Expelling Russian hackers from US government networks and getting them to re-consider their malign behavior is going to take time, more comprehensive dialogue and fundamental changes to American cybersecurity, deputy national security adviser Anne Neuberger told CNN in an interview.
A week after the Biden Administration called out Russia’s foreign intelligence service for the first time for carrying out the most serious breach ever of US government networks, Neuberger didn’t deny that Russian hackers are active inside those networks and made clear she hasn’t yet seen a significant change in Russia’s malicious behavior in cyberspace.
“We’ll know when we see a change with regards to [Russia’s] broad use of cyber to achieve national objectives and that’s something that will take time,” Neuberger said.
Two sources familiar with the internal investigation of the SolarWinds breach told CNN that the hackers from Russia’s SVR intelligence agency likely still maintain access to US networks despite the administration’s efforts to patch vulnerabilities that were exploited.
“I am not confident that they’re off of the board yet,” one of the sources said. “They’re still very much out there, probably carrying out all sorts of operations.”
Asked directly whether that’s the case, Neuberger responded that attributing the hack to the SVR was designed to change its “calculus.”
“To really shape a country’s use of cyber, you have to shape the calculus they use on the value and the cost,” she added. “The SVR is a sophisticated, persistent actor. They play a role as part of Russia’s intelligence collection, as part of their malign influence mission. And we know that to shape that calculus is not going to be one action.”
‘Significant gaps in cybersecurity’
The SolarWinds breach prompted a two-month review by the Biden administration that revealed “significant gaps” in cybersecurity across the federal government that was an “unpleasant” surprise,” said Neuberger, who had served during the Trump administration as the head of cybersecurity at the National Security Agency.
“Clearly our strategy heretofore hasn’t been working, because we see a growth in [Russian] cyber activity,” said Neuberger.
In response, the SVR director called the moves “very ill-considered.”
For weeks leading up to the raft of actions against Russia, senior national security officials, including Neuberger and her boss, national security adviser Jake Sullivan, had said the measures they would take would be “seen and unseen.”
Neuberger declined to say whether any unseen actions have been taken, telling CNN: “You know what was conveyed and I’ll leave it at that.” Earlier this month Neuberger said it would include “private messaging,” warning which activities the government considers unacceptable.
Multiple sources told CNN that covert, offensive cyber operations against Russia were not mentioned by administration officials who have recently briefed lawmakers on their plans to hold Russia accountable, including the day before the measures were announced.
Cyber response options presented to NSC
In the weeks of discussions leading up to the announcement, various agencies sent a range of cyber response options to the National Security Council for consideration, according to a source familiar with the planning. It remains unclear whether the Biden administration has plans to act on any of those options.
The menu of potential cyber responses presented to the NSC only consisted of options that are considered legal, ethical, moral and proportional, the source added, noting that it did not include anything that would be considered escalatory or cause serious blowback.
Two more major hacks have come to light since SolarWinds, on Microsoft Exchange servers and Pulse Connect Secure, both believed to have been carried out by Chinese hackers. At least two dozen federal agencies use Pulse Connect Secure software and this week the Department of Homeland Security issued a rare emergency directive revealing the hack started almost a year ago.
This string of high-profile and deeply damaging breaches by hackers from — or connected to — foreign governments has forced the Biden administration to examine the root causes of why they’re doing it, Neuberger says.
A primary reason is that US cyber defenses aren’t hard or modern enough, an issue the White House says is going to be addressed with a new executive order in the coming weeks. Despite Neuberger’s senior role in intelligence and cybersecurity under President Donald Trump, she says “inheriting a crisis” in SolarWinds exposed how serious the country’s vulnerabilities are.
“I think what surprised me the most was, as we did the review of SolarWinds, seeing the significant gaps across federal government cybersecurity and the need for rapid, effective modernization,” she said.
It was an “unpleasant” surprise, she added, understanding “the degree of focus and modernization needed to really be where we need to be and make the federal government the gold standard.”
The hackers behind the SolarWinds breach managed to get into at least nine federal agencies in a highly sophisticated operation that is believed to have begun last March and was only discovered in December by the cybersecurity firm FireEye. There has been a fierce debate among officials and experts over whether the breach constitutes an attack by Russia, which may call for a counterattack.
“I call it a successful hack,” Neuberger said, “There’s a lot of word definitions around the word ‘attack’ that different people have different understandings of.”
The information accessed by the hackers helped Russia gather intelligence on how the US government works, said Neuberger, who had previously called the hack “more than an isolated case of espionage.”