American officials suspect a Russian spy agency has carried out what may be the most successful cyber infiltrations of U.S. government and corporate institutions in history.
It’s being described as an epic hack. But was it an attack?
That’s a more complicated question than might be imagined, and how it is answered may dictate how the incoming Biden administration responds.
For Microsoft president Brad Smith, the formulation is clear: “This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms,” he wrote in a blog post Thursday, after it emerged his own company was breached by what U.S. officials say was likely the Russian SVR, a rough equivalent to the CIA.
But for many current and former American officials, that’s not the right way to look at it. By hacking into dozens of corporations and government agencies, they say, the hackers have pulled off a stunning and distressing feat of espionage. But they note that it’s just the sort of cyber spying that the American National Security Agency attempts on a regular basis against Russia, China and any number of foreign adversaries.
It might constitute an attack if the intruders destroyed data, for example, or used their access to do damage in the physical world, say, by shutting down power grids. But breaking into unclassified government and corporate networks? Reading other people’s emails? That’s spying.
“I don’t think under anybody’s definition who works in this field is this any kind of cyber attack,” said Gary Brown, a former Pentagon cyber official who is Professor of Cyber Law at National Defense University.
“This is really just a very successful espionage operation. It’s the kind of thing we would love to carry out. And it’s sort of a wake-up call – we have got to get better. The Russians are way better at this than we even knew about.”
Jamil Jaffer, former senior counsel to the House Intelligence Committee and a vice president at IronNet Security, noted that “we have no evidence yet that any information has been deleted, destroyed, manipulated or modified, leading me to believe that this is an intelligence collection operation.”
It’s alarming but not surprising, for example, that the Energy Department’s National Nuclear Security Administration was among those agencies breached—its unclassified business networks were hacked, according to the agency.
“If we could access Russia or China’s nuclear programs and information, we would,” he said.
American officials should be careful how they describe this incident, said one senior Congressional official who oversees intelligence. It is different from what North Korea is said to have done in 2014 to Sony Pictures: hacking into its networks, destroying data and computers, and making private emails public.
It’s also different from the U.S. and Israeli operation known as Stuxnet, which a decade ago used a cyber attack to damage Iranian nuclear centrifuges. That was clearly a cyber attack.
The latest suspected Russian cyber intrusion is more akin to China’s hack of the Office of Personnel Management (OPM), which gave the Chinese access to millions of sensitive personnel records.
After that incident, then-Director of National Intelligence James Clapper said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
“Obviously if somebody breaks into your systems and starts destroying stuff, as happened with Sony, well, that’s an attack,” the official said.
“But in the case of OPM, when hackers come in and exfiltrate reams of data, while that is not welcome, it’s not necessarily in the same ballpark as offensive action. We need to be careful here, because the United States should be conducting cyber espionage as well, so if we’re sitting around and labeling as ‘attacks’ stuff that would normally fall into the espionage and intelligence bucket, we risk reaping what we’ve sown.”
He added: “We are now wringing our hands over what other people are doing to us without a great visibility for the public into what we are doing to others.”
In fact, American officials have been careful in their language. The top senators on the armed services committee, Republican James Inhofe and Democrat Jack Reed, issued a joint statement calling what happened a “significant, sophisticated cyber intrusion,” not an attack.
Likewise, Mark Warner, the ranking Democrat on the Senate intelligence committee, called it a “devastating breach,” a “malign effort,” and an intrusion.
“International law on cyber operations is not well developed, but for something to be considered an attack, it must involve force or the use of force,” said James Lewis, a former State Department official now with the Center for Strategic and International Studies.
Much is yet to be understood about exactly what the intruders have done with nine months of unfettered access to government and corporate networks. It’s possible they have done things that would be considered more than simple espionage, said a Western intelligence official who would not be named discussing a sensitive matter.
If they just took data, that would be one thing, he said, but if they planted “cyber bombs” that could cause physical destruction if detonated, that would be at least positioning for attack.
Then again, he and others noted, that wouldn’t be much different from what officials say the Russians have already done by positioning cyber weapons on parts of the American power grid, or by stationing nuclear weapons-equipped submarines off the U.S. coast.
The Russian SVR, which is believed to have carried out the hacks, has no history of manipulating or destroying data – they are a spying outfit, the congressional official said.
But even if this remains merely a Russian espionage success, it has shown, experts say, that the Russians don’t feel they will pay a price for such a brazen operation. President Trump has said nothing about the matter, but President-elect Joe Biden has vowed to respond.
In doing so, he used the exact language that some intelligence officials said went too far, raising expectations for a more robust response than, in the end, he may be prepared to deliver.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said in a statement. “I will not stand idly by in the face of cyber assaults on our nation.”