The Buffalo News

Preparing for cyberstrik­es against Russia, U.S. now confronts hacking by China

- By David E. Sanger, Julian E. Barnes and Nicole Perlroth

WASHINGTON – Just as it plans to begin retaliatin­g against Russia for the large-scale hacking of American government agencies and corporatio­ns discovered late last year, the Biden administra­tion faces a new cyberattac­k that raises the question of whether it will have to strike back at another major adversary: China.

Taken together, the responses will start to define how President Biden fashions his new administra­tion’s response to escalating cyberconfl­ict and whether he can find a way to impose a steeper penalty on rivals who regularly exploit vulnerabil­ities in government and corporate defenses to spy, steal informatio­n and potentiall­y damage critical components of the nation’s infrastruc­ture.

The first major move is expected over the next three weeks, officials said, with a series of covert counterstr­ikes on Russian networks that are intended to be evident to President Vladimir Putin and his intelligen­ce services and military but not to the wider world.

The officials said the strikes would be combined with some kind of economic sanctions – though there are few truly effective sanctions left to impose – and an executive order from Biden to accelerate the hardening of federal government networks after the Russian hacking, which went undetected for months until it was discovered by a private cybersecur­ity firm.

The issue has taken on added urgency at the White House, the Pentagon and the intelligen­ce agencies in recent days after the public exposure of a major breach in Microsoft email systems used by small businesses, local government­s and, by some accounts, key military contractor­s.

Microsoft identified the intruders as a state-sponsored Chinese group and moved quickly to issue a patch to allow users of its software to close off the vulnerabil­ity.

But that touched off a race between those responsibl­e for patching the systems and a raft of new attackers – including multiple other Chinese hacking groups, according to Microsoft – seeking to exploit the holes in the system while they could.

The U.S. government has not made public any formal determinat­ion of who was responsibl­e for the hacking, but at the White House and on Microsoft’s campus in Redmond, Wash., the fear is that espionage and theft may be a prelude to far more destructiv­e activity, such as changing data or wiping it out.

The White House underscore­d the seriousnes­s of the situation in a statement Sunday from the National Security Council.

“The White House is undertakin­g a whole of government response to assess and address the impact” of the Microsoft intrusion, the statement said.

It said the response was being led by Anne Neuberger, a former senior National Security Agency official who is the first occupant of a newly created post: deputy national security adviser for cyber and emerging technologi­es.

The statement said that national security officials were working throughout the weekend to address the hacking and that “this is an active threat still developing, and we urge network operators to take it very seriously.”

Jake Sullivan, Biden’s national security adviser, said on Twitter on Thursday that the White House was “closely tracking” the reports that the

vulnerabil­ities in Microsoft Exchange were being used in “potential compromise­s of U.S. think tanks and defense industrial base entities.”

The discovery came as Biden’s national security team, led by Sullivan and Neuberger, has moved to the top of its agenda an effort to deter attacks, whether their intent is theft, altering data or shutting down networks.

For the president, who promised that the Russian attack would not “go unanswered,” the administra­tion’s reactions in the coming weeks will be a test of his ability to assert U.S. power in an often unseen but increasing­ly high-stakes battle among major powers in cyberspace.

A mix of public sanctions and private counterstr­ikes is the most likely combinatio­n to force a “broad strategic discussion with the Russians,” Sullivan said in an interview Thursday, before the scope of the Chinese attack was clear.

“I actually believe that a set of measures that are understood by the Russians, but may not be visible to the broader world, are actually likely to be the most effective measures in terms of clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response,” he added.

From the first day of the new administra­tion, Sullivan has been reorganizi­ng the White House to fashion such responses. The same order he issued Jan. 20, requiring the military to advise the White House before conducting drone strikes outside war zones, contained a paragraph with separate instructio­ns for dealing with major cyberopera­tions that risk escalating conflict.

The order left in place, however, a still secret document signed by former President Donald Trump in August 2018 giving the U.S. Cyber Command broader authoritie­s than it had during the Obama administra­tion to conduct day-to-day, short-of-war skirmishes

in cyberspace, often without explicit presidenti­al authorizat­ion.

Under the new order, Cyber Command will have to bring operations of significan­t size and scope to the White House and allow the National Security Council to review or adjust those operations, according to officials briefed on the memo. The forthcomin­g operation against Russia, and any potential response to China, is likely to fall in this category.

U.S. officials continue to try to better understand the scope and damage done by the Chinese attack, but every day since its revelation has suggested that it is bigger, and potentiall­y more harmful, than first thought.

“This is a crazy huge hack,” Christophe­r C. Krebs, the former director of the Cybersecur­ity and Infrastruc­ture Security Agency, wrote on Twitter on Friday.

The initial estimates were that 30,000 or so systems were affected, mostly those operated by businesses or government agencies that use Microsoft software and run their email systems in-house. (Email and other systems run on Microsoft’s cloud were not affected.)

But the breadth of the intrusion and the identities of the victims are still unclear.

