WASHINGTON—Despite its size, a sprawling computer hack blamed on Russia could leave President Trump and the incoming Biden administration struggling to find the right response, former U.S. cybersecurity officials and experts said.
While Sen. Dick Durbin (D., Ill.) called the breaches that hit at least six cabinet-level departments as well as private companies “virtually a declaration of war,” the former officials said the intrusions fell more along the lines of classic digital espionage, however brazen. As far as is known from descriptions of the hack, no data was altered or destroyed, and no computer systems or other infrastructure damaged.
Further complicating any consideration of response options is that U.S. officials are only now beginning to understand the breadth and severity of the hack. Because of the careful and stealthy nature of the incursion, a full damage assessment and recovery operation “is a months, if not yearslong, ordeal,” a senior intelligence official said.
“The scope of it is pretty stunning,” the official said. “The most disconcerting thing is the uncertainty around what [computer] systems they are in.” The official added that there was no evidence that classified systems had been violated, but cautioned that was a preliminary conclusion.
Past U.S. responses to Russian hacking and disinformation operations—sanctions, property seizures, diplomatic expulsions, even the cyber equivalent of warning shots—appear to have done little to dissuade the Kremlin. Moscow has denied responsibility for the latest incursion.
“It’s a clear dilemma for this nation about how we continue to be pounded by other countries…and don’t have a response,” said a former top U.S. intelligence official with decades of cybersecurity experience. “We’re incredibly vulnerable, and nothing that any administration has been able to do has changed that.”
Mr. Trump has made no public comment on the hack, nor given any hint about whether or how he would retaliate before leaving office Jan. 20.
The U.S. sometimes doesn’t respond, at least overtly, even to major computer incursions, such as the 2014-2015 theft of personal data on an estimated 22 million people from the federal Office of Personnel Management, which U.S. authorities blamed on China.
White House national security adviser Robert O’Brien is overseeing the U.S. response. In a statement late Wednesday, the Federal Bureau of Investigation, Department of Homeland Security and Office of the Director of National Intelligence called the hacking campaign “significant and ongoing.”
Current and former officials said the response from the Trump administration has been slow and disjointed, in part because the hack was discovered during the presidential transition.
“Just a bad and odd time in any administration for a crisis to happen,” a U.S. official involved in the response said.
The National Security Council didn’t immediately respond to a request for comment.
While some Capitol Hill briefings have been held, lawmakers in both parties in recent days expressed frustration at the lack of information being shared by the administration about the scope and severity of the espionage.
At a Tuesday evening NSC meeting, senior agency officials were instructed not to grant briefings to Congress on the issue without direct permission from the White House, the U.S. official said.
The breach appeared to have begun when hackers compromised systems belonging to SolarWinds Corp. , a U.S. network-management company that counts national security agencies, local governments, large corporations and defense contractors among its 300,000 customers.
SolarWinds has said it is working with FireEye Inc., a U.S.-based cybersecurity firm that also was breached, and with intelligence and law-enforcement officials to investigate.
Computer systems at the departments of State, Commerce, Treasury, Energy, Homeland Security and the National Institutes of Health, part of the Department of Health and Human Services, were penetrated, according to people familiar with the matter, although the compromise is thought to be far broader.
“It’s a hack. It’s a breach. It’s espionage. It’s not an attack,” said former White House and Justice Department official Jamil Jaffer, executive director of George Mason University’s National Security Institute. “I don’t think some major offensive response is warranted based on what we know now.”
U.S. intelligence agencies engage in cyberspying all the time, although U.S. officials say they don’t generally conduct destructive attacks or steal intellectual property. Because traditional cyber espionage is typically considered fair intelligence activity by most countries—even, sometimes, among allies—retaliation or public condemnation isn’t usually an option that is considered.
Others said the sheer breadth of the SolarWinds hack makes it different from traditional cyberspying.
“The fact that this took place on such a massive scale sort of puts it in a different category,” said John Dermody, counsel at the O’Melveny law firm and former deputy legal adviser at the National Security Council. The economic costs could be enormous, as companies scour their networks to determine whether the perpetrators installed additional malware, he said.
The Trump administration likely is considering sanctions against those responsible, as well as criminal investigations and prosecutions in response, Mr. Dermody said. But there are limits to both.
Some Russian entities and individuals may have been sanctioned already, he said, and “double-sanctioning them doesn’t really have an impact on their behavior.” Criminal charges have limited impact “if you can’t get handcuffs on someone,” he said, because the U.S. is seldom able to arrest hackers working in places such as Russia, China and Iran.
The U.S. has retaliated against Russian cyber actions before, but with unclear results.
Then-President Barack Obama ejected several dozen Russian diplomats, closed two Russian compounds and sanctioned Russian intelligence agencies and officials in response to Moscow’s interference in the 2016 U.S. presidential election.
During the 2018 midterm election, the Pentagon’s Cyber Command took offensive cyber action to disrupt the St. Petersburg-based Internet Research Agency, which U.S. officials said had played a central role in the election interference two years earlier.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies think tank, said that Washington should exact a penalty for the SolarWinds hack. He cited the Cyber Command’s Task Force ARES, which in 2016 disrupted Islamic State’s ability to communicate, spread propaganda and recruit for the terrorist network, one of the first instances of U.S. offensive cyberwarfare.
“You interfere with the opponents’ ability to conduct operations. You sit on their networks,” Mr. Lewis said. “We really have to take a look at taking some kind of action against the Russians.”
—Dustin Volz contributed to this article.
Write to Warren P. Strobel at Warren.Strobel@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Appeared in the December 19, 2020, print edition as ‘Broad Cyberattack Linked to Russia Leaves U.S. Struggling for Response.’