The recently revealed SolarWinds hack unfolded like a scene from a horror movie: Victims frantically barricaded the doors, only to discover that the enemy had been hiding inside the house the whole time. For months, intruders have been roaming wild inside the nation’s government networks, nearly all of the Fortune 500, and thousands of other companies and organizations. The breach—believed to be the work of an elite Russian spy agency—penetrated the Pentagon, nuclear labs, the State Department, the Department of Homeland Security (DHS), and other offices that used network-monitoring software made by Texas-based SolarWinds. America’s intelligence agencies and cyberwarriors never detected a problem. Instead, the breach was caught by the cybersecurity firm FireEye, which itself was a victim.
The full extent of the damage won’t be known for months, perhaps years. What’s clear is that it’s massive—“a grave risk to the federal government … as well as critical infrastructure entities and other private sector organizations,” declared DHS’s Cybersecurity and Infrastructure Security Agency, an organization not known for hyperbole.
The immediate question is how to respond. President-elect Joe Biden issued a statement vowing to “disrupt and deter our adversaries from undertaking significant cyber attacks in the first place” by “imposing substantial costs.” Members of Congress were far less measured, issuing ever more forceful threats of retaliation. It was a weird bipartisan moment in which liberal Senate Democrats sounded like hawkish House Republicans, issuing statements about “virtually a declaration of war” and the need for a “massive response.”