On July 15, 2021, the U.S. State Department announced that rewards of up to $10 million would be provided to informants with information concerning cyberattacks sponsored by or on behalf of foreign governments. Details of the program can be found here and here. Notably, today, the White House announced that the United States and its allies have determined that the Chinese government has used contract criminal hackers in hacking involving zero-day vulnerabilities in Microsoft’s Exchange Server. The Biden Administration notes generally that:
[United States Department of Justice] imposing costs and
announcing criminal charges against four MSS [PRC Ministry of State Security] hackers.
The US Department of Justice is announcing criminal charges
against four MSS hackers addressing activities concerning a multiyear campaign
targeting foreign governments and entities in key sectors, including maritime,
aviation, defense, education, and healthcare in at least a dozen countries. DOJ
documents outline how MSS hackers pursued the theft of Ebola virus vaccine
research and demonstrate that the PRC’s theft of intellectual property, trade
secrets, and confidential business information extends to critical public
health information. Much of the MSS activity alleged in the Department of
Justice’s charges stands in stark contrast to the PRC’s bilateral and
multilateral commitments to refrain from engaging in cyber-enabled theft of
intellectual property for commercial advantage.
The Biden Administration notes that it is “working around the
clock” to address cybersecurity issues.
Here are some of the measures the Administration is taking:
- The Administration has funded five cybersecurity
modernization efforts across the Federal government to modernize network
defenses to meet the threat. These include state-of-the-art endpoint
security, improving logging practices, moving to a secure cloud
environment, upgrading security operations centers, and deploying
multi-factor authentication and encryption technologies.
- The Administration is implementing President Biden’s Executive
Order to improve the nation’s cybersecurity and protect Federal
government networks. The E.O. contains aggressive but achievable
implementation milestones, and to date we have met every milestone on time
including:
  - The National Institute of Standards and Technology
  (NIST) convened a workshop with almost 1000 participants from industry,
  academia, and government to obtain input on best practices for building
  secure software.
  - NIST issued guidelines for the minimum standards
  that should be used by vendors to test the security of their software.
  This shows how we are leveraging federal procurement to improve the
  security of software not only used by the federal government but also
  used by companies, state and local governments, and individuals.
  - The National Telecommunications and Information
  Administration (NTIA) published minimum elements for a Software Bill of
  Materials, as a first step to improve transparency of software used by
  the American public.
  - The Cybersecurity and Infrastructure Security
  Agency (CISA) established a framework to govern how Federal civilian
  agencies can securely use cloud services.
- We continue to work closely with the private sector
to address cybersecurity vulnerabilities of critical infrastructure. The
Administration announced an Industrial Control System Cybersecurity
Initiative in April and launched the Electricity Subsector Action Plan as
a pilot. Under this pilot, we have already seen over 145 of 255 priority
electricity entities that service over 76 million American customers adopt
ICS cybersecurity monitoring technologies to date, and that number keeps
growing. The Electricity Subsector pilot will be followed by similar
pilots for pipelines, water, and chemical.
- The Transportation Security Administration (TSA)
issued Security Directive 1 to require critical pipeline owners and
operators to adhere to cybersecurity standards. Under this directive,
those owners and operators are required to report confirmed and potential
cybersecurity incidents to CISA and to designate a Cybersecurity
Coordinator, to be available 24 hours a day, seven days a week. The
directive also requires critical pipeline owners and operators to review
their current practices as well as to identify any gaps and related
remediation measures to address cyber-related risks and report the results
to TSA and CISA within 30 days. In days to come, TSA will issue Security
Directive 2 to further support the pipeline industry in enhancing its
cybersecurity and to strengthen the public-private partnership so
critical to the cybersecurity of our homeland.
By exposing the PRC’s malicious activity, we are continuing
the Administration’s efforts to inform and empower system owners and operators
to act. We call on private sector companies to follow the Federal government’s
lead and take ambitious measures to augment and align cybersecurity investments
with the goal of minimizing future incidents.