“There are actors out there in cyberspace that think we’re vulnerable,” Rep. Mike Gallagher (R- Wis.), who co-chaired the recent Cyber Solarium Commission on the future of U.S. cybersecurity, told me. “At a minimum, we need to impose costs on whoever did this. We don’t want the signal to be that now is a good time to take advantage of the U.S.”
The pandemic has heightened concerns among cyber hawks that the United States hasn’t done enough to deter digital attacks from adversaries such as Russia and China. And they worry a lack of serious consequences now could embolden adversaries to target vital services such as medical care or food supplies and cost people's lives.
The warning also comes as huge portions of the nation's workers are suddenly working from home on unfamiliar or even un-vetted equipment, raising the likelihood of digital vulnerabilities that hackers could exploit.
Sen. Angus King (I-Maine), the commission's other co-chair, warned that the virus “underlines our overall vulnerabilities [to cyberattacks] and the absolute unscrupulousness of our adversaries.”
Attorney General William Barr has already warned there will be “severe” consequences if the HHS attack or disinformation campaign are traced to an adversary government. He has also urged the Justice Department to prioritize prosecuting any cyber criminals who seek to profit from the pandemic. But he hasn’t described any specific responses yet.
King stressed that if the HHS attack goes unpunished, even though it didn’t result in any serious disruption to government operations, those promises won't deter more devastating attacks. King pointed to an example of what he wants to avoid: A ransomware attack last week at the Brno University Hospital in the Czech Republic locked up the hospital’s computer server as doctors were dealing with a coronavirus outbreak.
And to put it in perspective: The misinformation effort last weekend – the source of which an interagency effort including the FBI and intelligence agencies are now investigating – seemed designed to get people to overrun stores to buy supplies before new restrictions took hold. A more damaging attack, for instance, could target data used by grocery stores or agricultural firms to impede the flow of food to market.
“Until people fear some response, they’re going to keep doing these things,” King said. “Not responding is inviting further attacks, which will continue to escalate.
With Russia in particular, the United States has responded to digital aggression in the past with sanctions and indictments — including following Russian interference in the 2016 election — but never with a response so muscular that it has actually deterred further attacks.
“It’s the right message to send, but there needs to be follow-through,” Chris Painter, the State Department’s top cybersecurity diplomat during the Obama administration, told me. “We’ve had really bad attacks before, including on our democracy, and we’ve not been good at following through with consequences.”
If cyberattacks do impede the U.S. response to the pandemic, Washington could join with its allies to impose more punishing economic consequences or targeted retaliatory cyberattacks, Painter said. “You don’t want to escalate out of control, but you want to send a message that these things are off-limits,” he said. “You can take far more serious actions than we’ve done.”
Robert Knake, a former director for cybersecurity policy at the National Security Council during the Obama administration, went a step further in a blog post. He urged serious actions even against nations whose governments aren’t directly responsible for cyberattacks targeting U.S. hospitals – if they refuse to cooperate with U.S. investigations or to hand over cyber criminals responsible for attacks that originate inside their borders.
“We should be treating cyber criminals who target critical infrastructure during this crisis the way we treat terrorists, not as regular criminals,” Knake told me.
The Trump administration administration should explain clearly what sorts of attacks will elicit retaliation, what that might look like, and how adversaries can keep the situation from escalating out of control, lawmakers and experts said. But they were skeptical that Russia and other adversaries would rein in their actions without follow through.
“It’s hard to say that comments alone will move the needle,” said Jon Bateman, a former Defense Intelligence Agency analyst and now a cybersecurity fellow for the Carnegie Endowment for International Peace.
It is possible, however, that a strategy to publicly shame adversaries might be more effective than usual during a pandemic because people across the world see the virus as a global challenge, Bateman said.
A State Department official declined to comment on strategies under discussion, but told me in an email that the department is committed to “promoting responsible state behavior in cyberspace” as well as “to holding states accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity.”
There’s a separate danger, however, that the Trump administration could overreact to these or future attacks amid the sense of urgency created by the pandemic – and end up embroiling the U.S. in an escalating tit-for-tat hacking conflict.
"I think it’s a bad idea in general to change risk calculus in response to a crisis,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official, told me.
PINGED, PATCHED, PWNED
PINGED: Senate Democrats worry that Google's health division won’t do enough to protect patient data collected through its new tool to scan for coronavirus symptoms, my colleague Tony Romm reports.
The data the tool collects would be “highly valuable to potential hackers, foreign state and nonstate actors with nefarious intent, and other criminal enterprises,” the group, led by New Jersey Sens. Bob Menendez and Cory Booker, said in a letter to Google CEO Sundar Pichai.
They want to know what the White House and Google have done to vet the project for cybersecurity and privacy problems that could damage the security and privacy of millions of Americans.
“If Google and its subsidiaries fail to establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination,” the group wrote. The letter cited recent data breaches, including those at medical companies Quest Diagnostics and LabCorp.
Google and the White House did not immediately respond to requests for comment from Tony. Patients must use or create Google accounts to use the free tool. But Verily, the Alphabet subsidiary running the project said in a blog post that data from the site will not be combined with an individual's other Google account information — an issue that sparked early privacy concerns. Right now, the tool is available only in California, and Verily has not announced a nationwide launch date.
PATCHED: Sen. Michael Bennet (D-Colo.) is calling for a major review of cybersecurity protections at HHS, the National Institutes of Health and the Centers for Disease Control and Prevention following the attempted digital attack earlier this week, Maggie Miller at the Hill reports. The Senate Intelligence Committee member wants the Department of Homeland Security's cybersecurity arm to lead the review, making sure the agencies are secure as they grapple with the growing public health crisis posed by the coronavirus pandemic.
“The security of these vital systems is critical to ensuring that our federal agencies responsible for public health can effectively support our response to the pandemic and continue to provide trusted and timely information to the American people,” Bennet wrote in his letter to the agencies.
PWNED: Cybercriminals and scammers continue to push an array of attacks aimed at profiting from the coronavirus pandemic. Nearly 20 percent of Web domains related to the virus look like they could be phony sites aimed at infecting visitors with malicious software and about 1 percent of them are definitely malicious, according to a report out this morning from the cybersecurity company Check Point.
Meanwhile, researchers have found phony maps of coronavirus infections that actually carried malware, as CyberScoop reported. And researchers at Sophos Labs have found scammers impersonating the World Health Organization and the COVID-19 Solidarity Response Fund.
Rep. Katie Porter (R-Calif.) even tweeted a coronavirus-related scam texted to her that promised a free iPhone.
Those sorts of scams are common for opportunistic hackers who frequently piggyback on high profile events ranging from floods and tornadoes to the Super Bowl to infect unsuspecting internet users. Coronavirus scams are likely to be among the most numerous yet, though, Thomas Brewster at Forbes reports.
“The closest analogy is the kind of fraud that we saw relating to Hurricane Katrina,” Scott Brady, U.S. attorney for the Western District of Pennsylvania, told Thomas. “I think we are really going to see an unprecedented wave of cyberattacks and cyber fraud. And that's what we're trying to prepare our partners and the public for.”
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
- The R Street Institute is hosting a virtual conversation, "Combatting Digital Disinformation During a Global Pandemic," today at noon.