Secretary of State Mike Pompeo on Friday blamed Russia for the massive cyberattack against multiple U.S. agencies and thousands of individual federal and private entities, saying the country was “pretty clearly” behind the attack.
“I can’t say much more, as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified. But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems and it now appears systems of private companies and companies and governments across the world as well,” Pompeo said on “The Mark Levin Show.”
“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” he added.
Pompeo is the first major Trump administration official to attribute the hack directly to Russia, though the sophisticated large-scale attack has widely been presumed to be tied to the country.
Experts say the effort, which targeted third-party software contractor SolarWinds, blindsided the U.S. government. Numerous federal agencies, including the departments of Energy, Homeland Security, State and Treasury, were reportedly breached.
Pressed on any public response from President Trump to the hack, Pompeo suggested that “a wiser course of action to protect the American people is to calmly go about your business and defend freedom.”
While Trump has not weighed in on the attack, President-elect Joe Biden has vowed to “elevate” cybersecurity throughout government and “make dealing with this breach a top priority from the moment we take office.”
“Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation,” Biden said Thursday, adding his administration would impose “substantial costs” on anyone responsible for malicious attacks to deter such action.
Experts have described the SolarWinds attack as one of the most successful cyber intrusions in U.S. history, with hackers able to access systems as early as March.
SolarWinds counts among its clients numerous government agencies and Fortune 500 companies. As many as 18,000 clients downloaded compromised software from the company that delivered malware inserted by hackers.
Russia has long been viewed as a threat in cyberspace. But after one of the most successful cyber intrusion campaigns in U.S. history, questions are being raised over how the federal government was so completely blindsided by an attack many experts have seen coming.
The successful hacking of multiple federal agencies and tens of thousands of individual federal and private entities — widely presumed to be a Russian intrusion and which federal officials warn is ongoing — managed to subvert sophisticated protections by targeting third-party software contractor SolarWinds.
“We shouldn’t have been surprised, the Russians are very sophisticated, they are very dedicated and relentless, and this appeared to be a soft target they were able to exploit,” Christopher Painter, the former State Department cybersecurity coordinator under both the Trump and Obama administrations, told The Hill on Friday.
Russia, alongside China, North Korea and Iran, is considered one of the pressing threats to the U.S. in multiple fields.
Following the 2016 presidential election, when Russian agents launched a sweeping and sophisticated campaign designed to sway the election toward now-President Trump, top federal agencies began a four-year process designed to shore up the election and ensure this type of attack could never happen again.
These officials, led by the two-year-old Cybersecurity and Infrastructure Security Agency (CISA), largely succeeded, with Election Day seeing few security incidents.
However, some say the U.S. may have turned attention away from other attack vectors used by Russia.
As of Friday, agencies including the Department of Energy and its National Nuclear Security Administration, the Department of Homeland Security, the State Department, and the Treasury Department had reportedly been breached as part of the espionage incident. SolarWinds has reported it believes at least 18,000 of its customers were compromised by the hack.
The hackers accessed systems as early as March, and questions have mounted over how much they took or were able to access.
“This is the most significant cyberattack in the history of the United States,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and current head of cybersecurity at VMware Carbon Black, told The Hill. “It’s unprecedented in the 22 years I’ve been in the business.”
Kellermann said he and his team believed that Russia had stepped up its cyberattacks against the U.S. in retaliation for the success of securing the 2020 elections and following the disruption of international botnet group “TrickBot” that targeted U.S. critical infrastructure with ransomware viruses.
He noted that ransomware attacks on hospitals over the fall “should have been a signal and a red line that dramatic escalation is occurring.”
Key details are emerging of overlooked vulnerabilities.
“It’s important to focus in on this nuance that there is a small set of actions that can help prevent incidents like this in the future and that could have potentially discovered it earlier,” said David Springer, who has served at the National Counterterrorism Center and the Defense Intelligence Agency and is currently at the law firm Bracewell.
“The penetration of SolarWinds appears to be the product of poor cyber hygiene at the company,” said Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies. “And let’s not undersell the skill sets of the perpetrators. The Russian intelligence services – SVR – are capable adversaries.”
The idea of strengthening cybersecurity defenses and zeroing in on critical supply chains for federal agencies is not new on Capitol Hill, and both have gained wide bipartisan support. However, partisan gridlock on other issues has made it increasingly difficult for legislation to move through Congress, slowing down cyber priorities.
One item that has gained bipartisan support is the 2021 National Defense Authorization Act (NDAA), which includes the widest range of federal cybersecurity improvements in years, including provisions establishing a White House cyber czar and strengthening CISA’s powers.
President Trump has announced his intention to veto the bill over other concerns, drawing bipartisan backlash, and has not yet commented on the breach, despite being reportedly briefed on the topic.
“This cyber attack likely perpetrated by the Russians spotlights the glaring vulnerabilities of our federal cybersecurity system,” Sen. Susan Collins (R-Maine), a member of the Senate Select Committee on Intelligence, tweeted Friday.
“The President should immediately sign the NDAA not only to keep our military strong but also because it contains significant cyber security provisions that would help thwart future attacks,” she added.
The leaders of the Senate Armed Services Committee put out a statement Thursday night describing the NDAA as “must-pass legislation” in light of the breach. Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the incoming leaders of the Senate Homeland Security and Governmental Affairs Committee, vowed Friday to produce “bipartisan comprehensive legislation” next year to ensure this type of attack never happens again.
National security officials face a challenge in how to respond to foreign cyber espionage, and are reluctant to impose high costs that could in turn be inflicted on the U.S. over its own intelligence gathering.
Officials have taken action when espionage activities have risen to the level of threatening national security, such as the Trump administration’s closure of the Chinese consulate in Houston in July over what it said were espionage activities that went beyond intelligence gathering.
Springer, the former federal counterterrorism official, said the information available on the SolarWinds attack points to traditional espionage, but that there is cause for worry over what national security infrastructure is compromised.
“Based on the very early days, limited information we have so far, it appears that this was mostly traditional intelligence gathering, but I think it’s a real concern that the same access to these critical targets and systems could easily be used for another purpose, in the future, had it not been discovered,” he said.
John Bolton, Trump’s former national security adviser, said during an interview with MSNBC that the response from the U.S. needs to be at least three times more than the cost incurred from the attack.
“The top priority has got to be, if we determine it’s the Russians, that’s where the information tends to point, what the retaliation is going to be,” he said. “And I think it ought to be, whatever we assess what the cost we incur to be — plus, plus, plus. That’s how you reestablish deterrence.”