Latest (as of December 31, 2024): the U.S. Treasury has announced that it is the victim of a Chinese cyberattack. Using standard hammer-through-papier-mâché techniques, the attackers wended their way into the department’s workstations and grabbed unclassified documents (is our tax data classified?) “after compromising a third-party software service provider, the agency said Monday.”
We have plenty of almost no information about what happened. Associated Press says that Treasury “did not provide details on how many workstations had been accessed or what sort of documents the hackers may have obtained, but it said in a letter to lawmakers revealing the breach that ‘at this time there is no evidence indicating the threat actor has continued access to Treasury information.’ ”
The compromised service has since been taken offline, and there’s no evidence that the hackers still have access to department information, Aditi Hardikar, an assistant Treasury secretary, said in the letter Monday to leaders of the Senate Banking Committee.
The department said it was working with the FBI and the Cybersecurity and Infrastructure Security Agency and others to investigate the impact of the hack, and that the hack had been attributed to Chinese state-sponsored culprits. It did not elaborate.
Also, Treasury made clear that the hack “was being investigated as a ‘major cybersecurity incident.’…”
That’s good. If this hack by rampantly cyberhacking China had been treated as a minor or marginal cybersecurity incident, we might not even have heard about it.
Now, though, we have heard about it, and…this means that…well, that something…will be done, I guess? In the way of counterattack and prevention?
What to do
In a column for this site, James Roth observes, as have others, that the U.S. government in fact mandated back doors to our hyper-Chinese-hacked telecommunications infrastructure. One of Roth’s recommendations: “close the back doors. The next chance to sunset Public Law No: 118-49 comes in less than two years.” But why wait? Just pass something in Congress to rescind this right now. Or on January 20.
With respect to a Chinese company known to be enabling many Chinese cyberattacks, Roth says that “we have a company, its address, its stock, more. But we’re combatting its projects while leaving the firm itself alone.”
At Instapundit, reader DysG suggests ways to “put an end to this sort of crap…. Move mission critical systems…off of Windows. Windows has too many holes in it, and it is compromised with bullshit ‘features’ that are security holes from the get-go.
“Instead, the NSA/DOD/USAF and private sector in the US should form a consortium to pick a Unix-based OS (pick OpenBSD as a starting point—I don’t really care, just get the hell away from Windows) and harden it for use on web servers, file servers/backups, etc….
“Microsoft has had long enough to get their house in order. They’ve failed….
“Create a counterattack team to deploy to federal and cooperating companies which would allow them to examine attacks and counterattack the hackers. The passivity of our government in the face of these cyberattacks is ridiculous….
“Start attacking China and Russian networks and infrastructure without remorse. Create a black hat team that has as its objective wholesale destruction of their digital infrastructure….”
Despite the abundance of informed recommendations about how to go about being less horrible at defending ourselves, protecting U.S. institutions and organizations from further cyberattack doesn’t seem to be the highest priority right now.
Federal, state, and local governments and agencies need to be more security-conscious, as do companies and other private organizations, as do individuals. The phase in which everybody either runs around like chickens with their heads cut off or complacently assumes that it will never happen to them is lasting too long.
Et tu, reader
Same goes for you, reader. If you’re still using your birthday or password1 as your password; still using the same password for all your accounts; and still using just a password for your accounts and not also, when available, two-factor authentication; etc.—repent. Repent. Before it’s too late. I know you’re busy.
