WASHINGTON — With President Biden’s aides struggling to find innovative ways to retaliate against Russia for the most sophisticated hacking of government and corporations in history, key senators and corporate executives warned on Tuesday that the “scope and scale” of the operation were unclear, and that the attack might still be continuing.
“Who knows the entirety of what happened here?” Brad Smith, the president of Microsoft, told the Senate Intelligence Committee on Tuesday. “Right now, the attacker” — which appears to be the S.V.R., one of Russia’s main intelligence agencies — “is the only one who knows the entirety of what they did.” Microsoft was one of the first to raise the alarm about the intrusion into networks across the government and private sector.
The hearing was a rare public airing of one of the biggest failures of American intelligence since Pearl Harbor and the Sept. 11, 2001, terrorist attacks: an assault on the “supply chain” of network management software used by governments and most of the nation’s largest companies.
The National Security Agency, despite spending billions of dollars planting sensors in networks around the world, missed the evidence for more than a year — a point made by Democratic and Republican senators, who asked how long the United States would have remained in the dark.
“It could have been exponentially worse,” Senator Mark Warner, Democrat of Virginia and the new chairman of the Senate Intelligence Committee, said at the end of two and a half hours of testimony.
In fact, it may prove to be worse. At a White House briefing last week, Anne Neuberger, President Biden’s new national security adviser for cyber and emerging threats, said the White House was preparing a comprehensive response because of “the ability of this to become disruptive.” She was referring to the possibility that the same access that gave the Russians the ability to steal data could, in the next phase of an operation, enable them to alter or destroy it.
But no representative of the United States’ intelligence agencies, chiefly the National Security Agency, appeared at the hearing. Several senators castigated executives of Amazon Web Services for declining to attend. Amazon’s absence left no one to explain how the Russian hackers secretly used its servers inside the United States to run command-and-control centers to carry out the operation, stripping emails and other data from what Ms. Neuberger said were at least nine government agencies and more than 100 companies.
Mr. Biden’s aides are contemplating a range of responses that his national security adviser, Jake Sullivan, referred to over the weekend as “a mix of tools seen and unseen.”
Mr. Sullivan promised that when a response came, it would “not simply be sanctions,” the most common way the government reacted in response to North Korea’s attack on Sony Pictures Entertainment and Iran’s attacks on American banks and a dam in Westchester County, N.Y.
Those options, according to officials familiar with the discussions, include variants of steps that President Barack Obama considered and rejected after the 2016 hacking of state election systems. They included using cybertools to reveal or freeze assets secretly held by President Vladimir V. Putin of Russia, exposure of his links to oligarchs or technological moves to break through Russian censorship to help dissidents communicate to the Russian people at a moment of political protest.
At a news briefing at the White House on Tuesday, Jen Psaki, the press secretary, said that an American response would come in “weeks, not months.” But first the United States will have to make a definitive declaration that one of Russia’s intelligence agencies was responsible.
“There is not a lot of suspense at this moment about what we are talking about,” said Mr. Smith, who added that while Microsoft had not identified the intruders, it saw nothing to contradict the tentative finding of American intelligence that Russia was “likely” to be the culprit.
Mr. Biden will then have to surmount another problem: Differentiating what the Russians did from the kind of espionage the United States does, including against its allies. Officials are already preparing the grounds for that argument. Last week, Mr. Biden called the intrusion of the malware “reckless” because it affected more than 18,000 companies, mostly in the United States. In private, American officials are already testing an argument that Russia needs to be punished for “indiscriminate” hacking, while the United States uses similar tools for only targeted purposes. It is unclear that argument will prove convincing to others to join in steps to make Russia pay.
Mr. Biden’s coming actions appear likely to include executive orders on improving the resiliency of government agencies and companies to attacks and proposals for mandatory disclosure of hackings. Many of the companies that lost data to the Russians have not admitted to it, either out of embarrassment or because there is no legal requirement to disclose even a major breach.
But the subtext of much of the testimony was that Russia’s intelligence services might have laced American networks with “backdoor” access. And that possibility — just the fear of it — could constrain the kind of punishment that Mr. Biden metes out. While he promised during the presidential transition to impose “substantial costs,” previous promises to hold Russia accountable did not create enough of a deterrent to concern them about the penalty if they were caught in the most sophisticated supply-chain hacking in history.
“The reality is that they are going to come back, and they are going to be an ever-present offense,” said Kevin Mandia, the chief executive of FireEye, the cybersecurity company that first found the intrusion after Russians stole its tools for fighting hackers. Mr. Mandia, a former Air Force intelligence officer, noted that “since the front door was locked,” the hackers turned to known but little-addressed vulnerabilities. In this case, they got into the update system of network management software made by a company called SolarWinds. When users of the SolarWinds Orion software downloaded the updated versions of the code, the Russians were in.
Among those who testified at the hearing was Sudhakar Ramakrishna, the new chief executive of SolarWinds, who took over weeks after the breach was discovered and has since been peeling back the layers of the intrusion. He told the Senate committee that the code had been eradicated from the company’s products. But that is little use to the government agencies and companies that were already breached, because once the hackers are inside their targeted computer networks, they are free to roam.
Mr. Ramakrishna also said that SolarWinds was still unclear on how the Russian hackers got into the software it was developing, embedding themselves there as early as fall 2019. When asked about the possibility that software tools made by JetBrains, which speeds the development and testing of code, was the pathway, Mr. Ramakrishna said there was still no evidence. The New York Times reported in January that JetBrains was under investigation, but the company’s senior executives, some of whom are Russian, said there was no evidence.
Mr. Smith, who has called for a “digital Geneva convention” that would begin to create norms barring some kinds of attacks, estimated that “at least a thousand very skilled, capable engineers” were involved in the hacking.
“This was an act of recklessness, in my opinion,” he said, because it infected thousands of systems that the Russians had no interest in to give them access to only a few. “It was done in a very indiscriminate way.”
Mr. Warner, Senator Marco Rubio of Florida, the ranking Republican on the committee, and others noted repeatedly that Amazon — which runs the C.I.A.’s network cloud services and is seeking other major federal contracts — was the only company that refused to send a senior executive to explain its role in the hacking. Amazon has said nothing publicly about what it knew about the command-and-control operation run from its servers in the United States.
That is a crucial issue, because the hackers appeared to understand that American intelligence agencies are prohibited from examining network activity in the United States. So by initiating the attack within American borders, they were taking advantage of domestic privacy protections to avoid being detected.
Several senators said they were concerned that such a technique, once known, would be widely used by others. “The bottom-line question is how did we miss this, and what are we still missing?” Mr. Rubio said.
In an interview, Ellen M. Lord, a former senior Pentagon official in the Trump administration, said the challenge now would be getting law enforcement agencies, the National Security Agency, the Pentagon and others to coordinate more quickly about specific cyberintrusions.
Some laws meant to protect data have made sharing information harder, she said.
“After 9/11, everybody said, ‘Oh my God, all these different groups had information,’ but they weren’t sharing,” Ms. Lord said. “It’s the same exact situation in my mind, with all of these cyberintrusions on the defense industrial base. There needs to be a clean sheet review of regulations and policies prohibiting information-sharing among local, state and federal government, so we don’t have all these stove pipes.”
Julian Barnes contributed reporting.