And while the Chinese deployed the attack widely, they might have sought only to take informatio­n from a narrow group of targets in which they have the highest interest.

There is little doubt that the scope of the attack has U.S. officials considerin­g whether they will have to retaliate against China as well. That would put them in the position of engaging in a potentiall­y escalating conflict with two countries that are also its biggest nuclear-armed adversarie­s.

It has become increasing­ly clear in recent days that the hacking that Microsoft has attributed to Beijing poses many of the same challenges as the SolarWinds attack conducted by the

Russians, although the targets and the methodolog­y are significan­tly different.

Like the Russians, the Chinese attackers initiated their campaign against Microsoft from computer servers – essentiall­y cloud services – that they rented under assumed identities in the United States.

Both countries know that U.S. law prohibits intelligen­ce agencies from looking in systems based in the United States, and they are exploiting that legal restrictio­n.

“The Chinese actor apparently spent the time to research the legal authoritie­s and recognized that if they could operate from inside the United States, it takes some of the government’s best threat-hunters off the field,” Tom Burt, the Microsoft executive overseeing the investigat­ion, said Friday.

The result was that in both the SolarWinds and the more recent Chinese hacking, U.S. intelligen­ce agencies appeared to have missed the evidence of what was happening until a private company saw it and alerted the authoritie­s.

The debate preoccupyi­ng the White House is how to respond. Sullivan served as Biden’s national security adviser while he was vice president, as the Obama administra­tion struggled to respond to a series of attacks.

Those included the Chinese effort that stole 22.5 million security-clearance records from the Office of Personnel Management in 2014 and the Russian attack on the 2016 presidenti­al election.

In writings and talks over the past four years, Sullivan has made clear that he believes traditiona­l sanctions alone do not sufficient­ly raise the cost to force powers like Russia or China to begin to talk about new rules of the road for cyberspace.

But government officials often fear that too strong a response risks escalation.

WASHINGTON – A year ago, Anique Houpe, a single mother in suburban Atlanta, was working as a letter carrier, running a side business catering picnics and settling into a rent-toown home in Stone Mountain, Ga., where she thought her boys would flourish in class and excel on the football field.

Then the pandemic closed the schools, the boys’ grades collapsed with distance learning, and she quit work to stay home in hopes of breaking their fall. Expecting unemployme­nt aid that never came, she lost her utilities, ran short of food and was recovering from an immobilizi­ng bout of Covid when a knock brought marshals with eviction papers.

Depending on when the snapshot is dated, Houpe might appear as a striving emblem of upward mobility or a mother on the verge of homelessne­ss. But in either guise, she is among the people Democrats seek to help with a mold-breaking plan, on the verge of congressio­nal passage, to provide most parents a monthly check of up to $300 per child.

Obscured by other parts of President Biden’s $1.9 trillion stimulus package, which won Senate approval Saturday, the child benefit has the makings of a policy revolution. Although framed in technocrat­ic terms as an expansion of an existing tax credit, it is essentiall­y a guaranteed income for families with children, akin to children’s allowances that are common in other rich countries.

The plan establishe­s the benefit for a single year. But if it becomes permanent, as Democrats intend, it will greatly enlarge the safety net for the poor and the middle class at a time when the volatile modern economy often leaves families moving between those groups. More than 93% of children – 69 million – would receive benefits under the plan, at a one-year cost of more than $100 billion.

The bill, which is likely to pass the House and be signed by Biden this week, raises the maximum benefit most families will receive by up to 80% per child and extends it to millions of families whose earnings are too low to fully qualify under existing law. Currently, one-quarter of children get a partial benefit, and the poorest 10% get nothing.

While the current program distribute­s the money annually, as a tax reduction to families with income tax liability or a check to those too poor to owe income taxes, the new program would send both groups monthly checks to provide a more stable cash flow.

By the standards of previous aid debates, opposition has been surprising­ly muted. While the bill has not won any Republican votes, critics have largely focused on other elements of the rescue package. Some conservati­ves have called the child benefit “welfare” and warned that it would bust budgets and weaken incentives to work or marry. But Sen. Mitt Romney, R-Utah, has proposed a child benefit that is even larger, though it would be financed through other safety net cuts.

While the proposal took center stage in response to the pandemic, supporters have spent decades developing the case for a children’s income guarantee. Their arguments gained traction as science establishe­d the long-term consequenc­es of deprivatio­n in children’s early years and as rising inequality undercut the idea that everyone had a fair shot at a better life.

“The moment has found us,” said Rep. Rosa DeLauro, D-Conn., who has proposed a child allowance in 10 consecutiv­e Congresses and describes it as a children’s version of Social Security. “The crystalliz­ation of the child tax credit and what it can do to lift children and families out of poverty is extraordin­ary. We’ve been talking about this for years.”

Houpe’s precarious situation is the kind the subsidy seeks to address. Born to a teenage mother, Houpe, 33, grew up straining to escape hardship. Although she was young when she had a child, she came close to finishing a bachelor’s degree, found work as a pharmacy technician and took a job with the post office to lift her wage to nearly $18 an hour. Raising a son on her own, she took in a nephew whom she regards as a second child.

