海角大神

After massive cyberattack, US hopes to ensure next time isn’t worse

Photo illustration by Kacper Pempel/Reuters/File
The goals of cyberattacks include spying — an apparent motive behind major intrusions this year into U.S. government and corporate data systems.

The cyberattack appears to be one of the worst in U.S. history. Hackers — likely linked to Russian intelligence — last spring broke into computer networks at a half-dozen or so American government agencies and hundreds of private companies via clever malware that carves secret “back doors” into systems, according to elected officials and private cybersecurity firms.

and others have described the hack as an “invasion” that went on for months and likely resulted in the loss of crucial security and corporate secrets.

But it could have been even worse than it was, say some computer experts. The alleged Russian intruders were in essence spies who apparently were looking for, and then exfiltrating, data. This was espionage, something virtually all nations engage in — even, and perhaps especially, the United States.

Why We Wrote This

Experts say the intrusions into government agencies and businesses have been alarming, but could have done far more damage. Lessons learned could prove critical in fending off future attacks.

The attack does not appear to have resulted in physical damage or personal injury, shut down an electricity grid, or frozen the nation’s financial transactions. In that sense it was under international law, however reckless and compromising it might have been.

What it should be, say experts, is a wake-up call. Common hacker targets such as the Pentagon and big banks are aware of cyber danger and generally fund defenses accordingly. But smaller agencies and many private companies may still not give it the attention and dollars it deserves, particularly when budgets are tight. The U.S. needs to invest more in cybersecurity across the whole spectrum of government and industry, says Mark Montgomery, senior fellow at the Foundation for the Defense of Democracies.

“We’d be very fortunate if this is what gets us on the right track,” says Mr. Montgomery, who served as policy director of the Senate Armed Services Committee under the late Republican Sen. John McCain.

A supply chain attack

The nature of this latest intrusion into U.S. computer systems is what made it so worrisome to government cybersecurity officials. It was what they call a “supply chain attack,” meaning it affected a popular software product made by the U.S. firm SolarWinds that monitors the networks of many government entities and businesses.

Hackers slipped malicious code into updates to SolarWinds products. When downloaded, the corrupted code opened access to the infected computers so the attackers could steal information. It wasn’t discovered until the private cybersecurity firm FireEye noticed it had been hacked and went public with the information.

Microsoft, which has helped to try and limit the breach, announced last week that it has identified at least 40 government agencies, nongovernmental organizations, and big information technology firms that have been affected. The Treasury Department, for instance, has had multiple systems compromised, including computers used by its highest-ranking officials, .

Tech giants Cisco Systems, Intel Corp., and Belkin International are .

Even if these systems contained only unclassified information — as so far seems to be the case — the aggregate data collected can give the assailant a classified-level understanding of some government efforts, according to Mr. Montgomery. Data can hint toward future policy and regulatory decisions.

Data from the private sector can expose closely held research-and-development information, plans for the future, and system vulnerabilities that might lead to more hacks.

“If an adversary can get inside your system undetected and then wipe away his fingerprints of entry and then establish a new method for transferring the information in and out of your system, they can, in a detailed, organized manner, go through your data,” Mr. Montgomery says.

The supply chain aspect of the attack multiplies this negative effect many times over. SolarWinds has some 18,000 customers, public and private. The firm’s malware infection shows the dangers inherent in the government’s use of third-party suppliers for information technology, says Erica Borghard, a senior fellow at the Atlantic Council.

It’s not as if SolarWinds was a cookie jar with a loose lid, says Ms. Borghard. It was simply a cookie jar with an enormous amount of tempting cookies inside.

“This is really an intelligence failure at scale,” she says.

“Virtually a declaration of war”

Some U.S. elected officials have used bellicose language to respond to the SolarWinds attack. This tendency has been bipartisan: As noted, Senator Romney, a Republican, called it an “invasion.” Democratic Sen. Dick Durbin of Illinois called it “virtually a declaration of war.”

Incoming White House Chief of Staff Ron Klain said the Biden administration would respond aggressively to “an attack like this.” On CBS’s “Face the Nation” last Sunday : “I want to be very clear, it’s not just sanctions. It’s also steps and things we could do to degrade the capacity of foreign actors to repeat this sort of attack, or [we’ll face] even more dangerous attacks.”

But talking about the SolarWinds episode in military terms, or equating cybersecurity with “deterrence” in a military sense, may be a misleading way of discussing hacker intrusions and other aspects of a shadowy competition between nations waged entirely with keyboards and bits and bytes.

The operation may simply demonstrate the developing nature of great power competition in the information technology age, where rivals use hacker teams to conduct traditional espionage missions and limited operations meant to disrupt and degrade, co-written by Dr. Benjamin Jensen, professor of strategic studies at Marine Corps University.

“Though media reports often characterize cyber operations as attacks, many operations are better thought of as instruments of political warfare and weak forms of coercion that do not seek destruction,” Dr. Jensen and his co-authors write.

In addition, the rest of the world may regard the U.S. as the largest and most aggressive actor in cyberspace. The U.S. government hacks foreign counterparts on a huge scale every day, , a Harvard Law School professor and former Defense Department attorney under President George W. Bush, in The Dispatch.

Some of this presence reflects the Trump administration’s “Defend Forward” policy for U.S. Cyber Command, which involves maintaining a persistent presence within foreign networks from which to confront adversaries when they launch attacks.

Defend Forward may have headed off Russian interference in the 2018 and 2020 elections, but it did nothing to help detect or block the SolarWinds attack, writes Mr. Goldsmith. The new hack in fact may be a tit-for-tat Russian deterrent response to what Moscow deems as American cyber interference.

“It is hard to know where we are in the retaliatory cycle, but it is pretty clear that the United States has more to lose from escalating retaliation,” writes Professor Goldsmith.

A three-pronged response

The first priority of the U.S. should be to secure existing hacked systems, which by itself could be a hugely expensive and difficult endeavor, says the Atlantic Council’s Ms. Borghard.

As they do that, cybersecurity defenders need to try and understand what the Russians were really up to with the attack. Was it a response to the U.S., or the beginning of a larger and more nefarious endeavor?

“I hope that this incident could be a kind of watershed event to prompt us to rethink about the security of our federal government networks,” says Ms. Borghard.

The response could be three-pronged, according to Mr. Montgomery of the Foundation for the Defense of Democracies: traditional sanctions, such as the expulsion of diplomats; retaliation against the Russians in terms of a cyber response; and denial via improved cyber defense.

It is that last category in which the U.S. has made the least progress, he says. While financial institutions and tech firms and other obvious targets take cybersecurity seriously, many other companies make it a lower priority, particularly when budgets are tight. Government agencies face the same dynamic, says Mr. Montgomery.

Passing the Defense Authorization bill, which President Donald Trump has threatened to veto, would also help. It contains around 30 provisions that will help remedy U.S. cyber vulnerabilities, according to Mr. Montgomery.
