White House weighs new cybersecurity approach after failure to detect hacks


WASHINGTON (NYTIMES) - The sophisticated hacks pulled off by Russia and China against a broad array of government and industrial targets in the United States - and the failure of the intelligence agencies to detect them - are driving the Biden administration and Congress to rethink how the nation should protect itself from growing cyberthreats.

Both hacks exploited the same gaping blind spot in the existing system: They were launched from inside the United States - on servers run by Amazon, GoDaddy and smaller domestic providers - putting them out of reach of the early-warning system run by the National Security Agency, which watches foreign networks, not domestic ones.

The agency, like the CIA and other US intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens.

But the FBI and Department of Homeland Security - the two agencies that can legally operate inside the United States - were also blind to what happened, raising additional concerns about the nation's capacity to defend itself from both rival governments and nonstate attackers like criminal and terrorist groups.

In the end, the hacks were detected long after they had begun - not by any government agency, but by private computer security firms.

The full extent of the damage to US interests from the hacks is not yet clear, but the latest, attributed by Microsoft to China, is now revealing a second weakness.

As Microsoft releases new "patches" to close the holes in its software, those patches are being reverse-engineered by criminal groups to work out what was fixed, and the resulting exploits are being used to launch rapid ransomware attacks on corporations that have not yet applied them, industry executives said.

So a race is on - between Microsoft's efforts to seal up systems, and criminal efforts to get inside those networks before the patches are applied.

"When not one but two cyberhacks have gone undetected by the federal government in such a short period of time, it's hard to say that we don't have a problem," said Rep. Mike Gallagher, R-Wis. and a co-chair of a congressionally mandated cyberspace commission.

"The system is blinking red."

The failures have prompted the White House to begin assessing options for overhauling the nation's cyberdefences even as the government investigates the hacks. Some former officials believe the hacks show Congress needs to give the government additional powers.

But briefing reporters on Friday (March 12) about the progress of the investigations, senior administration officials said the White House had no plans to urge Congress to rewrite the laws that prevent US intelligence agencies from operating inside America's borders.

One senior adviser to President Joe Biden said, however, that a new structure was needed, one that combined traditional intelligence collection with the talents of private-sector firms.

It was FireEye, a cybersecurity company, that ultimately discovered the SolarWinds attack organised by Russia, and a small Virginia firm named Volexity that revealed to Microsoft that Chinese hackers had found four previously unknown vulnerabilities in Microsoft's Exchange email server software, exposing hundreds of thousands of servers running it.

But even as officials try to assemble the lessons of those attacks, the one on Microsoft's systems, used by companies and government agencies, has grown more complex.

On Friday, Microsoft warned that cybercriminals are using the backdoors Chinese hackers left behind to deploy ransomware, which is used to lock up computer systems until payment is made.

The first efforts to freeze up US systems began Thursday night, Microsoft said, and US officials warned Friday that Microsoft's customers had limited time, "measured in hours, not days," to patch their systems to avoid a costly nightmare.

Mr Biden was briefed last week on the effort to seal up the holes in federal defences, a senior administration official told reporters Friday, adding that the federal government was in the third week of a month-long effort to plug holes made obvious by the SolarWinds hack. A presidential order on longer-range fixes is coming.

But the first problem is detecting attacks - and there the United States has enormous work to do.

America's foremost hacking teams and digital defenders reside in Fort Meade, Maryland, home to the National Security Agency and its military counterpart, US Cyber Command. Over more than a decade, with billions of dollars in new technology, they have littered foreign networks with various forms of "beacons" that let them detect attacks as they are being assembled or as they begin.

But, like missile defence, that is hardly an impermeable shield. And foreign actors have begun to identify America's blind spot: If hackers can assemble an attack from inside America's borders, the US government's best hunt teams can be blindsided.

"The NSA cannot operate in the domestic infrastructure," retired Adm. Michael Rogers, the former director of the agency, said Friday at the Kellogg School of Management at Northwestern University. "You can't defend something you can't see." But there is no political appetite to reverse decades of limits on the intelligence agencies' ability to monitor and defend network traffic inside the United States.

Instead, Biden administration officials said they would seek a deeper partnership with the private sector, tapping the knowledge of emerging hacking threats gathered by technology companies and cybersecurity firms.

The hope, current and former officials say, is to set up a real-time threat-sharing arrangement, whereby private companies would send threat data to a central repository where the government could pair it with intelligence from the National Security Agency, the CIA and other spy shops to provide a far earlier warning than is possible today.

"You could stop attacks dead in their tracks," said Glenn Gerstell, a former general counsel for the National Security Agency.

"We need a way to get threat intelligence into a one-stop shopping centre." The question is how to set up such a system.

After revelations in 2013 by former intelligence contractor Edward Snowden that set off a debate about government surveillance, US technology companies are wary of the appearance of sharing data with US intelligence agencies, even if that data is just warnings about malware. Google was stung by the revelation in the Snowden documents that the National Security Agency was intercepting data transmitted between its servers overseas. Several years later, under pressure from its employees, it ended its participation in Project Maven, a Pentagon effort to use artificial intelligence to make its drones more accurate.

Amazon, in contrast, has no such compunctions about sensitive government work: It runs the cloud server operations for the CIA. But when the Senate Intelligence Committee asked company officials to testify last month - alongside executives of FireEye, Microsoft and SolarWinds - about how the Russians exploited systems on US soil to launch their attacks, they declined to attend.

Companies say that before they share reporting on vulnerabilities, they would need strong legal liability protections.

There are other hurdles. The process of getting a search warrant is too cumbersome for tracking nation-state cyberattacks, Gerstell said.

"Someone's got to be able to take that information from the NSA and instantly go take a look at that computer," he said. "But the FBI needs a warrant to do that, and that takes time, by which point the adversary has escaped."

Another obstacle is the slowness of identifying attackers. While the director of national intelligence concluded that the SolarWinds attack, carried out last year, was "likely" Russian in origin, a definitive assessment is not expected until this week or next. Only then can the United States respond with sanctions or cyberoperations - nearly a year after the attack began.

"The thing that worries me in both of these cases, too, is just how slowly we tend to attribute and respond," Gallagher said.
