Democrats and some Republicans raised the alarm Thursday about a massive and growing cybersecurity breach that many experts blame on Russia, with President-elect Joe Biden implicitly criticizing the Trump administration for allowing the hacking attack to occur.
“We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place,” Biden said in a statement. “Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.”
President Trump, by contrast, has said nothing about the hack affecting numerous federal agencies as well as U.S. companies. U.S. national security agencies are still assessing the scope and severity of the breach, which was discovered by a commercial firm.
The president’s silence about an organized attack on the U.S. government marks the latest example of his persistent reluctance to criticize Russia, which U.S. intelligence agencies have accused of interfering in the 2016 election to help Trump. Throughout his presidency, Trump has contradicted his own government’s findings about 2016 election hacking and disinformation efforts, and he has publicly accepted Russian President Vladimir Putin’s word that Moscow was blameless.
Sen. Mitt Romney (R-Utah), the GOP’s 2012 presidential nominee and a frequent Trump critic, assailed the administration’s handling of the attack.
“What I find most astonishing is that a cyberhack of this nature is really the modern equivalent of almost Russian bombers reportedly flying undetected over the entire country,” Romney said in an interview with SiriusXM Chief Washington Correspondent Olivier Knox. “So our national security is extraordinarily vulnerable. And in this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary.”
In his statement Thursday afternoon, Biden said he has instructed his team to learn as much about as possible about the breach and indicated the team is being briefed on the attack. He received a presidential daily briefing Thursday afternoon, according to his transition office.
Biden pledged that he will make cybersecurity more of a priority in his administration and declared that foes should know they will incur “substantial costs” for penetrating U.S. systems.
The president-elect did not pin blame on Russia, but his phrase “stand idly by” appeared to be a reference to Trump’s response to Russia’s sophisticated cyberspying.
The breach affected the Department of Homeland Security, the State, Treasury and Commerce departments and the National Institutes of Health, officials have said.
Ned Price, a Biden transition spokesman on national security issues, declined to answer more specific questions about Biden’s response to the hack. “We respect the principle of ‘one president at a time,’ ” he said.
In late July, Biden put out a statement on election security and specifically called out the Kremlin for its effort to interfere with democracy. The statement laid out potential responses, including “financial-sector sanctions, asset freezes, cyber responses, and the exposure of corruption” along with “other actions could also be taken, depending on the nature of the attack.”
Biden, who was then the presumptive Democratic nominee for president, added: “I will direct our response at a time and in a manner of our choosing.”
On Capitol Hill, the House and Senate Intelligence committees on Wednesday received the first of what are expected to be several briefings from intelligence officials, including representatives from the Office of the Director of National Intelligence, the National Security Agency, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Senior Democrats emerged from the briefings sounding a note of alarm.
“The seriousness and duration of this attack demonstrate that we still have enormous and urgent work to do to defend our critical information and networks,” Rep. Adam B. Schiff (D-Calif.), chairman of the House Intelligence Committee, said in a statement Wednesday night. “We must move quicker than our adversaries do to adapt.”
Most Republicans have been more cautious about expressing their concern.
“They’re still assessing this one,” Sen. John Cornyn (R-Tex.), a member of the Senate Intelligence Committee, told reporters, explaining that officials had not yet determined whether this hack rose to the level of a series of earlier attacks on the Office of Personnel Management database, which Cornyn called “the mother of all hacks.”
When asked whether Trump should be responding more forcefully, Cornyn said: “I don’t really care what he says, but I do care what he does.”
Cornyn added that “to get the Russians to stop,” the government would need to employ “equal and opposite reactions that cause them to pay a price.”
“Old fashioned deterrence,” Cornyn said. “Words mean nothing.”
“There is still much we don’t know about the massive cyberhack that breached U.S. cyberdefenses, including federal agencies and major private-sector companies.”
Sens. James M. Inhofe (R-Okla.) and Jack Reed (D-R.I.), chairman and senior Democrat of the Senate Armed Services Committee, said in a statement that “the cyber intrusion appears to be ongoing and has the hallmarks of a Russian intelligence operation. The U.S. government must do everything possible to counter it.”
Sen. James Lankford (R-Okla.) said the U.S. investigation is only beginning and suggested patience in waiting for Trump to respond.
“It’s early. It’s early for this kind of thing. Attribution is hard,” he said in an interview. “You’ve got to have it rock-solid before you respond.”
Outside the intelligence panels, the reaction to the hack has been relatively muted, as a last push to finalize legislation to address the pandemic consumed the attention of most lawmakers this week.
But other committees in both the House and Senate have announced they will be launching investigations.
In the GOP-led Senate, Finance Committee leaders Charles E. Grassley (R-Iowa) and Ron Wyden (D-Ore.) asked the commissioner of the Internal Revenue Service for an immediate briefing into whether taxpayer data had been caught up in the hack, noting that “the IRS appears to have been a customer of SolarWinds as recently as 2017.” SolarWinds is the Texas-based firm whose software was exploited in the hacking.
Sen. Richard Blumenthal (D-Conn.) said information U.S. investigators have amassed so far points squarely at Cozy Bear, a group considered part of Russian foreign intelligence.
“This massive cyberattack demands a massive response. Assess the damage, clean it up, secure systems, make the attacker pay a price, & more. So far, not a word from any responsible official. Right now come clean with the American people,” Blumenthal tweeted Thursday.
In the Democratic-led House, the chairs of the Homeland Security and Oversight committees jointly announced Thursday that they would be launching a general investigation into the scope and targets of the hack, requesting a briefing from the FBI, the Homeland Security Department and the Office of the Director of Intelligence on Friday.
“It is imperative that our Committees receive the latest information on the number of federal departments, agencies, and other entities affected by the breach, the extent to which sensitive information and data — including classified information — may have been compromised or exposed, the threat actor or actors responsible, and the Administration’s ongoing efforts to prevent further damage,” they wrote in letters asking for the briefing.
Spokesmen for the White House and National Security Council did not immediately respond to requests for comment.
On Dec. 8, the cybersecurity firm FireEye announced that hackers had broken into its servers and stolen sensitive security-testing tools as part of a breach it had discovered in recent weeks. FireEye later determined that software updates from SolarWinds had been corrupted and contacted the company shortly after, The Washington Post reported on Tuesday, citing people familiar with the matter.
Putin deflected questions about Russian hacking during his annual news conference on Thursday. He claimed the United States was waging similar efforts into Moscow’s affairs but did not expand on Kremlin denials that Russian government hackers were behind the recent digital spying operation.
The most important news stories of the day, curated by Post editors and delivered every morning.