CRS report analyzes US Congress’s understanding of cyberattacks


A new Congressional Research Service (CRS) report released this week identifies two categories of cyberattacks by foreign adversaries against entities in the U.S., with 23 cyberattack campaigns that the federal government has attributed to hackers operating on behalf of other nation-states, and another 30 cyberattacks that the government has attributed to criminal attackers seeking personal gain.

In investigating cyber incidents, the U.S. government attempts to unmask those behind the incident and attribute it as an attack, Chris Jaikaran, an analyst in cybersecurity policy, wrote in the CRS report. “Attributing cyberattacks is difficult, but not impossible. Officials seek to develop a comprehensive understanding of the cyber incident not just from the victim, but also by corroborating that information with other government and private sector evidence to make a claim of attribution,” he added.

While a process exists to repeatedly and consistently develop a claim of attribution and a confidence level in it, adversaries take steps to complicate these efforts by obfuscating and removing any trace of their activity and using new infrastructure to make it difficult to track attack campaigns, according to Jaikaran.

The CRS is a federal legislative branch agency located within the Library of Congress that serves as shared staff exclusively to congressional committees and members of Congress. Its experts assist at every stage of the legislative process, right from the early considerations that precede bill drafting, through committee hearings and floor debate, to the oversight of enacted laws and various agency activities.

In an effort to address the challenge of rising cybersecurity threats and attacks, policymakers are considering a variety of solutions, such as denying opportunities for successful attacks by improving defenses and deterring adversaries from engaging in disruptive activities in cyberspace, the report said. As Congress considers options for deterrence, knowledge of known adversaries, the types of activities they conduct online, and how they are identified by the U.S. government may inform the debate. With this information, policymakers may gain a greater understanding of the risks that the nation and specific sectors face.

The report describes selected cyberattacks against entities in the United States which were discovered or ended within the past 10 years, even if the activity was observed earlier.

To develop the list of attacks, the CRS took into account only primary sources, mainly by searching for public statements on U.S. government websites belonging to the Department of Defense, the Department of Homeland Security, the Department of Justice (DOJ), the Office of the Director of National Intelligence, and the Cybersecurity and Infrastructure Security Agency (CISA).

The CRS revealed that the DOJ’s website only publishes press releases from 2009 onward, limiting the number of available press releases and indictments available for the search. There may be additional indictments that are not publicized but unsealed and available in court proceeding databases. Those documents are not searchable and accessible via the public internet and are therefore not included as part of its latest report.

Additionally, government officials may attribute a particular campaign to a nation-state actor or criminal group but have not made evidence or corroborating information available, such as a list of victims or naming a specific actor in a country. Such instances are not included in this list, the CRS said in its report.

The CRS report pointed that nation-states are some of the most sophisticated hackers that conduct cyberattacks. The Director of National Intelligence is required annually to deliver to U.S. Congress an assessment from the intelligence community on worldwide threats, it added.

Recent assessments have highlighted cyberspace as an area of strategic concern, with Russia, China, Iran, and North Korea as the leading threat attackers, the CRS report said. Attacks from these countries include spying on government agencies by accessing agency computers, stealing sensitive information from public and private sector entities in the U.S., stealing intellectual property, and destroying or potentially destroying computer equipment.

Transnational security agencies released a joint cybersecurity advisory warning last week of the ongoing malicious cyber activity by an advanced persistent threat (APT) group that has been associated with the Iranian government. The group is actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors.

The CRS report also disclosed that cybercriminals are less resourced than nation-state hackers and are less likely to employ novel and cutting-edge techniques in campaigns, yet their attacks are often highly effective. Most criminals are financially motivated and use cyberspace as a medium for conducting profit-bearing schemes. However, gaining money is not a requirement for illicit activity. Cyberattacks against victims in the U.S. from hackers located abroad include compromising computers to create and maintain botnets, infiltrating business email, hacking and releasing campaigns, and conducting ransomware attacks.

Last month, a CRS report explored the legal issues surrounding the federal law that provides potential approaches to combat ransomware attacks in the wake of rising cybercrime and cybersecurity attacks.

The U.S. CISA and the Federal Bureau of Investigation issued earlier this week a reminder to all entities, especially critical infrastructure partners, to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats.