The Morning Dispatch: Another Day, Another Russian Ransomware Attack

Happy Thursday! On this date 245 years ago, the Liberty Bell was rung in Philadelphia to gather residents for the first public reading of the Declaration of Independence. 

Honestly, that should still be how all big announcements are made.

Quick Hits: Today’s Top Stories

• Haitian President Jovenel Moïse was assassinated early Wednesday morning at his home on the outskirts of Port-au-Prince by what Haiti’s ambassador to the United States described as “well-trained professionals, killers, commandos.” Haiti’s police chief said yesterday that four suspects in the assassination investigation were killed in a shootout with police last night, and two others were arrested. Interim Prime Minister Claude Joseph presented himself as Haiti’s new leader in a televised address yesterday, but the situation is volatile.

• First responders to the Surfside condo collapse are shifting their mission from search and rescue to recovery today, two weeks after the tower fell. The confirmed death toll had risen to 54 as of Wednesday evening, and 86 people remained unaccounted for.

• At least 14 rockets have struck an Iraqi base that houses U.S. troops and other international forces in recent days, injuring two American servicemembers. While no group immediately claimed responsibility, the attack follows the United States’ strikes  against Iranian-backed militias late last month.

• The Tampa Bay Lightning defeated the Montreal Canadiens on Wednesday to win their second consecutive Stanley Cup.

Russia Testing Biden’s Resolve on Cyber

Last Friday, the Miami-based software company Kaseya announced it had been hit by a massive cyber-attack. As Kaseya—and the rest of the United States—quickly found out, the Russian ransomware group REvil had succeeded in hacking Kaseya’s Virtual System/Service Administrator (VSA) tool, a product which allows the company’s customers—which are small to medium-sized businesses around the world—to monitor their computer systems remotely and implement security updates. According to Kaseya, up to 1,500 companies were affected by the security breach, a level of damage which security experts labeled “unprecedented” and the “worst ransomware incident to date.”

“If I was you,” Kaseya’s CEO said in a video posted to the company’s YouTube channel on Tuesday, “I would be very, very frustrated. And you should be.”

As Kaseya responded to the cyber-attack by telling its VSA customers to shut down their servers temporarily, hundreds of small businesses around the world were forced to deal with ongoing problems caused by the breach. In Sweden, around 500 supermarkets closed on Friday after self-service checkouts and cash registers stopped working. And in New Zealand, more than 100 kindergarten schools switched to pen-and-paper teaching as school administrators worked to determine whether any sensitive information was accessed.

On Sunday, REvil officially claimed responsibility for the attack, boasting on its dark web site—the “Happy Blog”—that it had succeeded in infecting more than a million systems. While REvil claimed that certain side effects of the intrusion, such as the disruption to New Zealand’s schools, were merely an “accident,” it asked for a blanket ransom payment to restore most of the affected information. “If anyone wants to negotiate about universal decryptor,” REvil stipulated, “our price is $70,000,000 in Bitcoin.”

That price, if paid, would mark the largest sum ever extracted after a cyber-attack. While the hackers suggested they would lower their demand to $50 million on Tuesday, White House Press Secretary Jen Psaki announced that the US government was urging Kaseya not to pay any ransom, even as she acknowledged she could not speak to the company’s decision-making process on the matter.

“The FBI has basically told companies not to pay ransomware,” she said. “Our ransomware policy continues to be the same as it has been for several months, which is that we do not advise—we advise against, in fact—companies paying ransomware given it incentivizes bad actors to repeat this behavior. In terms of whether the company has paid ransom, I would refer you to the company.”

White House officials met yesterday to discuss the Kaseya attack, where the hackers’ technique of targeting supply chain software mirrored the Russian government’s attack on SolarWinds last year. In the meeting, administration officials evaluated proposals on how to strengthen private companies’ cyber security infrastructure and disincentivize or ban companies from paying out ransoms. And on Tuesday, Psaki told reporters that the administration would “take action” to combat cyber criminals in Russia if the Kremlin failed to discipline the perpetrators of the attack.

But as the Biden administration responded to the Kaseya breach, telling victims it would “provide assistance based on an assessment of national risk,” yet another Russian cyber-attack was reported by the Republican National Committee.

On Tuesday, RNC Chief of Staff Richard Walters issued a statement announcing that Synnex, a third-party contractor, had been hacked, but that the RNC had blocked access from Synnex accounts to the cloud before any data was accessed. Multiple news outlets, including the Washington Post and Bloomberg, reported that Russian government hackers, members of a group called APT-29 or Cozy Bear, were behind the attack. According to the American cybersecurity company Crowdstrike, Cozy Bear—the same organization accused of hacking SolarWinds and the Democratic National Committee in 2016—is associated with the Russian Foreign Intelligence Service.

