David Sanger, building on a Reuters story, reports in the New York Times that some country, probably Russia, “broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.” The breach appears to be much broader. “[N]ational security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material.” The Department of Homeland Security appears to be one of those agencies. Sanger says that the “intrusions have been underway for months” and that “the hackers have had free rein for much of the year.” The original Reuters story on Dec. 13 noted that people familiar with the hacks “feared the hacks uncovered so far may be the tip of the iceberg.” On the evening of Dec. 13, the Cybersecurity and Infrastructure Security Agency issued an Emergency Directive to all federal civilian agencies to review their networks for indicators of compromise.
This attack is the latest in a long string of other serious breaches of government networks by insiders and outsiders in the past decade—for example, the Office of Personnel Management (OPM) in 2014-2015; the White House, State Department, and Joint Chiefs email breach during those same years; the 2016 theft of CIA hacking tools; the Shadow Brokers theft of National Security Agency tools in 2017; and Edward Snowden’s mammoth disclosures in 2013 and beyond. These events constitute a stunning display of the U.S. government’s porous defenses of sensitive government networks and databases.
The U.S. approach to preventing these breaches appears to involve five elements: (a) tighten insider controls, (b) thicken defenses, (c) indict (but very rarely prosecute) responsible individuals, (d) impose sanctions on the responsible countries and (e) live in adversary networks to monitor and interrupt actions against the United States before they begin—the so-called “defend forward” strategy. The United States is probably retaliating for some of these breaches, but there is little information on that in the public record.
On the whole, these elements have failed to stop, prevent or deter high-level breaches. Of course, we do not know what we don’t know, both about unreported or undetected breaches and about successful interruption of attempted breaches. Nor does the public know anything about how the costs of these breaches compare to the huge benefits, on the whole, of the digitalization of government information. But the public record is not a happy one for the U.S. government across the past few administrations.
For me, the Russia breach raises three questions.
First, is “defend forward” all it’s built up to be? Cyber Command has been touting its successes in, for example, preventing interference in the 2018 and 2020 elections. But the strategy did not prevent the Russia breach. As Sanger notes, “while the government was worried about Russian intervention in the 2020 election, key agencies working for the administration—and unrelated to the election—were actually the subject of a sophisticated attack that they were unaware of until recent weeks.” I have always wondered how Cyber Command could possibly possess the intelligence resources and cyber tools to monitor, detect and prevent all possible major cyber threats. It will be interesting to see what the Commander of Cyber Command, Gen. Paul Nakasone, who has not been shy about the value and power of defend forward, says about how the strategy worked here, whether and why it failed, and what those answers imply about the value of defend forward overall.
Second, is what the Russians did to U.S. government networks different from what the National Security Agency does on a daily basis? Government-to-government electronic espionage and data theft, including on this scale, is almost certainly commonplace. As then-Director of National Intelligence James Clapper said after the OPM breach: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute” (emphasis added). It is important to keep this in mind when assessing the Russian operation. The public in the United States receives asymmetric information both about the cyber exploitations of our adversaries (Americans hear loads more about adversary activity than U.S. government activity abroad) and about breaches (Americans hear loads more about adversary breaches of U.S. systems than U.S. breaches in adversary systems).
Third, knowledge of what the U.S. government is doing in this realm is necessary to assess, among other things, whether the current posture of U.S. activity in foreign networks is optimal. One important question is: Does the United States gain more from living in adversary networks than adversaries gain from living in American networks? If not, might the United States pull back on some of its digital activities abroad in exchange for relief from the pain caused by our adversaries’ activities in our digital networks? I have suggested before that cooperation (in the sense of mutual restraint) may be the least bad approach to defending our networks, since the other approaches don’t seem to be working very well. There would be many challenges, of course, including clarity on what counts as cooperation—that is, what precisely will each side not do—and verification. But these challenges do not seem to me insurmountable in theory and are worth at least exploring. And yet U.S. government officials never publicly discuss restraint as a possible strategy.