Lawmakers are raising questions about whether the attack on the federal government widely attributed to Russia constitutes an act of war.
The hacking may represent the biggest cyberattack in U.S history, and officials are scrambling to respond.
The response is further complicated by the presidential transition — President Trump has yet to comment publicly on the attack — and the fact that the U.S. has no clear cyber warfare strategy.
“We can’t be buddies with Vladimir Putin and have him at the same time making this kind of cyberattack on America,” Senate Minority Whip Dick Durbin (D-Ill.) said of the attack during an interview Wednesday on CNN. “This is virtually a declaration of war by Russia on the United States and we should take that seriously.”
Sen. Mitt Romney (R-Utah) on Thursday compared the incident to Russian bombers "flying undetected over the entire country," and harshly criticized Trump for not doing enough to counter the attack.
"Our national security is extraordinarily vulnerable," Romney said on SiriusXM's "The Big Picture with Olivier Knox." "In this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary."
Hackers believed to be part of a nation state have had access to federal networks since March after exploiting a vulnerability in updates to IT group SolarWinds’s Orion software. The hack has compromised the Treasury, State and Homeland Security departments and branches of the Pentagon, though it is expected to get worse. SolarWinds counts many more federal agencies as customers, along with the majority of U.S. Fortune 500 companies.
On Thursday, Politico reported that the Energy Department’s National Nuclear Security Administration, which maintains the nation’s nuclear weapons stockpile, was also compromised, further raising the stakes.
Lawmakers say the scope of the attack, widely presumed to be by Russia, which has denied responsibility, demands some kind of response.
“No response is not appropriate, and that’s been our national policy by and large for the past 10 or 15 years,” Sen. Angus King (I-Maine), the co-chair of the Cyberspace Solarium Commission (CSC), said during an event hosted by Defense One on Thursday. “I want somebody in the Kremlin, sitting around that table to say, ‘wait a minute boss, if we do this we are liable to get whacked in some way,’ and right now they are not making that calculus.”
It's not the first time the U.S. has been hit by a nation state.
The Office of Personnel Management was breached by Chinese hackers in 2015, when the records of more than 22 million people were compromised.
North Korean hackers in 2014 breached Sony Pictures, while Kremlin-backed hackers were credited with launching a sweeping and sophisticated attack on the 2016 presidential election.
Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, blamed those attacks on the fact that all those countries felt they could do so without incurring a U.S. response.
He compared the state of U.S. cyber defenses to the unprepared state of U.S. health care systems at the beginning of 2020, and advocated for both Congress and the incoming administration of President-elect Joe Biden to immediately take steps to respond to the latest attack.
“I think we need to look at all the different tools, law enforcement tools such as indictments, and if necessary, military tools that remove the ability of the adversary to use similar tools to attack us,” Montgomery said.
Rep. Mike Gallagher (R-Wis.), the other co-chair of the CSC, on Thursday stressed that the incident appeared so far to be espionage rather than an attack. He stressed, however, that this could change as more details come to light, and that some type of response was necessary.
“There needs to be some response, and until those responsible feel pain in response to this intrusion, we can expect more of this to happen,” Gallagher said at the same Defense One event.
The intrusions by Russian hackers came to light right as the U.S. is facing a presidential transition, a global pandemic, and is without much of its cybersecurity leadership.
Under the Trump administration, both the White House cybersecurity coordinator position and the State Department's cybersecurity office were eliminated.
The Cybersecurity and Infrastructure Security Agency (CISA), created in 2018, has stepped into the breach, but is currently without Senate-confirmed leadership after Trump fired former Director Christopher Krebs and forced three other top leaders to step down after the agency took steps to assure the public that the 2020 election was secure.
The U.S. also generally lacks overall international agreements on cyber warfare or cyber espionage.
“If somebody flew a plane into our airspace, a military plane, we have an international accord for that, and we don't really have that for the digital domain,” said Theresa Payton, White House chief information officer during the George W. Bush administration and the current CEO of the cyber consultancy group Fortalice Solutions.
Biden on Thursday vowed to make a response to the attack and cybersecurity generally a “top priority” once in office.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said in a statement. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
“Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation,” Biden said.
While Trump has been silent, his national security adviser, Robert O’Brien, cut short a foreign trip earlier this week to return to the U.S. to help address the incident, and the CISA, the FBI, and the Office of the Director of National Intelligence have stood up a cyber response group.
Members of Congress united Thursday around highlighting the need to sign the 2021 National Defense Authorization Act (NDAA) into law as a way of immediately responding to the espionage incident without crossing over into a dicey international situation.
The bill, which Trump has said he intends to veto, includes a raft of cyber-related priorities aimed at increasing the nation’s ability to prevent and respond to attacks. These include the reestablishment of a White House cyber czar and the expansion of CISA’s powers.
“The cyber intrusion appears to be ongoing and has the hallmarks of a Russian intelligence operation,” Senate Armed Services Committee Chairman James Inhofe (R-Okla.) and ranking member Jack Reed (D-R.I.) said in a joint statement on Thursday.
“One of the immediate steps the Administration can take to improve our cyber posture is signing the NDAA into law,” they added. “The NDAA is always ‘must-pass’ legislation – but this cyber incident makes it even more urgent that the bill become law without further delay.”
Montgomery agreed with the urgent need to sign the bipartisan bill into law, noting that if Trump chose not to, it could further dampen his legacy on cyber defense.