Hackers infiltrated SolarWinds, a software company based in Austin, Texas. When SolarWinds’ customers — which include government agencies and more than 400 of the top Fortune 500 companies — downloaded new versions of the targeted software, hackers gained access to internal networks and email accounts. It’s an embarrassment that US cyberdefenses did not detect the cyberattack for months — a cybersecurity company that was also a victim of the attack was the first to raise the alarm.
It’s still unclear whether they were able to take intellectual property, access sensitive information, monitor US government activities, or even disrupt US government operations. Even if hackers only gained access to unclassified data like email addresses, that still is a major security risk, since they can then use that information to conduct more sophisticated phishing campaigns. And plenty of information on unclassified US government servers is still considered sensitive. Just the ability to see what is happening on these government servers could provide our attackers with intelligence that can give them an advantage in diplomatic negotiations, for example.
Based on my own experiences, I know it takes time to declassify intelligence about these kinds of attacks. But given information from the private sector and declassification protocols, it seems Trump could call out Russia if he wanted to. The problem is, he likes to placate Putin. With Trump leaving office during an ongoing Russian attack on the US government, it’s now more clear than ever that he leaves behind a legacy of empowering Russia, rather than deterring it.
The likelihood that Trump will dance around the attribution issue is high, but whether or not he calls Russia out is a secondary point right now. I’m not holding my breath to see if Trump does the right thing — he’s leaving soon, and his track record shows that nothing he says about Russia is credible. What matters most is that his team is fully empowered to mitigate and investigate the attack and that they’re authorized to fully brief the incoming administration.
That’s why, at a minimum, this is a PR win for Putin. The fact that these hackers were more sophisticated than even the Department of Homeland Security bolsters the broader Russian mission to broadcast our weaknesses and undermine confidence in the United States and our institutions. It’s a perfectly tailored talking point for Russian influence operations.
It’s clear that this is going to be Biden’s problem, both in terms of cleaning up the mess and securing US government systems to make sure this doesn’t happen again. In the unlikely event that the current Administration chooses to launch retributive cyberattacks against Russia in the next few weeks, Biden may find himself in the middle of an escalating cyberwar when he assumes office.
That’s why it is important that Biden, Vice President-elect Kamala Harris, and appropriate members of their team get all of the same information Trump does on this attack. It is also critical that the transition team is updated on investigative and mitigation efforts within the federal government, not to mention any policy responses under consideration.
Biden’s team will have to reckon with what to do. The President-elect released a statement Thursday saying, his administration would “elevate cybersecurity as an imperative across the government … and expand our investment and the infrastructure and people we need to defend against malicious cyberattacks.” He went on to say it was necessary to deter adversaries from making these attacks and said, “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks.” This suggests a range of policy responses from sanctions to potentially more offensive cyberops against Russia.
Biden’s relationship with Putin was always going to be complicated. But, unlike President Trump, Biden will approach that relationship informed by actual intelligence and unhindered by any personal political needs. When it comes to cybersecurity, Biden will have to rely on his team of experts to improve the US’ defenses and come up with new ways to convince Putin that he needs to knock it off after Trump’s legacy of defending us from Russia has proved to be an utter failure.