U.S. lawmakers briefed on the massive cybersecurity security breach that has affected government agencies and the private sector are calling for the country to act, warning that, so far, all evidence is pointing to Russia as the culprit.
The admonitions, from both Republicans and Democrats, follow warnings from U.S. cybersecurity officials that the scope of the hack is potentially much bigger than originally thought, encompassing multiple software platforms going back at least as far as March of this year.
"There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems," U.S. Secretary of State Mike Pompeo said on The Mark Levin Show on Friday, according to a report by Agence France-Presse.
"This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” Pompeo said of the cyberattack on U.S. agencies as well as targets worldwide.
Republican Marco Rubio, the acting chairman of the Senate Intelligence Committee, tweeted on Friday: “The full extent of the cyberhack is still unknown but we already know it is unprecedented in scale & scope.”
"The methods used to carry out the cyberhack are consistent with Russian cyber operations," Rubio added, warning that once officials can attribute the intrusion with complete certainty, "America must retaliate, and not just with sanctions."
The full extent of the cyberhack is still unknown but we already know it is unprecedented in scale & scope, in all likelihood ongoing & at a level of sophistication only a few nation-states are capable of.
— Marco Rubio (@marcorubio) December 18, 2020
The top Democrat on the Senate Intelligence Committee likewise expressed alarm about the hack, describing the breach as devastating.
"An incident of this magnitude and lasting impact requires an engaged and public response by the U.S. government," Senator Mark Warner said in a statement issued Friday. "It is extremely troubling that the president does not appear to be acknowledging, much less acting upon, the gravity of this situation."
Indications of a cyber intrusion first went public earlier this month when the private cybersecurity firm FireEye announced its systems had been penetrated and that sensitive information had been stolen.
The hack was later traced to updates for network management software from a Texas-based company called SolarWinds, which the hackers exploited to get into the networks of at least 18,000 users.
In an updated alert issued Friday, the cybersecurity unit of the U.S. Department of Homeland Security warned the hackers had been exploiting the SolarWinds software update going back to at least March.
But the Cybersecurity and Infrastructure Security Agency (CISA) further warned the problem was not contained to SolarWinds.
"CISA has evidence of initial access vectors other than the SolarWinds Orion platform," the alert warned, saying the agency is investigating instances in which other platforms were used to access critical networks.
"This threat poses a grave risk to the federal government and state, local, tribal and territorial governments, as well as critical infrastructure entities and other private sector organizations," CISA said. "This is a patient, well-resourced and focused adversary that has sustained long duration activity on victim networks."
Research by tech giant Microsoft, made public Thursday, indicated the hackers precisely targeted at least 40 organizations. The vast majority were in the United States, but companies in Canada, Mexico, Britain, Belgium, Israel and the United Arab Emirates were also attacked.
"This is not 'espionage as usual,' even in the digital age," Microsoft President Brad Smith wrote on the company's blog. "This is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."
Former U.S. government officials also worried about the impact of the hack.
"The scope of it is large but exactly how large remains to be seen, and exactly how severe remains to be seen," Michael Daniel, who served as a special assistant to former U.S. President Barack Obama on cyber issues, told VOA's Russian Service.
"The damage could be very, very significant to U.S. national security and to our economic security," he said.
Yet despite the warnings from current and former government officials, and private security firms, as of late Friday, U.S. President Donald Trump had yet to comment on the breach.
Instead, Trump's Twitter feed was full of unsubstantiated allegations of election fraud, praise for the distribution of coronavirus vaccines and threats to veto the $740 billion defense spending bill, which drew the ire of some key lawmakers.
I will Veto the Defense Bill, which will make China very unhappy. They love it. Must have Section 230 termination, protect our National Monuments and allow for removal of military from far away, and very unappreciative, lands. Thank you! https://t.co/9rI08S5ofO
— Donald J. Trump (@realDonaldTrump) December 17, 2020
"This year's National Defense Authorization Act provides critical tools and authorities to help defend against and disrupt malicious cyber activity and effectively hunt for threats and vulnerabilities on the federal cyber network," the chairman and ranking member of the Senate Armed Services Committee said in a joint statement late Friday.
"The NDAA is always 'must-pass' legislation," Republican Jim Inhofe and Democrat Jack Reed added. "But this cyber incident makes it even more urgent that the bill become law without further delay."
NEW: Senate Armed Services Committee statement on #SolarWindsHack
— Jeff Seldin (@jseldin) December 17, 2020
"significant, sophisticated, and ongoing cybersecurity intrusion against the United States... has the hallmarks of a #Russia|n intelligence operation" per @JimInhofe @SenJackReed pic.twitter.com/2d5KqPrECR
Already, officials have determined that the hackers gained access to systems for the departments of Energy, Treasury and Commerce, though the Energy Department said networks related to nuclear security appeared to have been spared.
"At this point, the investigation has found that the malware has been isolated to business networks only and has not impacted the mission essential national security functions of the department," spokeswoman Shaylyn Hynes said in a statement Thursday.
DOE UPDATE ON CYBER INCIDENT RELATED TO SOLAR WINDS COMPROMISE pic.twitter.com/l9X1AH4VJw
— DOE Press Staff (@EnergyPress) December 17, 2020
U.S. President-elect Joe Biden called the cybersecurity breach "a matter of great concern."
"I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office," he said in a statement Thursday, shortly after the latest CISA alert was issued.
"Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation," he added.
Biden is set to be inaugurated as the 46th U.S. president on January 20.
Russian Service's Danila Galperovich contributed to this report.