Kremlin spokesperson Dmitry Peskov denied Russian state responsibility for the RNC hack, telling reporters that “whatever happened … had no connection to official Moscow.” But the cyber-attack on the RNC, combined with the Kaseya breach, represents a significant test for the Biden administration’s efforts to establish a diplomatic relationship with Russia.

Three weeks ago, during his first meeting with Russian president Vladimir Putin, President Biden demanded that Russia work to prevent cyber-attacks against the United States, presenting Putin with a list of 16 critical sectors of the American economy that would provoke a response from the U.S. government if attacked. James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies, told the New York Times that Russia is now challenging those limits.

“Biden did a good job laying down a marker, but when you’re a thug, the first thing you do is test that red line,” Lewis said. “And that’s what we’re seeing here.”

In an interview with The Dispatch, Klon Kitchen—a national defense and cybersecurity expert at the American Enterprise Institute—said that cyber attacks are beneficial in furthering the Russian government’s narrative about the West.

“Even if you accept the line from some attackers that they’re just in it for the money and they’re not working on behalf of the Russian government,” Kitchen said, “it is simply a reality that they would not be allowed to operate and to have this level of influence if the Russian government weren’t tacitly or actively allowing them to operate. And this has a political benefit to Moscow.”

“It creates this type of instability, and it shows the West to be weak and vulnerable,” he continued. “That fits the political narrative that Moscow and Putin are trying to inculcate and spread around the world—that the West is hollowing out. They want to prove that the West is increasingly ineffectual in terms of protecting its own interests, and Russia specifically can act with impunity.”

Asked why the attacks keep happening despite U.S. warnings, Kitchen was blunt.

“The reason they’re occurring is because they work. People like those who were behind the REvil attacks not only write code, but they also make it available as a service to those who want to use ransomware as a tool. So that has now matured as a service industry, and it’s taking off because people are paying the ransom. We have to change the political calculus of Russia and other nations who enable this.”

For his part, Kitchen advises designating attacks on U.S. cybersecurity infrastructure as terrorism, arguing this will enable American intelligence enterprises to start deconstructing Russian hacking syndicates. Even if cyber-attacks don’t have a physical body count, Kitchen said, they still have the potential to seriously affect a society’s way of life. “Just because we haven’t had a society-changing ransomware attack doesn’t mean there can’t be one.”

Sen. Mark Warner, who chairs the Senate Intelligence Committee, told NBC News he expects Biden to hold Russia accountable for the recent attacks. 

“What President Biden can and, I expect, will do, is demand Russia live up to its obligations and prevent its territory from being used for these criminal acts,” Warner said. “If Putin wants Russia to be a productive member of the international community, he could certainly arrest and try these criminals in Russia, or hand them over to stand trial elsewhere.”

U.S. Misses White House Vaccination Goal

When the U.S. opened its COVID vaccine floodgates to the masses in mid-April, President Biden had a goal in mind: 70 percent of American adults receiving at least one vaccine dose by July 4, and 160 million fully vaccinated. But as Independence Day came and went this weekend, the country was still a few million vaccines shy of both targets—highlighting how the initial clamor for shots has slowed to a trickle in recent weeks, with millions of Americans remaining unconvinced about the necessity of the drugs.

In the face of the missed benchmark, Biden on Tuesday pledged that the White House would redouble its efforts to support reaching people in vaccine-hesitant communities at the local level, transitioning from a strategy focused on mass-vaccination sites to one built on going “community by community, neighborhood by neighborhood, and oftentimes door to door—literally knocking on doors—to help get the remaining people protected from the virus.”

“My administration is doing everything it can to lead a whole-of-government response at the federal, state, and local levels to defeat the pandemic,” Biden said. “But we need everyone to do their part. Millions of Americans have already done that. We have to keep it up, though. We have to keep it up until we’re finished.”

Whether the administration is doing everything it can or not, however, it’s growing clearer by the week that a significant portion of the country just isn’t interested in receiving the vaccine. Hesitancy is most prevalent among several different groups—young people who think they have little reason to fear COVID to begin with; poorer people, both white and black, who have a preexisting skepticism toward the U.S. government and healthcare systems; and right-leaning people who view ongoing government efforts to encourage vaccination as an increasingly irritating nanny-state intrusion into their lives.  

This latter group has been encouraged in its hesitance by a growing number of Republican lawmakers and conservative groups across the country. Rep. Thomas Massie of Kentucky recently introduced a bill that would prohibit any branch of the military from requiring COVID vaccination. (Military members are already required to receive a bevy of other vaccines.)

So prickly have some Republicans grown about vaccination that they regard even simple encouragements to get vaccinated as tyrannical. Biden’s “door-to-door” comment Tuesday, for example, provoked a round of conservative denunciations. Young Americans for Liberty called it “outright Orwellian.” Rep. Chip Roy of Texas tweeted that he would start selling “Come Inject It” merch.

