Microsoft hacking: towards a cyber-response from the United States?

Microsoft’s email hack, the second major cyberattack in months, puts the Biden administration under pressure on its ability to fight back to protect US interests. Faced with attacks that exploit vulnerabilities in corporate and government networks threatening national security, experts believe that strong measures are needed, such as “hack back”, a cyber response that consists of hacking in return.

The most recent hack, of Microsoft Exchange last week, attributed to a group of Chinese hackers backed by Beijing, affected at least 30,000 American organizations, including businesses, cities and local communities in the United States. This attack was deemed “unusually aggressive”.

An important test for the Biden administration

Additionally, it follows revelations that Russia was likely behind the massive December hack of Texas-based software, SolarWinds, which rocked the US government and corporate security. “These two very big incidents are an important test for the beginnings of the Biden administration,” said Frank Cilluffo, former homeland security adviser in the administration of George W. Bush, now director of the McCrary Institute of the Auburn University.

According to him, the response of the Democratic administration is all the more important as it will “set the tone” on the way in which it intends to respond “to unacceptable cyber behavior”. It will also be a message to the whole world, not just to hackers. Because “everyone is watching, state and non-state actors”, the ability of the US government to react, he said.

James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies, believes that the two incidents are proof that the American strategy “does not work against the most qualified and the most dangerous adversaries”. “The benefits of espionage are endless,” he continues. The Biden team knows this and is trying to change things, but we are far from having the solution. ”

An attacked state can resort to hacking

Until very recently, the notion of “hacking back” was considered too risky politically, by international standards. But a 2019 agreement between 28 countries established a legal framework for such retaliation, says James Lewis. “Piracy by private companies is still illegal,” but a government can argue that the remedy is legal for a state in the event of a large-scale attack, he adds.

David Edelman, former digital security adviser to the Obama administration and fellow of the Massachusetts Institute of Technology, notes that the Biden administration faces tough choices. “The administration has indicated that it wants to impose costs [en représailles, NDLR], but what kind of costs would be proportional to the attack ?, he asks. “Charges? Sanctions ”for agents installed safely in a foreign country thousands of kilometers away ?, he also asks.

“It cannot be treated as just a cyber incident”

Last month, Anne Neuberger, the White House’s senior cybersecurity adviser, said her team was considering retaliation after the attack on SolarWinds. “This is not the only case of malicious cyber activity of probably Russian origin, whether for us or for our allies and partners,” she added.

For Frank Cilluffo, any response will have to be carefully crafted, without collateral damage, like military action against specific targets. This could mean economic, diplomatic or military measures, he argues. “This cannot be treated as just a cyber incident,” he insisted, advocating integrating the response into the “geopolitical and national security machinery” of the US government.

The different types of responses could therefore be adapted depending on the identity of those suspected of having carried out the cyberattack, whether it be Russia, China, North Korea or other individuals. “Attacking a computer network is clearly one of the tools we have at our disposal,” he admits. “But we want to do it in a surgical way, in a discriminatory way, to have, obviously, an impact on those we are targeting” and only them, he concludes.


You may also like