The Buffalo News
Preparing for cyberstrikes against Russia, U.S. now confronts hacking by China
WASHINGTON – Just as it plans to begin retaliating against Russia for the large-scale hacking of American government agencies and corporations discovered late last year, the Biden administration faces a new cyberattack that raises the question of whether it will have to strike back at another major adversary: China.
Taken together, the responses will start to define how President Biden fashions his new administration’s response to escalating cyberconflict and whether he can find a way to impose a steeper penalty on rivals who regularly exploit vulnerabilities in government and corporate defenses to spy, steal information and potentially damage critical components of the nation’s infrastructure.
The first major move is expected over the next three weeks, officials said, with a series of covert counterstrikes on Russian networks that are intended to be evident to President Vladimir Putin and his intelligence services and military but not to the wider world.
The officials said the strikes would be combined with some kind of economic sanctions – though there are few truly effective sanctions left to impose – and an executive order from Biden to accelerate the hardening of federal government networks after the Russian hacking, which went undetected for months until it was discovered by a private cybersecurity firm.
The issue has taken on added urgency at the White House, the Pentagon and the intelligence agencies in recent days after the public exposure of a major breach in Microsoft email systems used by small businesses, local governments and, by some accounts, key military contractors.
Microsoft identified the intruders as a state-sponsored Chinese group and moved quickly to issue a patch to allow users of its software to close off the vulnerability.
But that touched off a race between those responsible for patching the systems and a raft of new attackers – including multiple other Chinese hacking groups, according to Microsoft – seeking to exploit the holes in the system while they could.
The U.S. government has not made public any formal determination of who was responsible for the hacking, but at the White House and on Microsoft’s campus in Redmond, Wash., the fear is that espionage and theft may be a prelude to far more destructive activity, such as changing data or wiping it out.
The White House underscored the seriousness of the situation in a statement Sunday from the National Security Council.
“The White House is undertaking a whole of government response to assess and address the impact” of the Microsoft intrusion, the statement said.
It said the response was being led by Anne Neuberger, a former senior National Security Agency official who is the first occupant of a newly created post: deputy national security adviser for cyber and emerging technologies.
The statement said that national security officials were working throughout the weekend to address the hacking and that “this is an active threat still developing, and we urge network operators to take it very seriously.”
Jake Sullivan, Biden’s national security adviser, said on Twitter on Thursday that the White House was “closely tracking” the reports that the
vulnerabilities in Microsoft Exchange were being used in “potential compromises of U.S. think tanks and defense industrial base entities.”
The discovery came as Biden’s national security team, led by Sullivan and Neuberger, has moved to the top of its agenda an effort to deter attacks, whether their intent is theft, altering data or shutting down networks.
For the president, who promised that the Russian attack would not “go unanswered,” the administration’s reactions in the coming weeks will be a test of his ability to assert U.S. power in an often unseen but increasingly high-stakes battle among major powers in cyberspace.
A mix of public sanctions and private counterstrikes is the most likely combination to force a “broad strategic discussion with the Russians,” Sullivan said in an interview Thursday, before the scope of the Chinese attack was clear.
“I actually believe that a set of measures that are understood by the Russians, but may not be visible to the broader world, are actually likely to be the most effective measures in terms of clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response,” he added.
From the first day of the new administration, Sullivan has been reorganizing the White House to fashion such responses. The same order he issued Jan. 20, requiring the military to advise the White House before conducting drone strikes outside war zones, contained a paragraph with separate instructions for dealing with major cyberoperations that risk escalating conflict.
The order left in place, however, a still secret document signed by former President Donald Trump in August 2018 giving the U.S. Cyber Command broader authorities than it had during the Obama administration to conduct day-to-day, short-of-war skirmishes
in cyberspace, often without explicit presidential authorization.
Under the new order, Cyber Command will have to bring operations of significant size and scope to the White House and allow the National Security Council to review or adjust those operations, according to officials briefed on the memo. The forthcoming operation against Russia, and any potential response to China, is likely to fall in this category.
U.S. officials continue to try to better understand the scope and damage done by the Chinese attack, but every day since its revelation has suggested that it is bigger, and potentially more harmful, than first thought.
“This is a crazy huge hack,” Christopher C. Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, wrote on Twitter on Friday.
The initial estimates were that 30,000 or so systems were affected, mostly those operated by businesses or government agencies that use Microsoft software and run their email systems in-house. (Email and other systems run on Microsoft’s cloud were not affected.)
