Quick Thoughts on the Russia Hack

Published 14 December 2020


David Sanger, building on a Reuters story, reports in the New York Times that some country, probably Russia, “broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.” The breach appears to be much broader. “[N]ational security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material.” The Department of Homeland Security appears to be one of those agencies. Sanger says that the “intrusions have been underway for months,” and that “the hackers have had free rein for much of the year.” The original Reuters story on 13 December noted that people familiar with the hacks “feared the hacks uncovered so far may be the tip of the iceberg.” On the evening of 13 December, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive to all federal civilian agencies to review their networks for indicators of compromise.

Jack Goldsmith writes in Lawfare that this attack is the latest in a long string of other serious breaches of government networks by insiders and outsiders in the last decade—for example, the Office of Personnel Management in 2014-15, the White House, State Department, and Joint Chiefs email breach during those same years, the 2016 theft of CIA hacking tools, the Shadow Brokers theft of NSA tools in 2017, and Edward Snowden’s mammoth disclosures in 2013 and beyond. “These events constitute a stunning display of the U.S. government’s porous defenses of sensitive government networks and databases,” he writes, adding that

The U.S. approach to preventing these breaches appears to involve five elements: (1) tighten insider controls, (2) thicken defenses, (3) indict (but very rarely prosecute) responsible individuals, (4) impose sanctions on the responsible countries and (5) live in adversary networks to monitor and interrupt actions against the United States before they begin—the so-called “Defend Forward” strategy. The United States is probably retaliating for some of these breaches, but there is little information on that in the public record.

On the whole, these elements have failed to stop, prevent or deter high-level breaches. Of course, we do not know what we don’t know, both about unreported or undetected breaches and about successful interruption of attempted breaches. Nor does the public know anything about how the costs of these breaches compare to the huge benefits, on the whole, of the digitalization of government information. But the public record is not a happy one for the U.S. government across the last few administrations.

Goldsmith says that this latest Russian breach of U.S. cybersecurity defenses raises three questions:

First, is “Defend Forward” all it’s built up to be? Cyber Command has been touting its successes in, for example, preventing interference in the 2018 and 2020 elections. But the strategy did not prevent the Russia breach.

Second, is what the Russians did to U.S. government networks different from what the National Security Agency does on a daily basis? Government-to-government electronic espionage and data theft, including on this scale, is almost certainly commonplace.

Third, knowledge of what the U.S. government is doing in this realm is necessary to assess, among other things, whether the current posture of U.S. activity in foreign networks is optimal. One important question is: does the United States gain more from living in adversary networks than adversaries gain from living in American networks? If not, might the United States pull back on some of its digital activities abroad in exchange for relief from the pain caused by our adversaries’ activities in our digital networks?