The hacking of Microsoft servers by rogue actors linked to Beijing and other recent cyberattacks have led U.S. President Joe Biden’s administration to redouble its efforts to forge closer cooperation between the government and private industries to build cyber defenses. But Big Tech is resisting.
Why? As always, U.S. companies don’t want to be seen as instruments of the U.S. government, even when it’s clear the Chinese and Russian governments are deploying their own networks of companies to mount constant hacking operations against U.S. corporations. That makes the hacking war an unequal contest, for now, because many of those U.S. companies are individually vulnerable. Most operate without sophisticated defenses or expert direction from U.S. Cyber Command and other government agencies.
With the Microsoft breach, “we’re looking at a wall with 10,000 other vulnerabilities we can’t yet see, and we’re just patching hole number 57,” said cybersecurity expert Edward Amoroso, the former chief security officer for AT&T.
Capitol Hill is joining the Biden administration in pressuring the industry. On Wednesday, U.S. Sen. Mark Warner, chairperson of the U.S. Senate Select Committee on Intelligence, U.S. Sen. Marco Rubio, vice chairperson of the committee, and U.S. Sen. Susan Collins, a senior committee member, introduced bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.
The hack in March of tens of thousands of Microsoft’s servers around the world is part of a barrage of recent hacking incidents, and it revives longstanding tensions between Washington and major U.S. corporations that relish their independence because, especially in China, one of their biggest markets, they don’t want to be identified with a federal government hostile to Beijing.
After Google was hacked in 2010, the company knew it was the Chinese government, but Google still resisted efforts by the FBI and Justice Department to access technical logs and other information about the breach, noted James Lewis, director of strategic technologies at the Center for Strategic and International Studies and a former senior U.S. diplomat on technology and encryption issues. “Google was still looking at the costs through a market lens,” Lewis said. “What’s changed is the cost of doing business in these environments. We’ve entered the age of the mass hack. This administration has done more on cybersecurity than any of its predecessors.”
Biden officials are openly speaking of a new level of public-private cooperation to erect better defenses against cyberattacks—and admitting that, as of yet, the nation remains woefully unprepared against future cyberattacks. At present, most companies are vulnerable targets, especially those that remain on private servers rather than moving secure information to the Cloud—where they can get expert monitoring and responses.
“This needs to be a massive generational initiative—like getting to the moon,” Amoroso said. “It’s going to take a lot of years. Now, it’s like we’re only in 1962; first you have to learn to fly the thing, then orbit, and only then think about the moon.”
On Aug. 25, Biden and members of his national security team and across the administration will hold a meeting with private sector leaders to discuss how “we can work together to collectively improve the nation’s cybersecurity,” a National Security Council official told reporters this week.
The Biden administration has also taken a much more aggressive approach to forcing the private sector’s hand—for example, by changing voluntary guidelines for energy pipeline operators into a mandatory requirement to disclose information about hacks like the one that hit Colonial Pipeline. Biden’s executive order in May also required companies to do more secure coding and maintain greater visibility in their software. On Tuesday, the administration issued yet another directive, saying it would require pipelines designated as critical to “implement specific mitigation measures to protect against ransomware attacks and other known threats” and develop recovery plans.
Now, Lewis said, tech companies in particular are a little more willing to cooperate “because they’re tired of getting whacked all the time. But I still think these are American companies that service a global market, so they don’t want to be seen as tools of the federal government.”
Some on Capitol Hill agree that hack-ravaged companies are more willing to play ball. “Generally, private sector resistance to cooperation is decreasing as the cyberthreat increases,” said a Rubio spokesperson.
But major tech companies are often finding themselves at odds with Washington over antitrust and political issues, and relations remain tense. A key problem Biden faces is there is very little he can order the companies to do. His executive order mandate is temporary unless Congress turns it into law. So the administration is trying to use suasion for now.
After the Microsoft hack was discovered in March, Microsoft’s voluntary cooperation with the government made a huge difference, said Anne Neuberger, deputy national security advisor for cybersecurity, who called it a “precedent” for future partnership. The administration asked Microsoft to help small businesses using its software, and in response, Microsoft released a one-click mitigation tool that led the number of vulnerable systems to fall from more than 100,000 systems to fewer than 10,000 systems in one week.
The administration is also trying to be sensitive to big business’s desire not to go too far in offending Beijing. Even though there are apparently clearer ties between Beijing’s Ministry of State Security and the hackers who were indicted this week than there are between the Kremlin and Russian hackers, Biden is resisting imposing sanctions as he did on Russia after the SolarWinds hack. Partly, that’s because so many U.S. tech companies heavily invest in China.