In the wake of a massive, potentially catastrophic hack that is reportedly affecting numerous federal agencies and large US corporations (the scope of the intrusion is not yet fully known), a growing number of government officials, including President-Elect Joe Biden, are calling for an aggressive response.
But what that response should be is up for debate. Experts in the information security field are characterizing the deep penetration of important computer networks as acts of espionage—early signs point to Russia—but some politicians are casting the hacks in much starker terms. Sen. Dick Durbin (D-Ill.) called it “virtually a declaration of war by Russia.” Sen. Marco Rubio (R-Fla.), interim chair of the Senate Intelligence Committee, urged patience with attribution but said that “America must retaliate, and not just with sanctions.” Biden said his administration would “elevate cybersecurity as an imperative,” and added that “a good defense is not enough; we need to disrupt and deter our adversaries,” and let potential attackers know that “I will not stand idly by in the face of cyber assaults on our nation.”
President Donald Trump has not said a word about the hack publicly, but his press secretary, Kayleigh McEnany, insisted the government was “taking all necessary steps to identify and remedy any possible issues related to the situation.”
It’s not as though the federal government has entirely sat on its hands, says Javed Ali, a University of Michigan professor focused on national security and cybersecurity policy. In the wake of Russia’s 2016 election meddling, Congress imposed sanctions and President Barack Obama’s administration expelled Russian “diplomats” suspected of intelligence activities. The US government has also grown more aggressive in conducting its own cyber operations and naming and indicting foreign hackers—as Special Counsel Robert Mueller did with certain Russian military hackers and the Justice Department did more recently, accusing Chinese military hackers of conducting operations related to COVID-19 research. Ali told me that if the hacks can be tied back to Moscow, they are just the latest in a string of significant and aggressive cyber operations perpetrated by elements of the Russian government against local, state, and federal governments and corporate entities. “We clearly have not imposed the right level of costs,” says Ali, who previously served at the Department of Homeland Security, the FBI, and the National Security Council.
Shortly after the November elections, the New York Times reported on the apparent success of American policy that relied on “persistent engagement” and “defend forward” tactics to stay ahead of foreign adversaries. In a recent piece, however, the Times pointed out that the “tens of billions” the US spent on its cyber capabilities was not sufficient to thwart “among the greatest intelligence failures of modern times.”
“We did a victory lap after the election,” Ali says. “Putin must have been laughing … the whole time. He’s like ‘You guys have no idea what we’re really doing to you.’”
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence issued a joint statement Wednesday acknowledging “a significant and ongoing cybersecurity campaign” dating back to March 2020 that has affected multiple federal agency networks. The announcement came a little more than a week after FireEye, a major cybersecurity firm, revealed that it had itself been breached and that the red-team tools it uses to test customers’ defenses had been stolen. Subsequent reports suggest that Homeland Security, Energy, and Treasury were among the departments compromised, along with local governments in Texas and Arizona.
The hackers, whoever they are, inserted a backdoor into a legitimate, digitally signed software update for Orion, a network-monitoring platform sold by SolarWinds that is used by many government and private-sector organizations. Because the update came through the vendor’s normal release channel, customers’ standard update checks had no reason to reject it. The malicious update appears to have been downloaded and installed by more than 17,000 customers. Officials don’t know, or have yet to reveal, exactly what the backdoor allowed the attackers to do—whether it was used simply to access information, or to establish a foothold for more serious future activity, such as the modification or deletion of important data or the destruction of infrastructure.
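The paragraph above describes the core of a software-supply-chain compromise: the tampered update was signed by the vendor’s own release pipeline, so a signature check passes. The following added example (not code from the article, SolarWinds, or any investigator) models that in a few lines. The vendor “signing key,” the clean and trojanized build contents, and the independently published hash are all constructed stand-ins; an HMAC is used in place of a code-signing certificate purely so the example runs with the Python standard library. The point it demonstrates is that only an integrity check anchored outside the vendor’s pipeline (for example, a hash from a reproducible build or an independent attestation) distinguishes the two artifacts.

```python
"""Why a trojanized but vendor-signed update passes signature checks.

Added illustration; all keys, builds and hashes below are constructed.
"""
import hashlib
import hmac

# Constructed artifacts. In the real incident the backdoor lived inside a
# legitimate library; here a trailing comment stands in for the implant.
CLEAN_BUILD = b"monitoring-platform core library, constructed clean build\n"
TROJANIZED_BUILD = CLEAN_BUILD + b"# constructed backdoor stub\n"

# Stand-in for the vendor's code-signing key. It is NOT an asymmetric
# signature; HMAC is used only so the example runs with the stdlib.
VENDOR_SIGNING_KEY = b"constructed-vendor-release-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact."""
    return hashlib.sha256(data).hexdigest()


def sign(artifact: bytes, key: bytes) -> str:
    """Vendor-side 'signature' over the artifact (HMAC stand-in)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str, key: bytes) -> bool:
    """Customer-side signature check, constant-time comparison."""
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(build: bytes) -> dict:
    """Models the vendor pipeline: whatever build reaches it gets signed.

    A compromised build system therefore produces a validly signed
    malicious release, which is the supply-chain failure mode.
    """
    return {"artifact": build, "signature": sign(build, VENDOR_SIGNING_KEY)}


def check_update(release: dict, key: bytes, independent_hash: str) -> dict:
    """Run both checks a cautious customer could apply to an update.

    - signature_valid: did the vendor's key sign this exact artifact?
    - matches_independent_hash: does the artifact match a hash obtained
      outside the vendor's release channel (e.g. a reproducible rebuild)?
    """
    artifact = release["artifact"]
    return {
        "signature_valid": verify_signature(artifact, release["signature"], key),
        "matches_independent_hash": hmac.compare_digest(
            sha256_hex(artifact), independent_hash
        ),
    }


def run_scenario() -> dict:
    """Compare a clean release with a trojanized one signed by the same key."""
    # The independent hash is computed from the known-good source build,
    # not taken from the vendor's download page.
    independent_hash = sha256_hex(CLEAN_BUILD)
    return {
        "clean": check_update(vendor_release(CLEAN_BUILD), VENDOR_SIGNING_KEY, independent_hash),
        "trojanized": check_update(
            vendor_release(TROJANIZED_BUILD), VENDOR_SIGNING_KEY, independent_hash
        ),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:11s} signature_valid={result['signature_valid']} "
              f"matches_independent_hash={result['matches_independent_hash']}")
```

Both releases carry a valid vendor signature; only the independent hash comparison flags the trojanized build. In practice that second check is what reproducible builds, SBOM attestations and out-of-band hash publication are meant to provide, and it is the check most update clients do not perform.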
Brad Smith, the president of Microsoft, wrote in a blog post Thursday that the activity represents “a broad and successful espionage-based assault on both the confidential information of the US Government and the tech tools used by firms to protect them.”
In an op-ed this week, Alex Stamos, the former chief information security officer for Yahoo and Facebook, and now director of the Stanford Internet Observatory, wrote that, beyond retaliation, the US government needs to up its own cyber game. He suggests the creation of a new government division to track attacks, investigate incidents, and issue recommendations. Stamos also called for stronger laws to force government agencies or private corporations to publicly disclose breaches that now fly under the radar, a strengthening of CISA’s abilities to defend public and private networks, and the appointment to key government roles of people with actual experience defending computer networks from attacks.
Security experts agree the feds need to get better at defense. Less clear is how the government should retaliate for these latest attacks. No option is perfect, Ali says. These hacks seem to be “a dramatic escalation,” so the question is how aggressive the response should be, and whether it should be made public.
“Proportional response, whatever that is, loses some of its value if people don’t know that something has happened,” he says. “Even if you’re able to conduct the operation and achieve the effects that you want, are we then willing to publicly acknowledge them and then incur the consequences?”