Pompeo on cyberattack against US government: Fairly clear that Russia was behind activity
All fingers are pointing to Russia as the source of .
Speaking with Mark Levin of Fox News, Secretary of State Mike Pompeo said that "now we can say pretty clearly that it was the Russians that engaged in this activity," noting the "significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems and it now appears systems of private companies and companies and governments across the world as well."
U.S. government statements had previously not mentioned Russia.
The hack compromised federal agencies and 鈥渃ritical infrastructure鈥� in a sophisticated attack that was hard to detect and will be difficult to undo, the Cybersecurity and Infrastructure Security Agency said in an unusual warning message Thursday. The Department of Energy acknowledged it was among those that had been hacked.
Democratic Sens. Dick Durbin and Richard Blumenthal, who were briefed Tuesday on the hacking campaign in a classified Armed Services Committee session, were unequivocal in blaming Russia.
There are other signs within the administration of a clear-eyed recognition of the severity of the attack, which happened after elite cyber spies injected malicious code into the software of a company that provides network services. For instance, the civilian cybersecurity agency warned in an advisory Thursday that the hack posed a 鈥済rave risk" to government and private networks.
But President Donald Trump, long wary of blaming Moscow for cyberattacks, has been silent.
The lack of any statement seeking to hold Russia responsible casts doubt on the likelihood of a swift response and suggests any retaliation 鈥� whether through sanctions, criminal charges or cyber actions 鈥� will be left in the hands of President-elect Joe Biden鈥檚 administration.
Video: Dem lawmakers call hacking briefing 'incomplete'
鈥淚 would imagine that the incoming administration wants a menu of what the options are and then is going to choose,鈥� said Sarah Mendelson, a Carnegie Mellon University public policy professor and former U.S. ambassador to the U.N.鈥檚 Economic and Social Council. 鈥淚s there a graduated assault? Is there an all-out assault? How much out of the gate do you want to do?鈥�
To be sure, it's not uncommon for administrations to refrain from leveling public accusations of blame for hacks until they've accumulated enough evidence. Here, U.S. officials say they only recently became aware of devastating breaches at multiple government agencies in which foreign intelligence agents rooted around undetected for as much as nine months.
But Trump's response, or lack thereof, is being closely watched because of his preoccupation with a fruitless effort to overturn the results of last month's election and because of his reluctance to consistently acknowledge that Russian hackers interfered in the 2016 presidential election in his favor.
Exactly what action Biden might take is unclear, or how his response might be shaped by criticism that the Obama administration did not act aggressively enough to thwart interference in 2016. He offered clues in a statement Thursday, saying his administration would be proactive in preventing cyberattacks and impose costs on any adversaries behind them.
It took weeks after the incidents became public for the Obama administration to blame North Korea in the Sony Pictures Entertainment hack in 2014 and for then-national intelligence director James Clapper to confirm China as the 鈥渓eading suspect鈥� in hacks of the Office of Personnel Management.
Public naming-and-shaming is always part of the playbook. Trump's former homeland security adviser Thomas Bossert wrote this week in a that 鈥渢he United States, and ideally its allies, must publicly and formally attribute responsibility for these hacks.鈥�
Another possibility is a federal indictment, assuming investigators can accumulate enough evidence to implicate individual hackers. Such cases are labor-intensive and often take years, and though they may carry slim chances of courtroom prosecution, the Justice Department regards them as having powerful deterrent effects.
Sanctions, a time-honored punishment, can have even more bite and will almost certainly be weighed by Biden. President Barack Obama after the 2016 election interference and expelled Russian diplomats. The Trump administration and Western allies over Moscow's alleged poisoning of an ex-intelligence officer in Britain.
Exposing Kremlin corruption, including how Russian President Vladimir Putin accrues and hides his wealth, may amount to even more formidable retaliation.
鈥淭his isn't just a tit-for-tat or hacking back into their systems,鈥� Mendelson said. 鈥淚t's, 鈥榃e鈥檙e going to go for what you really care about, and what you really care about is the funds that are stashed, and revealing the larger network and how it鈥檚 connected to the Kremlin.鈥欌�
The U.S. can also retaliate in cyberspace, a path made easier by a Trump administration authorization that has already resulted in some operations.
Former national security adviser John Bolton told reporters at a 2018 briefing that offensive cyber operations against foreign rivals would now be part of the U.S. arsenal and that the U.S. response would no longer be primarily defensive.
鈥淲e can totally melt down their home networks,鈥� said Jason Healey, a Columbia University cyberconflict scholar. 鈥淎nd any time we see their operators popping up they know that we are going to go after them, wherever they are.鈥�
U.S. Cyber Command has also taken more proactive measures, engaging in what officials describe as 鈥渉unt forward鈥� operations designed to detect cyber threats in other countries before they reach their intended target.
Military cyber fighters, for instance, before the U.S. presidential election in a joint operation aimed at identifying and defending against threats from Russia.
While the U.S. is also prolific in its offensive cyberintelligence-gathering 鈥� tapping allied foreign leaders鈥� phones and inserting spyware into commercial routers, for instance 鈥� such efforts are measured compared with the infection of 18,000 government and private-sector organizations in the SolarWinds hack, Healey said.
The better response 鈥� since espionage itself is not a crime 鈥� is to triple down on defensive cybersecurity, Healey said.
David Simon, a cybersecurity expert and former Defense Department special counsel, said there must be consequences for those responsible for attacks 鈥� and the Trump administration 鈥渉as fallen far short in holding the Kremlin accountable.鈥�
鈥淯ntil it鈥檚 clear the U.S. will impose meaningful costs on adversaries," he said in an email, 鈥渁 material change in the Kremlin鈥檚 behavior is not likely to be seen.鈥