It’s possible some of this hesitancy will fade organically as the months go by, particularly if—as seems likely—it becomes clear that new outbreaks, cases, and deaths are clustered among unvaccinated populations. While few states publicly index their COVID disease statistics by vaccination status, the data we do have suggests this is happening already. The state of Maryland reported Tuesday that every one of its citizens that died of COVID in June had been unvaccinated, as had 93 percent of those hospitalized with the disease.

The sad fact of this hesitancy is that it will result in preventable deaths in the months ahead. What’s less clear is how far the impact will spread beyond the unvaccinated themselves. The more transmissible Delta variant is fast becoming the dominant COVID strain in America, but while vaccine protection is somewhat lessened against it, it’s extremely rare for it to cause serious illness in the vaccinated. As a result, we’re very unlikely to see anything like the kind of mayhem and uncontrolled spread we witnessed last winter again—assuming the Delta variant is as bad as we get.

“Most of all, the older folks in particular have gotten their vaccines,” Dr. Megan Ranney, an emergency physician and professor at Brown University, told The Dispatch. “Although we will see a lot of hospitalizations and sick people and possibly long COVID, it would have to be a new variant that really the vaccines just don’t work against to drive up into that kind of horrifying condition that we were in last fall and winter.”

But this, of course, is the rub: The more uncontrolled spread, the greater the chance of a new mutation that does have the ability to slip past the defenses granted by vaccination.

“The chance of you, personally, being the person who developed the deadly new variant of COVID is pretty low,” Ranney said. “But you know what, every variant starts somewhere, and the U.K. and the U.S. are not all that different … It just takes one bad mutation.”

Worth Your Time

• As we continue to emerge from the COVID-19 pandemic, Emily Yoffe hosted a discussion over at Persuasion focusing on what we as a society got wrong in dealing with the coronavirus, and what we got right. “I hate to say it, but the moment Donald Trump said he was for schools reopening, I think a lot of people turned their brains off, and they opposed it totally to thwart him,” epidemiologist Stefan Baral told Yoffe. “And I think that is one of the worst things that has happened.”

• In a piece for Sports Illustrated, Tom Verducci pauses to appreciate the greatness of Shohei Ohtani, the Los Angeles Angel who is doing things on a baseball diamond that haven’t been seen in decades—if ever. The 27-year-old phenom this week became the first player to ever be selected to the All Star Game as both a hitter and a pitcher, and on Wednesday he set a Major League Baseball record for the most home runs in a season by a Japanese-born player—with about half the season left to go. “Babe Ruth, his closest comp, was a true two-way player only for a 218-game window in 1918 and 1919—and not even the Babe slugged or ran like Ohtani while doing so,” Verducci writes. “This is not like what Samuel Johnson once said about a dog walking on its hind legs: ‘It is not done well, but you are surprised that it is done at all.’ No, this two-way show is more like a dog dancing the role of Princess Odette in Swan Lake.”

Presented Without Comment

Also Presented Without Comment

Toeing the Company Line

• On this week’s Dispatch Podcast, Sarah, David, Jonah, and Chris discuss the political salience of January 6 half a year later, whether Republicans have lost the right to be called the party of ideas, and if Democrats’ failure to recognize flaws in election administration will make it easier for bad actors to steal elections. Plus, is there growing tension between Ron DeSantis and Donald Trump?

• Scott Lincicome’s Capitolism this week (🔒) dissects the increasingly bipartisan consensus that free trade, trade agreements, and globalization have been a major driver of economic inequality in the United States by enriching the economic elite and hollowing out the working class. “As usual, however, this framing is far too simplistic,” Scott argues, pointing to a new paper examining Americans’ “surprisingly egalitarian consumption of imports.”

• In Wednesday’s G-File (🔒), Jonah laments the increasingly common political tactic of defining yourself simply in opposition to your political opponents. “This systematized distrust is like a kind of crazed mutual orbit, where each body in space pulls the other in a direction not of its own choosing. One side says X, so the other must, of necessity, take the not-X position,” he writes. “The problem is that this leads to a kind of categorical thinking that forces you to surrender to the other side’s categories.”

Let Us Know

If you were conducting an after-action report on the United States’ COVID-19 response, what would you say are the biggest things we got right, and the biggest things we got wrong?

Reporting by Declan Garvey (@declanpgarvey), Andrew Egger (@EggerDC), Charlotte Lawson (@charlotteUVA), Ryan Brown (@RyanP_Brown), Harvest Prude (@HarvestPrude), Tripp Grebe (@tripper_grebe), Emma Rogers (@emw_96), Price St. Clair (@PriceStClair1), Jonathan Chew (@JonathanChew19), and Steve Hayes (@stephenfhayes).