Washington – Over the past few years, the U.S. government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for U.S. Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.
It now is clear that the broad Russian espionage attack on the U.S. government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.
Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.
The new U.S. strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries to warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.
Over the past few days, the FBI, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence formed an urgent response group, the Cyber Unified Coordination Group, to coordinate the government’s responses to what the agencies called a “significant and ongoing cybersecurity campaign.”
At the very moment in September that Russian President Vladimir Putin was urging a truce in the “large-scale confrontation in the digital sphere,” where the most damaging new day-to-day conflict is taking place, one of his premier intelligence agencies had pulled off a sophisticated attack that involved getting into the long, complex software supply chain on which the entire nation now depends.
“Stunning,” Sen. Richard Blumenthal, D-Conn., wrote Tuesday night. “Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on.”
He called for the government to declassify what it knows and what it does not.
Briefings on the intrusion, including to members of Congress, have discussed the extent of the Russian penetration but have not outlined what information was stolen — or whether the access the hackers gained might allow them to conduct destructive attacks or change data inside government systems, a fear that looms above mere spying.
Investigators have not discovered breaches into any classified systems, only unclassified systems connected to the internet. Still, the intrusion seems to be one of the biggest ever, with the amount of information put at risk dwarfing other network intrusions.
On Wednesday morning, Sen. Dick Durbin, D-Ill., called the Russian cyberattack “virtually a declaration of war.” All nations spy on one another, and the United States uses cyberinfiltration to steal secrets as well. But disparate Russian intelligence units have, in previous attacks, used similar access to shut systems down, destroy data and, in the case of Ukraine, shut off power.
The Russians have denied any involvement. The Russian ambassador to the U.S., Anatoly Antonov, said there were “unfounded attempts by the U.S. media to blame Russia” for the recent cyberattacks, in a discussion hosted by Georgetown University on Wednesday.
Until Saturday, President Donald Trump had said nothing, perhaps aware that his term in office is coming to an end just as it began, with questions about what he knew about Russian cyberoperations and when. The National Security Agency has been largely silent, hiding behind the classification of the intelligence. Even the Cybersecurity and Infrastructure Security Agency, the group within the Department of Homeland Security charged with defending critical networks, has been conspicuously quiet on the Russian mega hack.
Blumenthal’s message on Twitter was the first official acknowledgment that Russia was behind the intrusion.
Trump administration officials have acknowledged that several federal agencies — the State Department, the Department of Homeland Security, parts of the Pentagon as well as the Treasury and the Department of Commerce — had been compromised in the Russian hacking. But investigators are still struggling to determine the extent to which the military, intelligence community and nuclear laboratories were affected.
Inside banks and Fortune 500 companies, executives are also trying to understand the impact of the breach. Many use the network management tool that the hackers quietly bored into, which is called Orion and made by Austin, Texas-based company SolarWinds. Los Alamos National Laboratory, where nuclear weapons are designed, also uses it, as do major military contractors.
“How is this not a massive intelligence failure, particularly since we were supposedly all over Russian threat actors ahead of the election?” Robert Knake, a senior Obama administration cybersecurity official, asked on Twitter.
The intrusion, said the person briefed on the matter, shows that the weak point for the American government computer networks remains administrative systems, particularly ones that have a number of private companies working under contract. The Russian spies found that by gaining access to these peripheral systems, they could make their way into more central parts of the government networks.
SolarWinds was a ripe target, former employees and advisers say, not only for the breadth and depth of its software, but for its own dubious security precautions.
Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds’ update mechanism — the vehicle through which 18,000 of its customers were compromised. The password was “solarwinds123.”
Even if the Russians did not breach classified systems, there is a lot of highly sensitive data in places that do not have layers of classification. That was the lesson of the Chinese hacking of the Office of Personnel Management five years ago, during the Obama administration, when the security-clearance files on 22.5 million Americans, and 5.6 million sets of fingerprints, were being stored on lightly protected computer systems in, of all places, the Department of the Interior.
They are now all in Beijing.
Saved Stories – None