The intelligence agencies missed massive intrusions by Russia and China, forcing the administration and Congress to look for solutions, including closer partnership with private industry.

By David E. Sanger, Julian E. Barnes and Nicole Perlroth

WASHINGTON — The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States — and the failure of the intelligence agencies to detect them — are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyberthreats.

Both hacks exploited the same gaping vulnerability in the existing system: They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency.

The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens.

But the F.B.I. and Department of Homeland Security — the two agencies that can legally operate inside the United States — were also blind to what happened, raising additional concerns about the nation’s capacity to defend itself from both rival governments and nonstate attackers like criminal and terrorist groups.

In the end, the hacks were detected long after they had begun not by any government agency but by private computer security firms.

The full extent of the damage to American interests from the hacks is not yet clear, but the latest, attributed by Microsoft to China, is now revealing a second vulnerability. As Microsoft releases new “patches” to close the holes in its system, that code is being reverse-engineered by criminal groups and exploited to launch rapid ransomware attacks on corporations, industry executives said. So a race is on — between Microsoft’s efforts to seal up systems, and criminal efforts to get inside those networks before the patches are applied.

“When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it’s hard to say that we don’t have a problem,” said Representative Mike Gallagher, Republican of Wisconsin and a co-chairman of a congressionally mandated cyberspace commission. “The system is blinking red.”

The failures have prompted the White House to begin assessing options for overhauling the nation’s cyberdefenses even as the government investigates the hacks. Some former officials believe the hacks show Congress needs to give the government additional powers.

But briefing reporters on Friday about the progress of the investigations, senior administration officials said the White House had no plans to urge Congress to rewrite the laws that prevent American intelligence agencies from operating inside America’s borders.

One senior adviser to President Biden said, however, that a new structure was needed, one that combined traditional intelligence collection with the talents of private-sector firms.

It was FireEye, a cybersecurity company, that ultimately found the SolarWinds attack organized by Russia, and a small Virginia firm named Volexity that revealed to Microsoft the fact that Chinese hackers found four previously unknown vulnerabilities in their systems, exposing hundreds of thousands of computer servers that use Microsoft Exchange software.

But even as officials try to assemble the lessons of those attacks, the one on Microsoft’s systems, used by companies and government agencies, has grown more complex. On Friday, Microsoft warned that cybercriminals are using the back doors Chinese hackers left behind to deploy ransomware, which is used to lock up computer systems until payment is made.

Source: Read Full Article