Editor’s Note: Samantha Vinograd is a CNN national security analyst. She is a senior adviser at the University of Delaware’s Biden Institute, which is not affiliated with the Biden campaign. Vinograd served on President Barack Obama’s National Security Council from 2009 to 2013 and at the Treasury Department under President George W. Bush. Follow her @sam_vinograd. The views expressed in this commentary are her own.
President Donald Trump is leaving Joe Biden with a mess. With just weeks to go before the President-elect enters office, Trump administration officials revealed that several federal agencies, including the State Department, the Department of Homeland Security and parts of the Pentagon, have been compromised in what could be one of the largest cyberattacks in US history.
Hackers infiltrated SolarWinds, a software company based in Austin, Texas. When SolarWinds’ customers – which include government agencies and more than 400 of the top Fortune 500 companies – downloaded new versions of the targeted software, hackers gained access to internal networks and email accounts. It’s an embarrassment that US cyberdefenses did not detect the cyberattack for months – a cybersecurity company that was also a victim of the attack was the first to raise the alarm.
While we still don’t know the scale, scope, and impact of this attack, the US Cybersecurity and Infrastructure Security Agency said on Thursday that the attack poses a “grave risk” to all levels of government, critical infrastructure, and parts of the private sector. Because the attack – which started as early as March 2020 – is still ongoing, one of the primary objectives for the US government right now is to stop it. (The DHS ordered federal civilian executive branch departments and agencies to disconnect affected devices, but that’s just the tip of the iceberg, since the government does not yet know who was compromised). Each day, we’re learning about more affected US government entities. Putting an end to the attack and containing the damage is critical, but that’s only one piece of the puzzle.
It’s impossible to do full damage control without knowing the extent of the damage – and identifying who and what was compromised will take some time. SolarWinds may not have been the only access point, according to CISA, and intelligence analysts are still trying to map out what Russian hackers were able to glean from this attack.
It’s still unclear whether they were able to take intellectual property, access sensitive information, monitor US government activities, or even disrupt US government operations. Even if hackers only gained access to unclassified data like email addresses, that still is a major security risk, since they can then use that information to conduct more sophisticated phishing campaigns. And plenty of information on unclassified US government servers is still considered sensitive. Just the ability to see what is happening on these government servers could provide our attackers with intelligence that can give them an advantage in diplomatic negotiations, for example.
The fact that this attack can be traced back to March and that as many as 18,000 entities may have been affected makes the “magnitude of this ongoing attack hard to overstate,” according to Trump’s former homeland security adviser Tom Bossert. This investigation will span months, at a minimum, and it will be handed to President-elect Biden the moment he enters office.
An easier task at hand is attribution. Only a handful of nation-state actors have the ability to carry out a hack of this sophistication, and US officials and cybersecurity experts have identified specific indicators that point to the group APT29, or Cozy Bear, which has deep ties to Russian intelligence. Cozy Bear is a familiar name to anyone who has been tracking cybersecurity issues in recent years – the same group recently tried to steal coronavirus vaccine research this summer. It was also suspected of breaching the Democratic National Committee in 2016 and successfully hacked the State Department and White House email servers during the Obama Administration. If news of this latest hack feels like a macabre “Groundhog Day” moment, it’s because we’ve been here before.
Yet, despite all the evidence that suggests Russia was responsible, we still haven’t heard a peep from POTUS. Instead, White House press secretary Kayleigh McEnany gave a general response to a question about the attack, saying the US government is aware of the reports and “taking all necessary steps to identify and remedy any possible issues.” Secretary of State Mike Pompeo acknowledged that the attack was consistent with Russian efforts to breach American servers but refused to directly point the finger at Russian President Vladimir Putin.
Based on my own experiences, I know it takes time to declassify intelligence about these kinds of attacks. But given information from the private sector and declassification protocols, it seems Trump could call out Russia if he wanted to. The problem is, he likes to placate Putin. With Trump leaving office during an ongoing Russian attack on the US government, it’s now more clear than ever that he leaves behind a legacy of empowering Russia, rather than deterring it.
The likelihood that Trump will dance around the attribution issue is high, but whether or not he calls Russia out is a secondary point right now. I’m not holding my breath to see if Trump does the right thing – he’s leaving soon, and his track record shows that nothing he says about Russia is credible. What matters most is that his team is fully empowered to mitigate and investigate the attack and that they’re authorized to fully brief the incoming administration.
The US has stepped up offensive cyberoperations against Russian targets in the last year as a warning to Putin, but Russia has simply responded by escalating its attacks against the United States. While the US government was successful in defending the 2020 election from cyberattacks, the billions of dollars it spent on cybersecurity systems and new, cyberoffensive capabilities were not enough to avert (or detect) the latest breach.
That’s why, at a minimum, this is a PR win for Putin. The fact that these hackers were more sophisticated than even the Department of Homeland Security bolsters the broader Russian mission to broadcast our weaknesses and undermine confidence in the United States and our institutions. It’s a perfectly tailored talking point for Russian influence operations.
We shouldn’t expect much from Trump on this. After Russia supported him in the 2016 election, he’s avoided upsetting or confronting Putin, even on life and death issues like Russia putting bounties on US soldiers. In 2017, Trump even went so far as to tweet that he would form “an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded.”
It’s clear that this is going to be Biden’s problem, both in terms of cleaning up the mess and securing US government systems to make sure this doesn’t happen again. In the unlikely event that the current Administration chooses to launch retributive cyberattacks against Russia in the next few weeks, Biden may find himself in the middle of an escalating cyberwar when he assumes office.
That’s why it is important that Biden, Vice President-elect Kamala Harris, and appropriate members of their team get all of the same information Trump does on this attack. It is also critical that the transition team is updated on investigative and mitigation efforts within the federal government, not to mention any policy responses under consideration.
Biden’s team will have to reckon with what to do. The President-elect released a statement Thursday saying his administration would “elevate cybersecurity as an imperative across the government … and expand our investment and the infrastructure and people we need to defend against malicious cyberattacks.” He went on to say it was necessary to deter adversaries from making these attacks and said, “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks.” This suggests a range of policy responses from sanctions to potentially more offensive cyberops against Russia.
Biden will also likely have a new, internal cybersecurity structure to work with. If the National Defense Authorization Act goes into effect, there will be a new cybersecurity czar in the federal government along with new authorizations affecting cybersecurity. Clearly, there will also have to be a review of how and why our cyberdefenses failed us across the board.
Biden’s relationship with Putin was always going to be complicated. But, unlike President Trump, Biden will approach that relationship informed by actual intelligence and unhindered by any personal political needs. When it comes to cybersecurity, Biden will have to rely on his team of experts to improve the US’ defenses and come up with new ways to convince Putin that he needs to knock it off after Trump’s legacy of defending us from Russia has proved to be an utter failure.