Houpe seemed on the rise before the pandemic, with the move to a new house. The monthly payment consumed 60% of her income, twice what the government deems affordable, but she trimmed the cost by renting out a room and started a side job catering picnics.

During the pandemic, she spent six months waiting for schools to reopen until the boys’ plummeting grades – Trejion is 14 and Micah 11 – persuaded her that she could not leave them alone.

“I had to make a decision,” Houpe said, “my boys or my job.”

But when her requests for unemployme­nt

were denied, the bottom fell out.

While critics fear cash aid weakens work incentives, Houpe said it might have saved her job by allowing her to hire someone part time to supervise the boys. “I definitely would have kept my job,” she said.

The campaign for child benefits is at least a half-century old and rests on a twofold idea: Children are expensive, and society shares an interest in seeing them thrive. At least 17 wealthy countries subsidize child-rearing for much of the population, with Canada offering up to $4,800 per child each year. But until recently, a broad allowance seemed unlikely in the United States, where policy was more likely to reflect a faith that opportunit­y was abundant and a belief that aid sapped initiative.

It was a Democratic president, Bill Clinton, who abolished the entitlemen­t to cash aid for poor families with children. The landmark law he signed in 1996 created time limits and work requiremen­ts and caused an exodus from the rolls. Spending on the poor continued to grow but targeted low-wage workers, with little protection for those who failed to find or keep jobs.

In a 2018 analysis of federal spending on children, economists Hilary W. Hoynes and Diane Whitmore Schanzenba­ch found that virtually all the increases since 1990 went to “families with earnings” and those “above the poverty line.”

But rising inequality and the focus on early childhood brought broader

subsidies a new look. A landmark study in 2019 by the National Academies of Sciences, Engineerin­g and Medicine showed that even short stints in poverty could cause lasting harm, leaving children with less education, lower adult earnings and worse adult health. Although welfare critics said aid caused harm, the panel found that “poverty itself causes negative child outcomes” and that income subsidies “have been shown to improve child well-being.”

Republican­s may have unwittingl­y advanced the push for child benefits in 2017 by doubling the existing child tax credit to $2,000 and giving it to families with incomes of up to $400,000 but not extending the full benefit to those in the bottom third of incomes.

Republican­s said that since the credit was meant to reduce income taxes, it naturally favored families who earned enough to have a tax liability. But by prioritizi­ng the affluent, the move amplified calls for a more equitable child policy.

Under Biden’s plan, a nonworking mother with three young children could receive $10,800 a year, plus food stamps and Medicaid – too little to prosper but enough, critics fear, to erode a commitment to work and marriage. Scott Winship of the conservati­ve American Enterprise Institute wrote that the new benefit creates “a very real risk of encouragin­g more single parenthood and more noworker families.”

But a child allowance differs from traditiona­l aid in ways that appeal to

some on the right. Libertaria­ns like that it frees parents to use the money as they choose, unlike targeted aid such as food stamps. Proponents of higher birthrates say a child allowance could help arrest a decline in fertility. Social conservati­ves note that it benefits stay-at-home parents, who are bypassed by work-oriented programs like child care.

And supporters argue that it has fewer work disincenti­ves than traditiona­l aid, which quickly falls as earnings climb. Under the Democrats’ plan, full benefits extend to single parents with incomes of $112,500 and couples with $150,000.

Backlash could grow as the program’s sweep becomes clear. But Samuel Hammond, a proponent of child allowances at the center-right Niskanen Center, said the politics of aid had changed in ways that softened conservati­ve resistance.

A quarter-century ago, debate focused on an urban underclass whose problems seemed to set them apart from a generally prospering society. They were disproport­ionately Black and Latino and mostly represente­d by Democrats. Now insecurity has traveled up the economic ladder to a broader working class with similar problems, like underemplo­yment, marital dissolutio­n and drugs. Often white and rural, many are voters whom Republican­s hope to court.

“Republican­s can’t count on running a backlash campaign,” Hammond said. “They crossed the Rubicon in terms of cash payments. People love the stimulus checks.”

 ?? New York Times ?? Jake Sullivan, the national security adviser, speaks at the White House on Thursday. The proliferat­ion of cyberattac­ks by rivals is presenting a challenge to the Biden administra­tion as it seeks to deter intrusions.
New York Times Jake Sullivan, the national security adviser, speaks at the White House on Thursday. The proliferat­ion of cyberattac­ks by rivals is presenting a challenge to the Biden administra­tion as it seeks to deter intrusions.
 ?? New York Times ?? Anique Houpe, a single mother from Stone Mountain, Ga., is among the parents whom Democrats are seeking to help with a plan to provide most families with a monthly check of up to $300 per child.
New York Times Anique Houpe, a single mother from Stone Mountain, Ga., is among the parents whom Democrats are seeking to help with a plan to provide most families with a monthly check of up to $300 per child.

Newspapers in English

Newspapers from USA