Russia has not been deterred
Opinion by the editorial board : 29 May. 2021
RUSSIA IS not stopping. This is the only conclusion to draw from news that hackers linked to the country’s main intelligence service compromised an email system used by the U.S. Agency for International Development within the State Department. The attack targeted the computer networks of human rights groups and other organizations critical of President Vladimir Putin — and it continues even now.Support our journalism. Subscribe today.
Microsoft discovered and disclosed the breach on Thursday, identifying the culprit as the Nobelium group also responsible for the SolarWinds operation, which recently wormed its way into the innards of hundreds of companies and at least seven government agencies. President Biden last month announced the U.S. response to that incursion: levying some sanctions on Russian companies and individuals, expelling some diplomats and taking other “unseen” actions to deter further malfeasance. Many punches, however, were pulled — ostensibly to avoid escalation. Now it appears not only that Russia has not been deterred, but may itself have escalated.
Adding insult to injury, the latest salvo took advantage of the same weakness in the country’s cybersecurity as did SolarWinds: insufficient safeguards in critical supply chains that run from private enterprise up to the most sensitive public entities. In this case, widely employed email software from a company called Constant Contact was the way in. Spear-phishing messages were blasted out from USAID to more than 150 organizations and reached more than 3,000 accounts. These contained malicious code to let the hackers into recipients’ computer systems, where they could infect others on the network or make off with data. The emails were coming ever faster and ever more furious upon the effort’s discovery — designed, it seems, not to hurt the State Department but civil society, including groups that analyze Russian foreign policy and those that oppose the Kremlin.
One lesson from this mess should have been learned already, which is that sensitive digital supply chains must be shored up. The White House issued an executive order earlier this month to build baseline standards with which all commercial suppliers to the federal government must comply. That should provide some more protection, but efforts to hunt for threats and defeat what’s found must also improve.
Another lesson, however, remains: Mr. Putin will not respond to the traditional playbook of sanctions and expulsions by backing down, but rather by stepping up to the boundaries of Internet-age espionage and pushing them. Mr. Biden must make very clear what the United States is and is not willing to tolerate. He must also have a plan for how to respond when an adversary refuses to listen.