But the breadth of the intrusion and the identities of the victims are still unclear.
And while the Chinese deployed the attack widely, they might have sought only to take information from a narrow group of targets in which they have the highest interest.
There is little doubt that the scope of the attack has U.S. officials considering whether they will have to retaliate against China as well. That would put them in the position of engaging in a potentially escalating conflict with two countries that are also its biggest nuclear-armed adversaries.
It has become increasingly clear in recent days that the hacking that Microsoft has attributed to Beijing poses many of the same challenges as the SolarWinds attack conducted by the
Russians, although the targets and the methodology are significantly different.
Like the Russians, the Chinese attackers initiated their campaign against Microsoft from computer servers – essentially cloud services – that they rented under assumed identities in the United States.
Both countries know that U.S. law prohibits intelligence agencies from looking in systems based in the United States, and they are exploiting that legal restriction.
“The Chinese actor apparently spent the time to research the legal authorities and recognized that if they could operate from inside the United States, it takes some of the government’s best threat-hunters off the field,” Tom Burt, the Microsoft executive overseeing the investigation, said Friday.
The result was that in both the SolarWinds and the more recent Chinese hacking, U.S. intelligence agencies appeared to have missed the evidence of what was happening until a private company saw it and alerted the authorities.
The debate preoccupying the White House is how to respond. Sullivan served as Biden’s national security adviser while he was vice president, as the Obama administration struggled to respond to a series of attacks.
Those included the Chinese effort that stole 22.5 million security-clearance records from the Office of Personnel Management in 2014 and the Russian attack on the 2016 presidential election.
In writings and talks over the past four years, Sullivan has made clear that he believes traditional sanctions alone do not sufficiently raise the cost to force powers like Russia or China to begin to talk about new rules of the road for cyberspace.
But government officials often fear that too strong a response risks escalation.
WASHINGTON – A year ago, Anique Houpe, a single mother in suburban Atlanta, was working as a letter carrier, running a side business catering picnics and settling into a rent-toown home in Stone Mountain, Ga., where she thought her boys would flourish in class and excel on the football field.
Then the pandemic closed the schools, the boys’ grades collapsed with distance learning, and she quit work to stay home in hopes of breaking their fall. Expecting unemployment aid that never came, she lost her utilities, ran short of food and was recovering from an immobilizing bout of Covid when a knock brought marshals with eviction papers.
Depending on when the snapshot is dated, Houpe might appear as a striving emblem of upward mobility or a mother on the verge of homelessness. But in either guise, she is among the people Democrats seek to help with a mold-breaking plan, on the verge of congressional passage, to provide most parents a monthly check of up to $300 per child.
Obscured by other parts of President Biden’s $1.9 trillion stimulus package, which won Senate approval Saturday, the child benefit has the makings of a policy revolution. Although framed in technocratic terms as an expansion of an existing tax credit, it is essentially a guaranteed income for families with children, akin to children’s allowances that are common in other rich countries.
The plan establishes the benefit for a single year. But if it becomes permanent, as Democrats intend, it will greatly enlarge the safety net for the poor and the middle class at a time when the volatile modern economy often leaves families moving between those groups. More than 93% of children – 69 million – would receive benefits under the plan, at a one-year cost of more than $100 billion.
The bill, which is likely to pass the House and be signed by Biden this week, raises the maximum benefit most families will receive by up to 80% per child and extends it to millions of families whose earnings are too low to fully qualify under existing law. Currently, one-quarter of children get a partial benefit, and the poorest 10% get nothing.
While the current program distributes the money annually, as a tax reduction to families with income tax liability or a check to those too poor to owe income taxes, the new program would send both groups monthly checks to provide a more stable cash flow.
By the standards of previous aid debates, opposition has been surprisingly muted. While the bill has not won any Republican votes, critics have largely focused on other elements of the rescue package. Some conservatives have called the child benefit “welfare” and warned that it would bust budgets and weaken incentives to work or marry. But Sen. Mitt Romney, R-Utah, has proposed a child benefit that is even larger, though it would be financed through other safety net cuts.
While the proposal took center stage in response to the pandemic, supporters have spent decades developing the case for a children’s income guarantee. Their arguments gained traction as science established the long-term consequences of deprivation in children’s early years and as rising inequality undercut the idea that everyone had a fair shot at a better life.
