Billions spent on US cyberdefenses failed to detect giant Russian hack

Over the past few years, the US government has spent tens of billions of dollars on cyberoffensive capabilities, building a giant war room at Fort Meade, Maryland, for U.S. Cyber Command, and installing sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the US government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security, which understandably focused on protecting the 2020 election, were looking elsewhere.

The new US strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — proved little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Midnight Maze.

Something else has not changed, either: An allergy inside the US government to coming clean on what happened.

The national security adviser, Robert C. O’Brien, cut short a trip to the Middle East and Europe on Tuesday and returned to Washington to run crisis meetings to assess the situation, but he and his colleagues have done whatever they could to play down the damage.

Asked Tuesday whether the Defense Department had seen evidence of compromise, the acting defense secretary, Christopher C. Miller, said, “No, not yet, but obviously looking closely at it.” Other government officials say that is trying to turn ignorance about what happened into happy spin — it is clear the Defense Department is one of many government agencies that made extensive use of the software that Russia bored into.

At the very moment in September that President Vladimir Putin of Russia was urging a truce in the “large-scale confrontation in the digital sphere,” where the most damaging new day-to-day conflict is taking place, one of his premier intelligence agencies had pulled off a sophisticated attack that involved getting into the long, complex software supply chain on which the entire nation now depends.

“Stunning," Sen. Richard Blumenthal, D-Conn., wrote Tuesday night. “Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on.”

He called for the government to declassify what it knows and what it doesn’t know.

On Wednesday morning, Sen. Dick Durbin, D-Ill., called the Russian cyberattack “virtually a declaration of war.”

So far, though, President Donald Trump has said nothing, perhaps aware that his term in office is coming to an end just as it began, with questions about what he knew about Russian cyberoperations and when. The National Security Agency has been largely silent, hiding behind the classification of the intelligence. Even the Cybersecurity and Infrastructure Security Agency, the group within the Department of Homeland Security charged with defending critical networks, has been conspicuously quiet on the Russian mega hack.

Blumenthal’s message on Twitter was the first official acknowledgment that Russia was behind the intrusion.

Trump administration officials have acknowledged that several federal agencies — the State Department, the Department of Homeland Security, parts of the Pentagon as well as the Treasury and the Department of Commerce — had been compromised. Investigators were struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected.

The same questions are being asked inside many Fortune 500 companies that use the network management tool, called Orion and made by Austin, Texas-based company SolarWinds. Los Alamos National Laboratory, where nuclear weapons are designed, uses it, as do major defense contractors.

“How is this not a massive intelligence failure, particularly since we were supposedly all over Russian threat actors ahead of the election,” Robert Knake, a senior Obama administration cyberofficial, asked on Twitter on Wednesday. “Did the NSA fall in a giant honey pot while the SVR” — Russia’s most sophisticated spying agency — “quietly pillaged” the government and private industry?

Of course, the NSA is hardly all-seeing, even after placing its probes and beacons into networks around the world. But if there is a major investigation — and it is hard to imagine how one could be avoided — the responsibility of the agency, run by Gen. Paul Nakasone, one of the nation’s most experienced cyberwarriors, will be front and center.

Government officials have yet to acknowledge what the Russians were seeking or what they stole — and perhaps that has not been determined.

Even if the Russians got into these institutions, it is not yet certain whether they got into the most classified networks. But experience shows that there is lots of highly sensitive data in places that do not have layers of classification. That was the lesson of the Chinese hack of the Office of Personnel Management five years ago, during the Obama administration, when it turned out that the security-clearance files on 22.5 million Americans, and 5.6 million sets of fingerprints, were being stored on lightly protected computer systems in, of all places, the Department of the Interior.

They are now all in Beijing, after the files were spirited out without setting off alarms.

“An intrusion like this gives the Russians a rich target set,” said Adam Darrah, a former government intelligence analyst, now director of intelligence at Vigilante, a security firm. “The SVR goes after these targets as a jumping-off point to more desirable targets like the CIA and NSA.”