The United States faces an alarming and growing threat of cyberattacks from Russia. Some in Congress would compound these dangers by enacting legislation that would force America’s leading tech companies to allow access to their software, hardware and operating systems to customers and competitors in the U.S. and overseas.
The Cybersecurity & Infrastructure Agency (CISA) has been blunt about Russia.
“The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries,” CISA says on its website.
During a “60 Minutes” interview on April 17, CISA director Jen Easterly said: “We are seeing evolving intelligence about Russia planning for potential attacks. And we have to assume that there’s going to be a breach. There’s going to be an incident. There’s going to be an attack.”
Last year, a ransomware attack on the Colonial Pipeline, thought to have been done by criminals in Russia but not the Russian government itself, caused widespread disruption even though it lasted just a few days. Coordinated, sustained attacks from Russia’s government would impose exponentially more harm.
Against this backdrop, the Senate is poised to vote on the American Innovation and Choice Online Act that would compound these dangers. Introduced by senators Amy Klobuchar, D-Minn., and Chuck Grassley, R-Iowa, it broadly requires Big Tech companies to provide information about back-end infrastructure, that is hardware and software, to competitors and third parties.
While exceptions are in place for cybersecurity threats, the language governing this is vague, and the enforcement powers given to regulators are exceptionally strong. With companies facing fines of up to 10 percent of annual revenue for non-compliance, there will be considerable pressure to give in.
Bad actors do not announce they are bad actors before penetrating companies. Given this and the heightened dangers from Russia, now is a time to be especially cautious about granting such access. Even the European Union has not been as reckless as AICO would be from a cybersecurity standpoint.
Regardless of how events go in the war with Ukraine, Russia’s cyberattack risks will be extremely high during the next year or longer. A Ukrainian victory, or battlefield humiliation, could lead Russia to lash out and flex its cyber muscle to deter U.S. support for the Ukrainians’ brave and honorable fight.
And a Russian victory, with sanctions still in effect, could lead President Vladimir Putin to use cyber as a weapon to curb sanctions.
Russia has already blatantly engaged in cyberattacks against Ukraine’s postal service, Ukraine’s electric grid, and a Saudi Arabian oil refinery. And we know there are no limits to Russian brutality in Ukraine.
As the U.S. Chamber of Commerce has documented, America’s large tech companies, including Google, Microsoft and Amazon, are playing a critical role in preventing cyberattacks in Ukraine. Many other world-class companies are helping keep us safe from electric grid attacks, such as Raytheon Technologies, Sierra Nevada Corporation and Forescout.
These companies know that now is a time for especially strong vigilance on cybersecurity, which the U.S. Congress should take to heart.
The move to bash Big Tech through AICO has brought together those on the left who despise large, successful private companies and those on the right who believe Big Tech is politically biased and swung the 2020 presidential election. But recklessly opening these companies to potential adversaries does not address either of these concerns. At the same time, it empowers Russia and hurts many entrepreneurial and other businesses.
Like many politically expedient measures that gain traction, AICO is fraught with dangers and should be tabled before it is the catalyst for great harm.