Staking out the Olympics cyber threats
With help from Eric Geller
Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— The Olympic games are here — so are the cyber threats. From disinfo to ransomware, here’s what kind of attacks experts are watching out for.
— The Senate Intelligence Committee’s mandatory incident reporting bill was introduced last week, and some lawmakers are already pushing for changes, including on data privacy.
— With Deputy Secretary of State Wendy Sherman wrapping up her visit to China today, MC dives into why the administration’s reaction to China has differed from those about Russian cyberattacks.
HAPPY MONDAY and welcome back to Morning Cybersecurity! I’m your host, Sam Sabin. It’s a new week, so start off on the right foot: Send your thoughts, feedback and — especially — story tips to [email protected]. Follow @POLITICOPro and @MorningCybersec.
LET THE GAMES BEGIN — The Olympic Games in Tokyo already brought many awe-inspiring moments during their first weekend. But for security defenders, they also bring a heightened level of anxiety, because the games are a ripe opportunity for hackers looking for their next high-profile target this summer.
From the worldwide media attention to the thousands of spectators guaranteed each night, hackers have plenty of incentives to go after the games. And organizations have been on watch: While the FBI said it wasn’t aware of any ongoing “specific cyber threat” against the 2021 games, it still warned organizations affiliated with the Olympics last week to be on high alert for possible attacks.
As the games continue over the next couple of weeks, here’s what cyber experts are looking out for:
— Russian nation-state activity: Russian hackers targeted the last two Olympic Games after the International Olympic Committee found evidence of Russian athletes doping and suspended them from competing under their country’s flag. The United Kingdom also said Russia’s GRU military intelligence service attempted to hack organizations last year associated with the 2020 Olympics and Paralympic Games before they were postponed.
However, Russia goes after the Olympics to be a disruptor: In 2018, the country is alleged to have coordinated a mass phishing scheme that targeted everyone from athletes to company partners. But given how mangled the lead-up to the Olympics has been so far in Japan, Neil Jenkins, chief analytic officer at the Cyber Threat Alliance, told MC that Russia could lose interest: “They may look at the current situation in the game and say ‘Well, nobody cares that much about the Olympics this year, there aren’t going to be any spectators there, [and] Japan is already embarrassed,’” he said.
— What about China? Jenkins argued China could pose a threat by using the games as an outlet for cyber espionage to gain information before it hosts the 2022 Winter Olympics, although that is less likely to happen than Russian activity.
— Ransomware and malware: Ransomware could be the weapon of choice for cybercriminals, Jenkins said. And such attacks — which lock an organization’s systems until a hefty sum is paid — have already targeted Olympic organizations. Last month, the Japanese Olympic Committee said it was the victim of a ransomware attack in April, although an investigation showed there was no ransom demand and the committee replaced the infected computers. And last week, malware designed to wipe files on an infected device was discovered targeting Japanese computers two days before the opening ceremony.
Although some hacking groups have already gone underground after high-profile attacks put large targets on their backs, some other groups could be eager to get a pay day from any of the organizations associated with the games, such as media organizations: “If we take that offline and nobody can watch the Olympics, whoever is the target there is going to be really incentivized to get back online really quick,” Jenkins said.
— Disinformation: Polarization is an essential ingredient for any nation-state disinformation campaign, Jenkins said. And a report from cybersecurity firm Recorded Future earlier this month warned that ingredient is everywhere in Japan, given how deadly Covid-19 still is in the country and how much disdain there is for hosting an international sporting event while the country recovers from the pandemic. Already, the report said, Russian state media outlets have been pushing stories that portray the Tokyo Games as unsafe and play up the unpopularity of the games in Japan through “sensationalist articles,” including one with the headline “‘Olympics kill the poor’: Furious Japanese public protest Tokyo 2020 Olympics as calls to cancel Games continue,” the report notes.
HOLDING OUT — When Senate Intelligence leaders Mark Warner (D-Va.) and Marco Rubio (R-Fla.) introduced legislation last week requiring certain companies to report cyber incidents to the federal government, just three committee members didn’t sponsor the legislation. Some want more protections, others just want general changes (but declined to provide specifics). Here’s what each senator’s office said when Eric reached out to learn more about why they’re holding out on sponsoring the historic legislation:
— Sen. Ron Wyden (D-Ore.): When the Colonial Pipeline fell victim to ransomware in May, the Oregon Democrat publicly called for more “serious civil and criminal penalties,” including personal accountability for CEOs, for critical infrastructure firms that have lax security practices. But the senator is a huge data privacy hawk, and as such, he seems to be pushing for more scrutiny for the companies and stronger data protection laws in the bill. As a Wyden aide told Eric, Wyden hopes to work with Warner to “add additional safeguards that protect Americans’ personal information” to the incident reporting legislation and “limit corporate liability protection for sharing Americans’ personal data with the government.” The aide remained anonymous so they could speak freely about the senator’s reasons for not sponsoring the bill right away.
