The United States is increasingly vulnerable to a cyberattack targeting hospitals, food supplies or other vital functions during the coronavirus pandemic, lawmakers and experts say. They’re calling on the Trump administration to take bold action to keep adversaries at bay.
Already during the outbreak, unidentified adversaries launched what appears to be an unsuccessful digital attack aimed at overwhelming computer networks at the Health and Human Services Department. A separate effort spread misleading claims that President Trump planned to impose a nationwide lockdown over text message, encrypted apps and social media platforms.
“There are actors out there in cyberspace that think we’re vulnerable,” Rep. Mike Gallagher, R- Wis., who co-chaired the recent Cyber Solarium Commission on the future of U.S. cybersecurity, told me. “At a minimum, we need to impose costs on whoever did this. We don’t want the signal to be that now is a good time to take advantage of the U.S.”
The pandemic has heightened concerns among cyber hawks that the United States hasn’t done enough to deter digital attacks from adversaries such as Russia and China. And they worry a lack of serious consequences now could embolden adversaries to target vital services such as medical care or food supplies and cost people’s lives.
The warning also comes as huge portions of the nation’s workers are suddenly working from home on unfamiliar or even un-vetted equipment, raising the likelihood of digital vulnerabilities that hackers could exploit.
Sen. Angus King, I-Maine, the commission’s other co-chair, warned that the virus “underlines our overall vulnerabilities (to cyberattacks) and the absolute unscrupulousness of our adversaries.”
Attorney General William Barr has already warned there will be “severe” consequences if the HHS attack or disinformation campaign are traced to an adversary government. He has also urged the Justice Department to prioritize prosecuting any cyber criminals who seek to profit from the pandemic. But he hasn’t described any specific responses yet.
King stressed that if the HHS attack goes unpunished, even though it didn’t result in any serious disruption to government operations, those promises won’t deter more devastating attacks. King pointed to an example of what he wants to avoid: A ransomware attack last week at the Brno University Hospital in the Czech Republic locked up the hospital’s computer server as doctors were dealing with a coronavirus outbreak.
And to put it in perspective: The misinformation effort last weekend—the source of which an interagency effort including the FBI and intelligence agencies are now investigating—seemed designed to get people to overrun stores to buy supplies before new restrictions took hold. A more damaging attack, for instance, could target data used by grocery stores or agricultural firms to impede the flow of food to market.
“Until people fear some response, they’re going to keep doing these things,” King said. “Not responding is inviting further attacks, which will continue to escalate.”
With Russia in particular, the United States has responded to digital aggression in the past with sanctions and indictments—including following Russian interference in the 2016 election—but never with a response so muscular that it has actually deterred further attacks.
“It’s the right message to send, but there needs to be follow-through,” Chris Painter, the State Department’s top cybersecurity diplomat during the Obama administration, said. “We’ve had really bad attacks before, including on our democracy, and we’ve not been good at following through with consequences.”
If cyberattacks do impede the U.S. response to the pandemic, Washington could join with its allies to impose more punishing economic consequences or targeted retaliatory cyberattacks, Painter said. “You don’t want to escalate out of control, but you want to send a message that these things are off-limits,” he said. “You can take far more serious actions than we’ve done.”
Robert Knake, a former director for cybersecurity policy at the National Security Council during the Obama administration, went a step further in a blog post. He urged serious actions even against nations whose governments aren’t directly responsible for cyberattacks targeting U.S. hospitals—if they refuse to cooperate with U.S. investigations or to hand over cyber criminals responsible for attacks that originate inside their borders.
“We should be treating cyber criminals who target critical infrastructure during this crisis the way we treat terrorists, not as regular criminals,” Knake told me.
The Trump administration should explain clearly what sorts of attacks will elicit retaliation, what that might look like, and how adversaries can keep the situation from escalating out of control, lawmakers and experts said. But they were skeptical that Russia and other adversaries would rein in their actions without follow through.
“It’s hard to say that comments alone will move the needle,” said Jon Bateman, a former Defense Intelligence Agency analyst and now a cybersecurity fellow for the Carnegie Endowment for International Peace.
It is possible, however, that a strategy to publicly shame adversaries might be more effective than usual during a pandemic because people across the world see the virus as a global challenge, Bateman said.
A State Department official declined to comment on strategies under discussion, but said in an email that the department was committed to “promoting responsible state behavior in cyberspace” as well as “to holding states accountable for destructive, disruptive, or otherwise destabilizing malicious cyber activity.”
There’s a separate danger, however, that the Trump administration could overreact to these or future attacks amid the sense of urgency created by the pandemic—and end up embroiling the U.S. in an escalating tit-for-tat hacking conflict.
“I think it’s a bad idea in general to change risk calculus in response to a crisis,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official, said.