Trump Contradicts Pompeo Over Russia’s Role in Hack



Hours after Secretary of State Mike Pompeo told a conservative radio show host that “we can say pretty clearly that it was the Russians” behind the vast hack of the federal government and American industry, he was contradicted on Saturday by President Trump, who sought to muddy the intelligence findings by raising the possibility that China was responsible.

Defying the conclusions of experts inside and outside the government who say the attack was a cybersecurity breach on a scale Washington has never experienced, Mr. Trump also played down the severity of the hack, saying “everything is well under control,” insisting that the news media has exaggerated the damage and suggesting, with no evidence, that the real issue was whether the election results had been compromised.

“There could also have been a hit on our ridiculous voting machines during the election,” he wrote on Twitter in his latest iteration of that unfounded conspiracy theory. He tagged Mr. Pompeo, the latest cabinet member to anger him, in his Twitter post.

With 30 days left in office, Mr. Trump’s dismissive statements made clear there would be no serious effort by his administration to punish Russia for the hack, and national security officials say they are all but certain to hand off the fallout and response to President-elect Joseph R. Biden Jr.

So in the midst of a global pandemic, Mr. Biden will inherit a government so laced with electronic tunnels bored by Russian intelligence that it may be months, years even, before he can trust the systems that run much of Washington.

And in his first days in office, even as he has to deal with Russia on arms control and other issues, he will have to confront a quandary that has confounded his predecessors for a quarter of a century: Retaliation for cyber intrusions often results in escalation.

As Michael Sulmeyer, now a senior adviser to United States Cyber Command, put it before he entered government, America “lives in the glassiest of glass houses.” The United States is more reliant than almost any other nation on fragile computer networks that make the government and economy hum, making it an especially ripe target for short-of-war attacks like the one executed by the Kremlin.

In contrast to Mr. Trump, who has always been reluctant to confront Moscow and President Vladimir V. Putin, Mr. Biden has signaled that he will not let the intrusion, whose full extent is not yet known, go unanswered.

“A good defense isn’t enough,’’ Mr. Biden said Thursday, vowing to impose “substantial costs on those responsible for such malicious attacks.”

He will not find that easy.

Mr. Trump’s tweet was his first comment on the hack, which came to light a week ago. Privately, the president has called the hack a “hoax” and pressured associates to downplay its significance and push alternate theories for who is responsible, two people familiar with the exchanges said. Larry Kudlow, his economic adviser, told reporters on Friday, “People are saying Russia. I don’t know that. It could be other countries.”

The president’s unexplained reluctance to blame Russia — which through its embassy in Washington has denied complicity in the attack — has only complicated the response, investigators say.

The government only learned of the hack from FireEye, a cybersecurity company, after the firm was itself breached. And Microsoft’s president, Brad Smith, said Thursday that government agencies are approaching Microsoft — not the national security establishment — to understand the extent of the Russian breach.

“This is the most consequential cyberespionage campaign in history and the fact that the government is absent is a huge problem for the nation,” said Dmitri Alperovitch, a co-founder of CrowdStrike, a security firm, who is now chairman of Silverado Policy Accelerator, a think tank.

“The response has been a total disaster, not just because of the president, but because whoever is left is just polishing up their resumes,” he said. “There’s no coordination and every agency is just doing whatever they can to help themselves.”

Mr. Trump’s comments on Saturday had echoes of his stance toward the hacks during 2016 presidential campaign, when he contradicted intelligence findings to claim it was China, or a “400 pound” person “sitting on his bed,” not Russia, who interfered in that election. Two years later, Mr. Trump’s own Justice Department indicted 12 Russian intelligence officers.

“Never has there been a President work so hard to provide cover for Russia,” said Clint Watts, a former F.B.I. special agent and Russian information warfare expert at the Foreign Policy Research Institute.

All countries spy on each other, of course, and — for now — that appears to have been the first objective of the Russian campaign, one that researchers said on Friday appears to date back to October 2019, six months earlier than initially believed.

That was when hackers, presumed to be working for the SVR, one of the most elite and talented of the Russian spy agencies, first broke into the SolarWinds network management software, which is used across the federal government and by three-quarters of the nation’s Fortune 500 companies.

