WASHINGTON — The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States — and the failure of the intelligence agencies to detect them — are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyberthreats.
Both hacks exploited the same gaping vulnerability in the existing system: They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency.
The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens.
But the F.B.I. and Department of Homeland Security — the two agencies that can legally operate inside the United States — were also blind to what happened, raising additional concerns about the nation’s capacity to defend itself from both rival governments and nonstate attackers like criminal and terrorist groups.
In the end, the hacks were detected long after they had begun not by any government agency but by private computer security firms.
The full extent of the damage to American interests from the hacks is not yet clear, but the latest, attributed by Microsoft to China, is now revealing a second vulnerability. As Microsoft releases new “patches” to close the holes in its system, that code is being reverse-engineered by criminal groups and exploited to launch rapid ransomware attacks on corporations, industry executives said. So a race is on — between Microsoft’s efforts to seal up systems, and criminal efforts to get inside those networks before the patches are applied.
“When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it’s hard to say that we don’t have a problem,” said Representative Mike Gallagher, Republican of Wisconsin and a co-chairman of a congressionally mandated cyberspace commission. “The system is blinking red.”
The failures have prompted the White House to begin assessing options for overhauling the nation’s cyberdefenses even as the government investigates the hacks. Some former officials believe the hacks show Congress needs to give the government additional powers.
But briefing reporters on Friday about the progress of the investigations, senior administration officials said the White House had no plans to urge Congress to rewrite the laws that prevent American intelligence agencies from operating inside America’s borders.
One senior adviser to President Biden said, however, that a new structure was needed, one that combined traditional intelligence collection with the talents of private-sector firms.
It was FireEye, a cybersecurity company, that ultimately found the SolarWinds attack organized by Russia, and a small Virginia firm named Volexity that revealed to Microsoft that Chinese hackers had found four previously unknown vulnerabilities in Microsoft’s own software, exposing hundreds of thousands of computer servers that run Microsoft Exchange.
But even as officials try to assemble the lessons of those attacks, the one on Microsoft’s systems, used by companies and government agencies, has grown more complex. On Friday, Microsoft warned that cybercriminals are using the back doors Chinese hackers left behind to deploy ransomware, which is used to lock up computer systems until payment is made.
The first efforts to freeze up American systems began Thursday night, Microsoft said, and American officials warned Friday that Microsoft’s customers had limited time, “measured in hours, not days,” to patch their systems to avoid a costly nightmare.
Mr. Biden was briefed last week on the effort to seal up the holes in federal defenses, a senior administration official told reporters on Friday, adding that the federal government was in the third week of a monthlong effort to plug holes made obvious by the SolarWinds hack. A presidential order on longer-range fixes is coming.
But the first problem is detecting attacks — and there the United States has enormous work to do.
America’s foremost hacking teams and digital defenders reside in Fort Meade, Md., home to the National Security Agency and its military counterpart, United States Cyber Command. Over more than a decade, with billions of dollars in new technology, they have littered foreign networks with various forms of “beacons” that give them access to detect attacks as they are coming together or begin.
But, like missile defense, that is hardly an impermeable shield. And foreign actors have begun to identify America’s blind spot: If hackers can assemble an attack from inside America’s borders, the U.S. government’s best hunt-teams can be blindsided.
“The N.S.A. cannot operate in the domestic infrastructure,” retired Adm. Michael S. Rogers, the former director of the agency, said on Friday at the Kellogg School of Management at Northwestern University. “You can’t defend something you can’t see.”
But there is no political appetite to reverse decades of limits on intelligence agencies to monitor and defend network traffic inside the United States.
Instead, Biden administration officials said they would seek a deeper partnership with the private sector, tapping the knowledge of emerging hacking threats gathered by technology companies and cybersecurity firms.
The hope, current and former officials say, is to set up a real-time threat sharing arrangement, whereby private companies would send threat data to a central repository where the government could pair it with intelligence from the National Security Agency, the C.I.A. and other spy shops, to provide a far earlier warning than is possible today.
“You could stop attacks dead in their tracks,” said Glenn S. Gerstell, a former general counsel for the National Security Agency. “We need a way to get threat intelligence into a one-stop shopping center.”
The question is how to set up such a system.
