Russia was behind cyberattack on US, alleges Pompeo


Trump, on the other hand, played down the role of Russia and blamed China


When Secretary of State Mike Pompeo told a conservative radio show host Friday, almost as an aside, that “we can say pretty clearly that it was the Russians” behind the vast hack of the federal government and US industry, he put the Trump administration on record for the first time blaming the Kremlin for a cybersecurity breach on a scale Washington has never seen before.

But with 30 days left in office, national security officials say they are all but certain to hand off the sensitive issue of how to respond to President-elect Joe Biden. And that seemed especially clear Saturday, when President Donald Trump sought to minimize the importance of the hack, insisting that “everything is well under control” and suggesting that it might have been China rather than Russia that carried it out.

Trump even sought, with no evidence, to link the hack to his loss in the election. “There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA,” he wrote on Twitter, tagging Pompeo in his remarks.

In fact, the election system, spread across 50 states, appears to have been unaffected by the attack, which was focused on federal agencies and the country’s biggest companies.

So, in the midst of a pandemic, Biden will inherit a government so laced with electronic tunnels bored by Russian intelligence that it may be months before he can trust the systems that run much of Washington. And in his first days in office, he will have to confront a quandary that has confounded his predecessors for a quarter-century in dealing with cyber intrusions: Retaliation often results in escalation.

As Michael Sulmeyer, now a senior adviser to US Cyber Command, once put it before he entered government, America “lives in the glassiest of glass houses.” What he meant was that the United States is more reliant than almost any other nation on fragile computer networks that make the government and economy hum, making it an especially big and vulnerable target for digital spying and attacks.

In contrast with Trump, who has always been reluctant to confront Moscow, Biden has signalled that he will not let the intrusion, whose full extent is not yet known, pass without a response.

“A good defence isn’t enough,” Biden said in a statement Thursday, vowing to impose “substantial costs on those responsible for such malicious attacks.”

He will not find that easy.

All countries spy on each other, of course, and for now that appears to have been the first objective of the Russian campaign, one that researchers said Friday appears to date back to October 2019.

That was when hackers presumed to be working for the SVR, one of the most elite and talented of the Russian spy agencies, first broke into the SolarWinds network management software, which is used across the federal government and by three-quarters of the nation’s Fortune 500 companies.

The theory is that the Russians were conducting an early exploration, trying to figure out whether they could get into the “supply chain” of software that would give them broad access to the array of systems that make America tick.

What no one in the Trump administration wants to address, at least publicly, is how the Russians managed to evade billions of dollars in American-built defenses that are intended to set off alarms when a foreign power comes into its networks. That question, too, now seems certain to be left to Biden to answer.

From their new cyber command centre in Fort Meade, Maryland, the National Security Agency and Cyber Command are supposed to monitor incoming attacks, the way generations of US military officials jammed underground command centres to look for incoming missile attacks since the dawn of the nuclear age.

In this case, the sensors never went off, and the commander of those cyber forces, Gen. Paul M. Nakasone, one of the nation’s most experienced cyber warriors, has said not one word in public about what went wrong.

The private sector will face hard questions as well. The attack was ultimately detected by FireEye, one of the country’s premier cybersecurity firms — but only after the Russians had cleaned it out, too, stealing the “Red Team” tools that the firm uses to discover vulnerabilities in corporate and government systems. The firm had to publish the technical details of those tools last week so that Moscow could not use them to wreak further havoc.

The Russian attack was carefully calibrated to avoid all of those defences. It gained access to the updates of the SolarWinds software — akin to the updates Apple and other phone-makers push onto cellphones as they charge overnight — betting that small changes in code would not be noticed.

They inserted malware that, once the updates were installed by government agencies and companies, would give them broad access to computer systems. From there they could build “back doors” that would enable them to come and go, steal data and — though it apparently hasn’t happened yet — alter data or conduct destructive attacks.

“This was a cybersecurity superspreading event,” Brad Smith, president of Microsoft Corp., said in an interview Thursday. “And I would argue that this is more than just spying; it is the creation of a broad supply chain vulnerability that requires a different kind of response. It created a vulnerability for the world in a way that other espionage techniques do not.”

Smith called it “a moment of reckoning.”

While Trump began his time in office with a strong cybersecurity team in the White House, his third national security adviser, John Bolton, ousted them and eliminated the post of a cyber czar with direct access to the president. The new National Defense Authorization Act, which Trump is threatening to veto for other reasons, would re-create such a post. It is one of several recommendations from a bipartisan Cyberspace Solarium Commission that wrote a report earlier this year, before the Russian attack was known.

Yet until Pompeo, who ran the CIA for the first two years of the Trump administration, made his assessment in an interview on “The Mark Levin Show,” the administration had all but ignored the attack in public — perhaps realizing that an administration that came into office on the heels of Russian interference in the 2016 election was leaving as the victim of one of Russia’s most well-executed cyberattacks.

“This was a very significant effort,” Pompeo said, adding that “we’re still unpacking precisely what it is.” He said he expected most of the details would remain classified.

He did not mention that the hackers had gotten into his own workplace — the State Department — nor did he say whether they were only in unclassified spaces. He also made no mention of the fact that the Treasury Department and US nuclear laboratories like Los Alamos were hit.

“We have failed to deter the Russians,” Sen. Chris Coons, D-Del., who is close to Biden, said Thursday. “We are only going to see Putin stop this action when we stop him. This is as aggressive to our intelligence and military systems as anything in my lifetime.”

But if history is any guide, that will be difficult. The US conducts its own spying missions; that is what the National Security Agency spends billions of dollars to accomplish. The US has carried out supply chain attacks, too — against Iran’s nuclear centrifuges and its missile program. It has been running them against North Korea for years.

“The US government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the US government hacks foreign government networks on a huge scale every day,” said Jack Goldsmith, a Harvard Law School professor who worked in the George W. Bush administration’s Justice Department and writes often on the Wild West rules of attacking the internet.

“Indeed, a military response to the Russian hack would violate international law,” he added. “The United States does have options, but none are terribly attractive.”

And that is the core of Biden’s problem. In the first 16 days of his presidency, he will have to deal with Russian President Vladimir Putin to address the renewal of New START, the nuclear arms control treaty that expires Feb. 5. Biden has said he favours a clean renewal of the agreement, which can be extended five years without having to return to the Senate for approval.

But he will be conducting that negotiation while also dealing with the question of how to retaliate. It is a question that confounded the Obama administration, which failed to call out the Russians for their 2014-15 attacks on the White House’s and State Department’s email systems and those of the Joint Chiefs of Staff.

In retrospect, several members of the Obama administration — including some appointed to senior posts in the incoming administration — wonder if that emboldened the Russians to conduct further short-of-war attacks.