The theory is that the Russians were trying to figure out whether they could get into the “supply chain” of software that would give them broad access to the array of systems that make America tick.

What no one in the Trump administration wants to address, at least publicly, is how the Russians managed to evade billions of dollars in American-built defenses designed to alert agencies to foreign intrusions. That question, too, now seems certain to be left to Mr. Biden to answer.

From their new cyber command center in Fort Meade, Md., the NSA and Cyber Command monitor incoming attacks, the way generations of American military officials jammed underground command centers to look for incoming missile attacks. In this case, the sensors never went off, and the commander of those cyber forces, Gen. Paul M. Nakasone, one of the nation’s most experienced cyber warriors, has said not one word in public about what went wrong.

The private sector will face hard questions as well. The majority of infections, Microsoft said, were of private firms, many of them cybersecurity companies. FireEye only detected the attack after Russians cleaned it out too, taking the “Red Team” tools the firm uses to probe corporate and government systems for vulnerabilities.

The Russian attack was carefully calibrated to avoid cybersecurity defenses. It gained access to the updates of the SolarWinds software — akin to the updates Apple and other phone makers push onto cellphones as they charge overnight — betting that small changes in code would not be noticed.

By compromising the updates, they gained access to 18,000 government agencies and companies. From there they planted “back doors” into the networks of some 40 companies, government agencies and think tanks, according to Microsoft, that allowed them to come and go, steal data and — though it apparently has not happened yet — alter data or conduct destructive attacks.

“This was a cybersecurity superspreading event,’’ Mr. Smith said in an interview on Thursday evening, calling it “a moment of reckoning.”

While Mr. Trump began his time in office with a strong cybersecurity team in the White House, his third national security adviser, John R. Bolton, ousted them and eliminated the post of a cyber czar with direct access to the president.

The new National Defense Authorization Act, which Mr. Trump is threatening to veto for other reasons, would recreate such a post.

Yet until Mr. Pompeo, who ran the C.I.A. for the first two years of the Trump administration, made his assessment in an interview on “The Mark Levin Show,” the administration had all but ignored the attack in public — perhaps realizing that an administration that came into office on the heels of Russian interference in the 2016 election was leaving as the victim of one of Russia’s most well-executed cyberattacks.

“This was a very significant effort,” Mr. Pompeo said, adding that “we’re still unpacking precisely what it is.” He said he expected most of the details would remain classified.

“Given the gravity of this breach, it’s concerning that President Trump is paying so little attention to it,” said Senator Martin Heinrich, the Democrat from New Mexico, home to the Los Alamos nuclear lab that Russians breached in the attack.

He and other Democrats have pushed for an aggressive response. “We have failed to deter the Russians,” Senator Chris Coons of Delaware, a Democrat who is close to Mr. Biden, said on Thursday. “We are only going to see Putin stop this action when we stop him.”

But if history is any guide, finding the right way to retaliate will be difficult. The United States conducts its own spying missions. America has carried out supply chain attacks, too, including against Iran’s nuclear centrifuges and its missile program. It has been running them against North Korea for years.

“The U.S. government has no principled basis to complain about the Russia hack, much less retaliate for it with military means, since the U.S. government hacks foreign government networks on a huge scale every day,” Jack Goldsmith, a Harvard Law School professor who worked in the Bush administration.

“Indeed, a military response to the Russian hack would violate international law.” he added. “The United States does have options, but none are terribly attractive.”

That is the core of Mr. Biden’s problem. In the first 16 days of his presidency he will have to deal with Mr. Putin to address the renewal of New START, the nuclear arms control treaty that expires on Feb. 5. Mr. Biden has said he favors a clean renewal of the agreement, which can be extended five years without having to return to the Senate for approval.

But he will be conducting that negotiation while also dealing with the question of how to retaliate to an ongoing attack whose full extent is still unknown.

“They had unfettered access for nine months,” said Stephen Boyer, an executive at BitSight, a cybersecurity firm. “We may never know what we lost.”

Reporting was contributed by Steve Kenny, Eric Schmitt and Julian Barnes.