After revelations in 2013 by the former intelligence contractor Edward J. Snowden that set off a debate about government surveillance, American technology companies are wary of the appearance of sharing data with American intelligence agencies, even if that data is just warnings about malware. Google was stung by the revelation in the Snowden documents that the National Security Agency was intercepting data transmitted between its servers overseas. Several years later, under pressure from its employees, it ended its participation in Project Maven, a Pentagon effort to use artificial intelligence to make its drones more accurate.
Amazon, in contrast, has no such compunctions about sensitive government work: It runs the cloud server operations for the C.I.A. But when the Senate Intelligence Committee asked company officials to testify last month — alongside executives of FireEye, Microsoft and SolarWinds — about how the Russians exploited systems on American soil to launch their attacks, they declined to attend.
Companies say that before they share reporting on vulnerabilities, they would need strong legal liability protections.
The most politically palatable headquarters for such a clearinghouse — avoiding the legal and civil liberties concerns of using the National Security Agency — would be the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Mr. Gerstell described the idea as “automated computer sensors and artificial intelligence acting on information as it comes in and instantaneously spitting it back out.”
The department’s existing “Einstein” system, which is supposed to monitor intrusions and potential attacks on federal agencies, never saw the Russian attack underway — even though it hit nine federal departments and agencies. The F.B.I., lawmakers say, does not have broad monitoring capabilities, and its focus is divided across other forms of crime, counterterrorism and now domestic extremism threats.
“I don’t want the intelligence agencies spying on Americans, but that leaves the F.B.I. as the de facto domestic intelligence agency to deal with these kinds of attacks,” said Senator Angus King, a Maine independent, member of the Senate Intelligence Committee and co-chairman of the cyberspace commission. “I’m just not sure they’re set up for this.”
There are other hurdles. The process of getting a search warrant is too cumbersome for tracking nation-state cyberattacks, Mr. Gerstell said. “Someone’s got to be able to take that information from the N.S.A. and instantly go take a look at that computer,” he said. “But the F.B.I. needs a warrant to do that, and that takes time by which point the adversary has escaped.”
Another obstacle is the slowness of identifying attackers. While the director of national intelligence concluded that the SolarWinds attack, carried out last year, was “likely” Russian in origin, a definitive assessment is not expected until this week or next. Only then can the United States respond with sanctions or cyberoperations — nearly a year after the attack began.
“The thing that worries me in both of these cases, too, is just how slowly we tend to attribute, and respond,” Mr. Gallagher said.
On Friday, Jake Sullivan, the president’s national security adviser, told reporters that an investigation was underway to identify who was using the hack of the Microsoft systems to spy on law firms, infectious disease research, universities, military contractors, think tanks and other targets. Microsoft has already said the hackers were a Chinese, state-backed group.
Last month, in the days before Microsoft released an emergency patch for vulnerable Exchange servers, multiple state-backed Chinese groups were apparently tipped off that the company was testing a patch. They began gorging on vulnerable systems with a speed and aggression that some security experts said they had never seen before.
It is unclear how exactly these Chinese groups learned of Microsoft’s patch, but the timing suggests they caught wind of the moves when Microsoft rolled out a test version of its patch to its security partners at cybersecurity firms in late February.
Eighty companies participate in a longstanding partnership with Microsoft, known as the Microsoft Active Protections Program, including 10 Chinese firms. Microsoft confidentially alerts these companies to emerging cyberthreats and vulnerabilities ahead of its official patch cycle. The company is investigating whether one of its partners may have leaked to Chinese hackers or was itself hacked.
Microsoft said that if it determined a leak was responsible for the spike in attacks, the responsible partners would “face consequences.”
The attacks forced Microsoft to release its patch one week early, on March 2. Within a week, the number of vulnerable Exchange servers dropped from 400,000 to 100,000, according to RiskIQ, an internet security company.
Now, however, 82,000 servers are still awaiting updates. Among those still vulnerable are more than 400 state, local and federal government entities in the United States — including more than a dozen servers run by federal agencies — according to an analysis by BitSight, a cybersecurity risk ratings company. The Biden administration has said nothing about the scope of federal vulnerability.
If the government is able to attribute the Microsoft attack to the Chinese, Mr. Gallagher said, there are “a variety of things we could do to inflict pain” on the government in Beijing.