Democrats spent the four years of the Trump administration talking tough on Russia, and now with President Joe Biden in the White House, they face an immediate challenge: addressing one of the worst hacking campaigns in U.S. history.
Biden faces two main problems: how to punish Russia, if at all; and how to fully kick its hackers out of U.S. networks, a process that experts say will take months at least.
Democrats who watched Donald Trump as president consistently defer to Russian President Vladimir Putin are eager to take a stronger stance.
“You had this constant reluctance in the last White House to never call out Russia,” Sen. Mark Warner, D-Va., the incoming chairman of the Senate Intelligence Committee, told NBC News. “The intelligence community’s attribution was very, very, very good,” he said, speaking of tying that hacking campaign to the Kremlin.
But that's the easy part. The SolarWinds hack — named for the Texas software company that Russia hacked in order to gain access to tens of thousands of its customers, many of them American businesses and federal agencies — ran undetected for at least nine months, siphoning off private information before it was discovered in December.
At least five federal agencies have admitted they were affected. Several others have so far refused to comment. Few private companies have admitted to being victims, but experts say the working assumption is the number is in the hundreds.
That's left cybersecurity experts with the labor-intensive task of combing through sensitive networks.
Matthew Travis, the deputy director of the Cybersecurity and Infrastructure Security Agency, or CISA, until he resigned under pressure in November after Trump fired his boss, Chris Krebs, via a tweet, said that while his former agency is working around the clock to help fix hacked government systems, it’s both underresourced and ill-served by the sprawling bureaucracy of federal government computers.
“Just doing the forensics is a heavy lift,” he said in a phone call, noting that the damage at some agencies may be bad enough to require throwing out equipment and rebuilding from scratch. “CISA’s not resourced to do remediation and reconstitution of federal networks,” he said.
The Biden administration also faces a difficult question in what to do about the hack. Trump’s White House finally formally blamed Russia in the beginning of January, long after individual government officials told reporters that U.S. intelligence had reached that conclusion. But the U.S. never publicly retaliated for or condemned the hack, and Trump downplayed the severity of the hack on Twitter and chose to raise “the possibility that it may be China.”
How Biden chooses to respond has ramifications well beyond the SolarWinds hack. It presents a tight balancing act for how the U.S. can continue to claim moral authority in cyberspace while making sure its rivals fear repercussions.
Biden has called the hack an "attack" — an important designation in the cybersecurity world, where a certain level of digital espionage is considered fair game. He also said he would be “taking meaningful steps to hold them to account," though just what those steps will be are unclear. In the Biden administration’s first two news conferences, White House press secretary Jen Psaki stressed that dealing with the SolarWinds hack was a priority, but that it’s still early in the administration.
“We reserve the right to respond at a time and in a manner of our choosing to any cyberattack. But our team is, of course, just getting on the ground today, they're just getting onto their computers,” she said Wednesday.
Historically, the U.S. has called out a variety of government hacking campaigns when it wants to put guardrails on how other countries act in cyberspace. But it’s avoided significant public retaliations like sanctions when it’s victimized by espionage campaigns, as the country’s own intelligence agencies, particularly the National Security Agency, engage in that kind of behavior.
When China hacked the U.S. Office of Management and Budget, essentially the human resources department for the entire federal government, during President Barack Obama’s second term, the U.S. didn’t publicly retaliate or even stress Beijing’s guilt.
Michael Daniel, Obama’s cybersecurity czar at the time, said in a phone interview that “you have to be judicious in how you respond to espionage activities.”
“Because we do engage in using cyber-capabilities to conduct espionage, how much retaliation do we want to take?” he said.
While some of Biden’s team work on an appropriate response to Russia, an enormous number of computer specialists are continuing their work of rooting the hackers out of the government networks they broke into. The Commerce, Energy, Justice, Labor and Treasury departments have all admitted to falling victim to the campaign.
While cybersecurity experts quickly figured out some of the basics, like to check if anyone connected to a given network downloaded poisoned versions of SolarWinds software, the hackers also built backdoors if they hacked a victim they thought was worth their time. Those backdoors take time to find.
Lesley Carhart, a principal threat analyst at the cybersecurity company Dragos, which has been working to help utility companies deal with the aftermath of the SolarWinds hack, said that the further the hackers have gotten into a given victim’s networks, the more work it takes to make sure they’re fully kicked out.
“We’re going to keep finding out new things that this adversary did,” she said. “They had access to a lot of environments they didn’t do anything with, based on what we’re seeing right now, and that makes sense because no adversary group has the resources to compromise that many environments simultaneously in a sophisticated way. But we’re going to be figuring out how they spiderwebbed into targets they were interested in for a long time.”