Four days ago, on December 13, Reuters broke the story that computer hackers had breached U.S. government agencies, including the Treasury Department and the Commerce Department. It was serious enough that the National Security Council had been called into an emergency meeting on Saturday. While no nation has yet been charged with this attack, officials agree that it looks like a Russian operation.
On Monday, the story got worse. Also hit were the Department of Homeland Security, the State Department, and the National Institutes of Health. Officials at the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security told all federal agencies to disconnect the products containing the malware that had been used to breach the firewalls. Those products had been installed as far back as March, meaning that the attackers had been able to observe crucial aspects of our government from the inside for as much as nine months. Government officials found out about the breach only after a private cybersecurity firm, FireEye, realized it had been hacked and alerted the FBI. Hackers planted the malware they used to get into the systems on a patch issued by the software company, SolarWinds, which produces widely used management software.
The story is getting worse still.
Today CISA said that the hackers used many different tools to get into government systems, taking them into critical infrastructure, which could include the electrical grid, telecommunications companies, defense contractors, and so on. Officials said that the hacks were “a grave risk to the federal government.”
Later in the day, it came out that the Energy Department and the National Nuclear Security Administration, which oversees our nuclear weapons, was also hit, although a Department of Energy spokesperson said that there is no evidence that the hackers breached critical defense systems, including the NNSA.
Microsoft’s president, Brad Smith, today said the company had identified 40 different companies, government agencies, and think tanks the hackers infiltrated, and that those forty were just the tip of the iceberg. Smith said that more companies had been hit than government agencies, “with a big focus on I.T. companies, especially in the security industry.”
The Associated Press quoted a U.S. official as saying: “This is looking like it’s the worst hacking case in the history of America. They got into everything.” Tom Kellermann, the cybersecurity strategy chief of the software company VMware, told Ben Fox of the Associated Press that the hackers could now see everything in the federal agencies they’ve hacked, and that, now that they have been found out, “there is viable concern that they might leverage destructive attacks within these agencies.”
It is not clear yet how far the hackers have penetrated, and we will likely not know for months. But given the fact they have had access to our systems since March and have almost certainly been planting new ways into them (known as “back doors”), all assumptions are that this is serious indeed.
Initially, Secretary of State Mike Pompeo downplayed the attack, saying that such attacks are common and that China, not Russia, is the biggest offender. Trump has said nothing about the attacks, and administration officials say that they are simply planning to hand the crisis off to Biden.
But this attack does not come out of the blue for the Trump administration. There was discussion of strengthening our security systems against attackers after the 2016 election, and on July 9, 2017, Trump suggested we would partner with Russia to address the issue. “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded,” he tweeted.
Congress instead created the CISA within the Department of Homeland Security in 2018 to protect against precisely the sort of attack which has just occurred, shortly after Russia hacked our electrical grid, including “multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors,” according to the FBI and Department of Homeland Security report.
In response to the Russian attack, the U.S. hit Russia’s electrical grid in June 2019.
Since then, administration officials have deliberately forced out of CISA key cybersecurity officials. The destruction was so widespread, according to Dr. Josephine Wolff, a professor of cybersecurity policy at Tufts University’s Fletcher School who holds her PhD from the Massachusetts Institute of Technology (MIT), “they signify the systematic decimation of the personnel most directly responsible for protecting critical infrastructure, shielding our elections from interference and guarding the White House’s data, devices and networks.”
Almost exactly a year ago, on December 19, 2019, Wolff warned in the New York Times that “As we head into 2020, worrying about the integrity of our elections, the growing scourge of ransomware and the increasingly sophisticated forms of cyberespionage and cybersabotage being developed by our adversaries, it’s disconcerting to feel that many of our government’s best cybersecurity minds are walking out the front door and leaving behind too few people to monitor what’s coming in our back doors.”
Just a month ago, Trump continued this process, firing Christopher Krebs, the former director of CISA, on November 18, saying he was doing so because Krebs defended the 2020 election as “the most secure in American history.” Krebs said that there “is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
And now, here we are. Senator Mitt Romney (R-UT) said to SiriusXM about the hack: "Our national security is extraordinarily vulnerable. And, in this setting, to not have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary."
The timing of the exposure of this hack might be coincidence, but it is curiously well timed. It illustrates to the world that Russia now holds power over the U.S. while the perpetrators can assume, after four years of Trump’s refusal to stand up to Putin, that they will not have to face immediate retaliation for the attack as they would have to if it were revealed just a month later.
President-elect Biden was briefed on the attack today. He warned that his administration would impose “substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.” “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said. “I will not stand idly by in the face of cyberassaults on our nation.”