The extent of the damage from the Russian hack of federal government computer systems is still being calculated, but as each day passes with new breaches discovered, one thing is clear: This one was very bad.
Since March, Russian intelligence operatives have been penetrating a long list of now-compromised institutions. Victims include the Defense, Commerce, Treasury, State and Homeland Security departments; the arm of the Department of Energy that manages our nuclear arsenal; the Federal Energy Regulatory Commission and the Sandia and Los Alamos national laboratories; and at least 40 private businesses, including tech heavyweights like Cisco and Intel and some top cybersecurity firms.
The scope is breathtaking, the potential targets worrisome.
The hackers could have been seeking the nation’s nuclear secrets, details about new weapon systems or COVID-19 vaccine research, or personal information on government officials and other leaders. They might be able to shut down critical systems like the power grid, or corrupt or destroy essential data. We just don’t know yet. And the attackers likely are still in our networks.
This must serve as a wake-up call. We cannot give short shrift to cybersecurity, or politicize it.
After the attack was revealed, President Donald Trump stayed puzzingly silent for days, while raging about his election loss to Joe Biden. When Trump did speak, he tried to shift the blame to China — a position contradicted by two of his allies, then-Attorney General William Barr and Secretary of State Mike Pompeo, and most of the cybersecurity profession. Contrary to the president’s breezy assertion, everything is not under control. His own government called the hack a "grave risk."
The attack came via malware placed on an outside vendor’s patch for network management software that went to about 18,000 customers around the world. It exposed our nation’s reliance on fragile computer networks. It made clear the need to protect them to the fullest. And it demanded that we respond with a cyberattack of our own that delivers a warning: This behavior will always draw a damaging and proportional response from the United States.
Sadly, Trump, forever deferential to Russian President Vladimir Putin, seems unwilling to deliver such a message. So this task will be added to Biden’s overflowing plate of pressing issues when he takes office Jan. 20. The president-elect has said the right things, vowing to inflict "substantial costs" on those responsible. That won’t reverse or assuage the damage already done, but making Russia hurt now will let Putin know what will befall his country if it acts this way again.
Trump’s administration has been properly criticized for not taking cybersecurity seriously. Many key positions are unfilled. Trump’s third national security adviser, John Bolton, disbanded the White House cybersecurity team in place when Trump took office. Even if some experts are correct that the Russians might only have accessed unclassified networks, we must shore up our cyber defenses.
The warning sirens are blaring. We must answer the call.
— The editorial board