Was it an epic cyber attack or an espionage operation?

US officials suspect that a Russian intelligence agency has carried out the most successful cyber infiltrations of the US government and corporate institutions in history.

It is described as an epic hack. But was it an attack?

This is a more complicated question than one might imagine and the way it is answered can dictate how the Biden administration responds.

For Microsoft President Brad Smith, the wording is clear: “This latest cyber attack is indeed an attack on the United States and its government and other critical institutions, including security firms,” he wrote in a blog post on Thursday, after it emerged that his own company had been breached by what US officials say is probably the Russian SVR, a rough equivalent of the CIA.

But for many current and former American officials, this is not the right way to look at it. By spying on dozens of corporations and government agencies, they say, the hackers accomplished an amazing and painful feat of espionage. But they note that it is just the kind of cyber espionage that the National Security Agency regularly attempts against Russia, China and any number of foreign opponents.

It could be an attack if the intruders destroyed data, for example, or used their access to cause damage in the physical world, such as by shutting down power grids. But penetrating unclassified government and corporate networks? Reading other people’s emails? That is spying.

“I don’t think there is any kind of cyber attack in the definition of anyone working in this field,” said Gary Brown, a former Pentagon cyber official who is a professor of cyber law at the National Defense University.

“This is indeed a very successful espionage operation. It’s the kind of thing we’d love to do. And it’s kind of a wake-up call – we need to get better. The Russians are much better at this than I knew.”

Jamil Jaffer, a former senior adviser to the House Information Committee and vice president of IronNet Security, noted that “we have no evidence yet that any information has been deleted, destroyed, manipulated or altered, which leads me to believe that this is an information collection operation.”

It is alarming, but not surprising, for example, that the Department of Energy’s National Nuclear Safety Administration was among the agencies breached – its unclassified business networks were penetrated, according to the agency.

“If we could access Russia’s or China’s nuclear programs and information, we would do so,” he said.

U.S. officials should be careful how they describe the incident, said a senior congressional official who oversees the intelligence services. It is different from what North Korea is said to have done to Sony Pictures in 2014, breaking into its networks, destroying data and computers and making private emails public.

It is also different from the US and Israeli operation known as Stuxnet, which a decade ago used a cyber attack to damage Iran’s nuclear centrifuges. It was clearly a cyber attack.

Russia’s latest cyber intrusion is more like China’s hacking of the Office of Personnel Management (OPM), which gave the Chinese access to millions of sensitive personnel records.

After that incident, then-National Intelligence Director James Clapper said, “You have to salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we would hesitate for a minute.”

“Obviously, if someone enters your systems and starts destroying things, as happened with Sony, well, this is an attack,” the official said.

“But in the case of OPM, when hackers enter and filter out piles of data, although this is not welcome, it is not necessarily at the same stage as the offensive action. We have to be careful here, because the United States should also lead cyber espionage, so if we sit around and label as ‘attacks’ things that would normally fall into the bucket of espionage and intelligence, we risk reaping what we have sown.”

He added: “We are now shaking hands with what others are doing to us, without much public visibility in what we are doing to others.”

In fact, American officials have been careful in their language. Top senators on the Armed Services Committee, Republican James Inhofe and Democrat Jack Reed, issued a joint statement calling what happened a “significant and sophisticated cyber intrusion” – not an attack.

Likewise, Mark Warner, a Democrat on the Senate intelligence committee, called it a “devastating violation,” a “malicious effort,” and an intrusion.

“International law on cyber operations is not well developed, but for something to be considered an attack, it must involve force or the use of force,” said James Lewis, a former State Department official now at the Center for Strategic and International Studies.

There is still much to understand about exactly what the intruders did with nine months of unrestricted access to government and corporate networks. They may have done things that would be considered more than mere espionage, said a Western intelligence official who asked not to be named in order to discuss a sensitive issue.

If they only took data, that would be one thing, he said, but planting “cyber bombs” that could cause physical destruction if detonated would at least be positioning for an attack.

Then again, he and others noted, this would not be much different from what Russian officials have already done by positioning cyber weapons on parts of the U.S. power grid or by stationing nuclear-armed submarines off the US coast.

The Russian SVR, which is believed to have carried out the hacks, has no history of manipulating or destroying data – it is an espionage outfit, the congressional official said.

But even if this remains only a Russian espionage success, it has shown, experts say, that the Russians do not feel that they will pay a price for such a brazen operation. President Trump has not said anything about the issue, but President-elect Joe Biden has promised to respond.

In doing so, he used the exact language that some intelligence officials said went too far, raising expectations for a more robust response than he might eventually be prepared to offer.

“A good defense is not enough; we must stop and discourage our opponents from carrying out significant cyber attacks in the first place,” Biden said in a statement. “I will not stand idly by in the face of cyber attacks on our nation.”
