Can the US Curb China's Cyber Ambitions?
Security Experts Weigh the Impact of White House's Latest Cyber Moves
Security experts are debating the impact of the Biden administration's Monday condemnation of China for waging attacks on vulnerable Windows Exchange servers.
Many security experts and analysts are applauding the U.S. for calling out China's cyber behavior, especially after the White House had focused so much attention on Russia's cyber activities.
But some are calling for bolder action.
"Given that sanctions have already been used against virtually every other rogue cyber nation-state, not using them against China is a glaring oversight," Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike, notes on Twitter.
Scott Shackelford, chair of Indiana University’s cybersecurity program, offers a similar conclusion.
"As for attributing the Exchange cyberattacks, the main benefit for the Biden administration is the fact that this was done collectively with close partners and allies. Naming and shaming, though, only gets us so far without any formal sanctions to go along with the attribution."
Pointing a Finger at China
On Monday, the White House formally accused China's Ministry of State Security, aka MSS, of carrying out a series of attacks earlier this year against vulnerable on-premises Microsoft Exchange email servers.
Also on Monday, the U.S. National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency published a detailed list of tools and techniques used by Chinese-linked attackers.
Meanwhile, the Justice Department unsealed an indictment against four members of the MSS for various cyber activities that targeted universities and government agencies in an effort to allegedly steal trade secrets and intellectual property.
The Chinese Foreign Ministry in Beijing on Tuesday denied that the nation was involved in the various cyberthreats and intrusions outlined by the Biden administration, Reuters reports.
Some security experts say it was significant that the U.K., the European Union and NATO joined the U.S. in condemning China's cyber behavior.
"What is perhaps most significant is that the Biden administration is building momentum," says Sam Curry, the CSO at the security firm Cybereason. "And it's building an international consensus or coalition. It's the sort of move we normally see in physical conflicts and territorial disputes. And now we're seeing it applied to the cyber domain."
While the supply chain attack against the software firm SolarWinds, which the Biden administration attributed to Russian intelligence, has been a major source of concern, the attacks against Exchange servers were just as damaging, says Chris Painter, who served as the State Department’s top cyber official during the Obama administration.
The Exchange attacks affected tens of thousands of vulnerable on-premises Exchange servers around the world, opening the doors for ransomware attacks by other groups, Painter points out (see: Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws).
"Even if you claimed it was just espionage, it went beyond that in terms of the reckless way it was done," notes Painter, who now serves on the board of the Center for International Security. "So certainly it was a significant incident."
More Actions Needed?
In 2015, then-President Barack Obama used diplomacy and other leverage with Chinese President Xi Jinping to pressure the country to address intellectual property theft and other cyber issues.
The same techniques might work again, Painter says.
"China seems to care more about public accusations than Russia does," Painter says. "We need to be able to follow that up … with further actions by the administration and by allies and partners. And it's got to be a sustained campaign - just like Russia."
Even if Chinese-linked attackers don't relent, the U.S. focus on their activities could force them to rethink their strategies, says Mike Hamilton, a former vice-chair of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council.
"The point of making this announcement is to put the Chinese on notice that we do detailed attribution to not only identify persons directly responsible for carrying out attacks, but the specific tools, techniques and procedures used," says Hamilton, now the CISO for Critical Insights. "This lets them know that 'we see you,' which will create one of two outcomes: They'll change techniques and procedures or they back off. My money’s on door number one."
Strength in Numbers
Although the Biden administration did not issue sanctions against China, it built a coalition of international partners to confront China over the Exchange attacks and other actions. On Monday, Norway's Foreign Ministry formally accused China of attacking its parliament in March through the Exchange flaws.
The fact that NATO joined in condemning China's Exchange attacks might help deter other intrusions, says Meg King, director of the Science and Technology Innovation Program at The Wilson Center, a nonpartisan think tank based in Washington.
"Such strong and unusual words used by NATO show that the Biden administration and allies view this new international effort as the most effective method going forward to communicate that a large group of nations condemns China's cyber activities and that the group - not just the U.S. alone - will keep track of and reduce the number and impact of future attacks by that country," King says.
Besides the attacks against on-premises Exchange servers, the Biden administration accused MSS-affiliated groups of carrying out numerous other cyber operations, including ransomware attacks that resulted in losses of millions of dollars.
The fact that ransomware attacks are being conducted from China should not come as a surprise, but the White House was right to call these out, King says.
"By going on record, the U.S. and allied governments are highlighting a range of China's cyber activities for information sharing purposes and to make clear they are not acceptable," she says.
It's important for the Biden administration to acknowledge that nations other than Russia allow ransomware gangs to operate within their borders, says Megan Stifel, the executive director of the Americas for the Global Cyber Alliance and a former director of cyber policy at the National Security Council during the Obama administration.
When the Institute for Security and Technology's Ransomware Task Force published its recommendations in April, it highlighted the need to hold nations accountable, says Stifel, who served on the panel.
"We believed that ransomware was not just a threat by the actors emanating out of Russia, but actually a threat from a range of actors, and that it was rising to the level of a national security risk," Stifel says.