“The moment has found us,” said Rep. Rosa DeLauro, D-Conn., who has proposed a child allowance in 10 consecutive Congresses and describes it as a children’s version of Social Security. “The crystallization of the child tax credit and what it can do to lift children and families out of poverty is extraordinary. We’ve been talking about this for years.”
Houpe’s precarious situation is the kind the subsidy seeks to address. Born to a teenage mother, Houpe, 33, grew up straining to escape hardship. Although she was young when she had a child, she came close to finishing a bachelor’s degree, found work as a pharmacy technician and took a job with the post office to lift her wage to nearly $18 an hour. Raising a son on her own, she took in a nephew whom she regards as a second child.
Houpe seemed on the rise before the pandemic, with the move to a new house. The monthly payment consumed 60% of her income, twice what the government deems affordable, but she trimmed the cost by renting out a room and started a side job catering picnics.
During the pandemic, she spent six months waiting for schools to reopen until the boys’ plummeting grades – Trejion is 14 and Micah 11 – persuaded her that she could not leave them alone.
“I had to make a decision,” Houpe said, “my boys or my job.”
But when her requests for unemployment
were denied, the bottom fell out.
While critics fear cash aid weakens work incentives, Houpe said it might have saved her job by allowing her to hire someone part time to supervise the boys. “I definitely would have kept my job,” she said.
The campaign for child benefits is at least a half-century old and rests on a twofold idea: Children are expensive, and society shares an interest in seeing them thrive. At least 17 wealthy countries subsidize child-rearing for much of the population, with Canada offering up to $4,800 per child each year. But until recently, a broad allowance seemed unlikely in the United States, where policy was more likely to reflect a faith that opportunity was abundant and a belief that aid sapped initiative.
It was a Democratic president, Bill Clinton, who abolished the entitlement to cash aid for poor families with children. The landmark law he signed in 1996 created time limits and work requirements and caused an exodus from the rolls. Spending on the poor continued to grow but targeted low-wage workers, with little protection for those who failed to find or keep jobs.
In a 2018 analysis of federal spending on children, economists Hilary W. Hoynes and Diane Whitmore Schanzenbach found that virtually all the increases since 1990 went to “families with earnings” and those “above the poverty line.”
But rising inequality and the focus on early childhood brought broader
subsidies a new look. A landmark study in 2019 by the National Academies of Sciences, Engineering and Medicine showed that even short stints in poverty could cause lasting harm, leaving children with less education, lower adult earnings and worse adult health. Although welfare critics said aid caused harm, the panel found that “poverty itself causes negative child outcomes” and that income subsidies “have been shown to improve child well-being.”
Republicans may have unwittingly advanced the push for child benefits in 2017 by doubling the existing child tax credit to $2,000 and giving it to families with incomes of up to $400,000 but not extending the full benefit to those in the bottom third of incomes.
Republicans said that since the credit was meant to reduce income taxes, it naturally favored families who earned enough to have a tax liability. But by prioritizing the affluent, the move amplified calls for a more equitable child policy.
Under Biden’s plan, a nonworking mother with three young children could receive $10,800 a year, plus food stamps and Medicaid – too little to prosper but enough, critics fear, to erode a commitment to work and marriage. Scott Winship of the conservative American Enterprise Institute wrote that the new benefit creates “a very real risk of encouraging more single parenthood and more noworker families.”
But a child allowance differs from traditional aid in ways that appeal to
some on the right. Libertarians like that it frees parents to use the money as they choose, unlike targeted aid such as food stamps. Proponents of higher birthrates say a child allowance could help arrest a decline in fertility. Social conservatives note that it benefits stay-at-home parents, who are bypassed by work-oriented programs like child care.
And supporters argue that it has fewer work disincentives than traditional aid, which quickly falls as earnings climb. Under the Democrats’ plan, full benefits extend to single parents with incomes of $112,500 and couples with $150,000.
Backlash could grow as the program’s sweep becomes clear. But Samuel Hammond, a proponent of child allowances at the center-right Niskanen Center, said the politics of aid had changed in ways that softened conservative resistance.
A quarter-century ago, debate focused on an urban underclass whose problems seemed to set them apart from a generally prospering society. They were disproportionately Black and Latino and mostly represented by Democrats. Now insecurity has traveled up the economic ladder to a broader working class with similar problems, like underemployment, marital dissolution and drugs. Often white and rural, many are voters whom Republicans hope to court.
“Republicans can’t count on running a backlash campaign,” Hammond said. “They crossed the Rubicon in terms of cash payments. People love the stimulus checks.”