“We’d be very fortunate if this is what gets us on the right track,” says Mr. Montgomery, who served as policy director of the Senate Armed Services Committee under the late Republican Sen. John McCain.
A supply chain attack
The nature of this latest intrusion into U.S. computer systems is what made it so worrisome to government cybersecurity officials. It was what they call a “supply chain attack,” meaning it affected a popular software product made by the U.S. firm SolarWinds that monitors the networks of many government entities and businesses.
Hackers slipped malicious code into updates to SolarWinds products. When downloaded, the corrupted code opened access to the infected computers so the attackers could steal information. It wasn’t discovered until the private cybersecurity firm FireEye noticed it had been hacked and went public with the information.
Microsoft, which has helped to try and limit the breach, announced last week that it has identified at least 40 government agencies, nongovernmental organizations, and big information technology firms that have been affected. The Treasury Department, for instance, has had multiple systems compromised, including computers used by its highest-ranking officials, according to Democratic Sen. Ron Wyden of Oregon.
Tech giants Cisco Systems, Intel Corp., and Belkin International are among the corporate victims.
Even if these systems contained only unclassified information – as so far seems to be the case – the aggregate data collected can give the assailant a classified-level understanding of some government efforts, according to Mr. Montgomery. Data can hint toward future policy and regulatory decisions.
Data from the private sector can expose closely held research-and-development information, plans for the future, and system vulnerabilities that might lead to more hacks.
“If an adversary can get inside your system undetected and then wipe away his fingerprints of entry and then establish a new method for transferring the information in and out of your system, they can, in a detailed, organized manner, go through your data,” Mr. Montgomery says.
The supply chain aspect of the attack multiplies this negative effect many times over. SolarWinds has some 18,000 customers, public and private. The firm’s malware infection shows the dangers inherent in the government’s use of third-party suppliers for information technology, says Erica Borghard, a senior fellow at the Atlantic Council.
It’s not as if SolarWinds was a cookie jar with a loose lid, says Ms. Borghard. It was simply a cookie jar with an enormous amount of tempting cookies inside.
“This is really an intelligence failure at scale,” she says.
“Virtually a declaration of war”
Some U.S. elected officials have used bellicose language to respond to the SolarWinds attack. This tendency has been bipartisan: As noted, Senator Romney, a Republican, called it an “invasion.” Democratic Sen. Dick Durbin of Illinois called it “virtually a declaration of war.”
Incoming White House Chief of Staff Ron Klain said the Biden administration would respond aggressively to “an attack like this.” On CBS’s “Face the Nation” last Sunday Mr. Klain said: “I want to be very clear, it’s not just sanctions. It’s also steps and things we could do to degrade the capacity of foreign actors to repeat this sort of attack, or [we’ll face] even more dangerous attacks.”
But talking about the SolarWinds episode in military terms, or equating cybersecurity with “deterrence” in a military sense, may be a misleading way of discussing hacker intrusions and other aspects of a shadowy competition between nations waged entirely with keyboards and bits and bytes.
The operation may simply demonstrate the developing nature of great power competition in the information technology age, where rivals use hacker teams to conduct traditional espionage missions and limited operations meant to disrupt and degrade, according to a Lawfare analysis co-written by Dr. Benjamin Jensen, professor of strategic studies at Marine Corps University.
“Though media reports often characterize cyber operations as attacks, many operations are better thought of as instruments of political warfare and weak forms of coercion that do not seek destruction,” Dr. Jensen and his co-authors write.
In addition, the rest of the world may regard the U.S. as the largest and most aggressive actor in cyberspace. The U.S. government hacks foreign counterparts on a huge scale every day, notes Jack Goldsmith, a Harvard Law School professor and former Defense Department attorney under President George W. Bush, in The Dispatch.
Some of this presence reflects the Trump administration’s “Defend Forward” policy for U.S. Cyber Command, which involves maintaining a persistent presence within foreign networks from which to confront adversaries when they launch attacks.
Defend Forward may have headed off Russian interference in the 2018 and 2020 elections, but it did nothing to help detect or block the SolarWinds attack, writes Mr. Goldsmith. The new hack in fact may be a tit-for-tat Russian deterrent response to what Moscow deems as American cyber interference.
“It is hard to know where we are in the retaliatory cycle, but it is pretty clear that the United States has more to lose from escalating retaliation,” writes Professor Goldsmith.
A three-pronged response
The first priority of the U.S. should be to secure existing hacked systems, which by itself could be a hugely expensive and difficult endeavor, says the Atlantic Council’s Ms. Borghard.
As they do that, cybersecurity defenders need to try and understand what the Russians were really up to with the attack. Was it a response to the U.S., or the beginning of a larger and more nefarious endeavor?
“I hope that this incident could be a kind of watershed event to prompt us to rethink about the security of our federal government networks,” says Ms. Borghard.
The response could be three-pronged, according to Mr. Montgomery of the Foundation for the Defense of Democracies: traditional sanctions, such as the expulsion of diplomats; retaliation against the Russians in terms of a cyber response; and denial via improved cyber defense.
It is that last category in which the U.S. has made the least progress, he says. While financial institutions and tech firms and other obvious targets take cybersecurity seriously, many other companies make it a lower priority, particularly when budgets are tight. Government agencies face the same dynamic, says Mr. Montgomery.
Passing the Defense Authorization bill, which President Donald Trump has threatened to veto, would also help. It contains around 30 provisions that will help remedy U.S. cyber vulnerabilities, according to Mr. Montgomery.