— Sen. John Cornyn (R-Texas) is similarly “seeking some changes to be made to the bill,” a spokesperson told Eric, although they declined to provide details on what needs to change. Cornyn was a part of the effort to craft the legislation in March, Communications Daily reported at the time, saying that “if we’re going to protect our critical infrastructure and fend off cyberattacks, we have to know exactly what’s going on.”
— Sen. Tom Cotton (R-Ark.) also held out on sponsoring the bill; however, a representative for his office didn’t respond to a request for comment. Besides a push in 2019 to have the Senate Sergeant at Arms report cyber incidents targeting the chamber, Cotton hasn’t said much publicly about the need for companies to report cyber incidents to the federal government.
Why it matters: Although the bill has plenty of momentum to pass without these lawmakers’ support (especially with a House counterpart on the way), their differences could signal what’s to come in the debate about this legislation in the next few weeks.
CISA ON THE HILL — In the sprint to August recess, lawmakers have set up a jam-packed cyber hearing schedule for themselves, including several appearances Tuesday by CISA’s Executive Assistant Director For Cybersecurity Eric Goldstein:
— That morning, Goldstein will testify before the Senate Judiciary Committee, alongside other DHS and DOJ officials, about ransomware (the Hill’s favorite cyber topic this summer).
— Later that afternoon, Goldstein will head to the other side of the Capitol (albeit virtually) to testify before the House Oversight Committee about security threats to the electric grid. Other testifying individuals include the head of the Energy Department’s cyber office and FERC’s energy infrastructure security office.
CHINA, DEBRIEFED — The meetings during Deputy Secretary of State Wendy Sherman’s visit to China that started yesterday with a focus on competition will certainly touch on cybersecurity before ending today — creating one of the first testing grounds for how the administration moves forward with Beijing on cybersecurity.
Last week, the Biden administration attributed a global hacking campaign, including the breach of Microsoft Exchange servers, to hackers hired by the Chinese government. But, kicking things up a notch, the attribution wasn’t made alone: several international actors, like NATO, co-signed the agreement.
But for some cyber industry experts, the attribution fell short due to the lack of sanctions that came with it. The administration had doled out sanctions against Russia when it attributed the SolarWinds espionage campaign to the country’s state actors. So, why not with China?
— One reason: The economic relationship between the U.S. and China is much more deeply intertwined. China was the United States’ third largest goods trading partner in 2019, according to the latest available data on the Office of the United States Trade Representative’s website. Making things more complicated: That same year, China was the United States’ largest supplier of goods imports, with $451.7 billion worth of Chinese goods coming into the country.
— The other: Sanctions might not send the right message. According to a Bloomberg report Friday, Biden administration officials worry that sanctioning now as a form of punishment, “rather than to change the behavior of adversaries, could undermine the effectiveness of sanctions in the future.” Instead, the administration is leaning hard into public criticism as a way to force Beijing to rein in its cyber aggression (which has only grown during the last few years) and possibly come back to the negotiating table.
ONE MORE TIME WITH FEELING — A French security researcher discovered a new security flaw in Windows, marking the third major flaw found in Microsoft’s operating system in the past month following the PrintNightmare and SeriousSAM (or HiveNightmare) vulnerabilities. Microsoft has already published a list of official mitigations for the latest flaw, which goes by the name PetitPotam and provides a way for attackers to force operators to share their login credential details so hackers can burrow even further into a company’s networks.
A fun HIPAA song from MSNBC’s Hayes Brown: “WHEEEEEEEN / THEEEEEEEEEEE / PRESS WANTS SOME FACTS / AND SAYS ‘SIR ARE YOU VAXED’ / THAT’S A-HIPAA”
— Consumers and workers are now suing Colonial and other companies whose operations suffer after a ransomware attack. (The Washington Post)
— An internal NSA review found that Fox News host Tucker Carlson wasn’t one of the agency’s spying targets, according to two people familiar with the matter. (The Record)
— NSO Group’s chief executive officer is now claiming that the Boycott, Divestment, and Sanctions movement, which is working to end Israeli occupation of Palestine, is behind a news investigation about its spyware published last weekend. (Motherboard)
— An interview with Taiwan’s head of cybersecurity about how the government is preparing for cyber warfare. (CNN)
— “Disinformation for Hire, a Shadow Industry, Is Quietly Booming.” (The New York Times)