President-elect Joe Biden on Tuesday blamed Russia for carrying out a sprawling ongoing hacking operation against U.S. government agencies and major companies ― echoing most cybersecurity experts and breaking with President Donald Trump, who has suggested China was responsible.
Multiple assessments, including from Secretary of State Mike Pompeo and Attorney General William Barr, suggest Russia is responsible, said Biden, who is being regularly briefed on U.S. intelligence, during a press conference in Wilmington, Delaware. He urged Trump to soon make a similar announcement to hold Moscow accountable.
Biden suggested the outgoing president made the country vulnerable to such a crisis, citing Trump’s decision to abolish a White House role responsible for cybersecurity and blasting Trump’s “irrational downplaying of the seriousness of this attack.”
“Enough’s enough ... we can’t let this go unanswered,” Biden continued, saying as commander in chief he would respond once the U.S. makes a formal declaration of Russian responsibility but declining to describe how he might do so. “We don’t sit here and say, we’re going to strike you with a nuclear weapon,” Biden told a reporter who asked him to outline possible options.
Officials, private firms and national security analysts are still struggling to understand the full extent of the attack, which is widely known as the SolarWinds hack after the cyber company whose software was targeted. The hack poses “a grave risk” to the U.S., according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Experts are concerned because of how much data the hackers were able to access once they infiltrated SolarWinds software used by thousands of major American institutions earlier this year. After penetrating the computer management system, which is called Orion, between March and June, the hackers entered the computer systems of SolarWinds clients who downloaded Orion updates. The attackers then secretly remained inside those systems for months until private cybersecurity investigators spotted strange activity and tipped off the National Security Agency.
The victims of the campaign ― which reports suggest was carried out by the Russian government hacking group APT29 or CozyBear ― include the State, Treasury and Energy departments, as well as corporations like Microsoft and Cisco. Many of them have had to take large chunks of their networks offline and revelations about other targets continue to trickle out. Russian officials deny any involvement.
Biden said he was awaiting a full accounting of the damage done by the hack. Last week, he pledged to “make dealing with this breach a top priority from the moment we take office.”
For the president-elect to be so frank shows how concerned his administration-in-waiting already is about the issue. On the vast majority of national security matters, including steps taken by Trump that could make Biden’s foreign policy goals harder to achieve, the incoming Biden team has declined to comment, citing respect for the principle that the U.S. only has one president at a time.
The first key step to address the hack is for officials to understand what Russia has taken and how to prevent it from using that data to cause further harm, said Suzanne Spaulding, a veteran cybersecurity official now with the Center for Strategic and International Studies think tank. That includes identifying potentially stolen confidential and strategic information, whether about U.S. assets abroad or about critical infrastructure such as electricity grids, and quickly changing vital processes to make them less vulnerable to Russian meddling, she added.
Some clues to Moscow’s intentions could become clear quickly because of whom the hackers pursued out of SolarWinds’ vast client list, Spaulding said.
“They used a vector that had the potential to impact 18,000 customers but from what we’ve heard, they didn’t actually exploit that access in the vast majority of those cases ... so that means this was fairly targeted in the actual exploitation and so what can we learn from that?” Spaulding continued.
Lawmakers like Reps. Adam Schiff (D-Calif.), chairman of the House Intelligence Committee, and Elissa Slotkin (D-Mich.), a former Pentagon official, have said in statements that the hack also shows how urgently the U.S. needs to shore up its cyber defenses. Bipartisan defense legislation that Trump has yet to sign would make some progress in that direction, for instance by restoring the cyber czar role at the White House.
Deterring similar hacks in the future involves more than efforts to punish or be aggressive with adversaries like the Russians, analysts Benjamin Jensen, Brandon Valeriano and Mark Montgomery, who are all associated with the congressionally appointed Cyberspace Solarium Commission, recently wrote in Lawfare. They urged the government to engage in more international coordination on cyber regulation, constant public tests of the security of its networks and greater coordination with the private sector.
Other experts, like Ron Ross at the National Institute of Standards and Technology, say the U.S. must reconsider its approach to engineering so it can build its systems to be more secure.
The first move, of course, is recognizing the reality and gravity of the situation ― the way Biden has now done in contrast to Trump.
“President Trump’s muddying the waters, implying that maybe it was China, is extremely harmful,” said Spaulding, who has worked for Republican and Democratic presidents and lawmakers for decades.