How should the U.S. respond to the massive Russia-linked hack?

Mike Bebernes
·6 min read

“The 360” shows you diverse perspectives on the day’s top stories and debates.

What’s happening

Hackers believed to be connected to the Russian government breached the computer networks of both the private sector and some of the top agencies in the United States government, including the Department of Defense, the State Department, the Department of Homeland Security, the Treasury Department and the Commerce Department.

The full extent of the hack, which began as early as March, is unknown. But it is already considered one of the most expansive cyber intrusions in U.S. history. It’s also unclear whether the hackers merely gained access to information on the networks or if they took active steps to sabotage government systems.

The attack wasn’t limited to the American government. Tech giant Microsoft on Thursday said it had “isolated and removed” a vulnerability in its systems. Many cybersecurity experts expect that intrusions into more private companies and possibly other governments will be revealed in the near future. The hackers inserted malicious code into software from the networking company SolarWinds, which gave them access to the networks of as many as 18,000 SolarWinds customers. They appear to have conducted a “dry run” of the breach late last year.

Secretary of State Mike Pompeo said evidence showed that Russian intelligence agencies were “pretty clearly” responsible for the breach, echoing a broad consensus among national security officials. After days of silence on the issue, President Trump attempted to downplay the severity of the attack and suggested it may have in fact been conducted by China.

Why there’s debate

News of the hack has prompted calls from some U.S. lawmakers and cybersecurity experts for an aggressive response. “America must retaliate,” GOP Sen. Marco Rubio tweeted. Some argue that the steps the U.S. has taken after other recent Russian hacks — primarily economic sanctions and the expulsion of Russian diplomats — are an insufficient reaction to what one Democratic senator called “virtually a declaration of war.” The most common suggestion is for the U.S. to mount a cyberoffensive of its own. Others say financial penalties and public pressure are the best tactics.

Some experts say the U.S. should focus on ramping up its defensive capabilities. Striking back at Russia’s networks risks sparking an escalating series of reprisals that could lead to an actual war, they argue. Launching a cyberattack would also show the Russians where the U.S. has penetrated into their systems and give them the opportunity to close off those pathways.

Another group has called for patience. It’s critical, they say, to have a full accounting of what the Russians were able to access and what they intended to do. A hack used to strictly gather unclassified information requires a much smaller response than an all-out cyberattack designed to destroy critical American infrastructure, they argue.

What’s next

Given the president’s statement questioning Russia’s role in the hack, it seems unlikely that the U.S. will mount any significant response before the end of Trump’s term. President-elect Joe Biden said his administration would impose “substantial costs on those responsible” when he takes office, but did not provide any specifics.


The U.S. should show its own cyber strength

“In the wake of this attack, the U.S. must find subtle ways of showing that it can achieve equivalent or greater breaches of Russian networks — those used by Putin’s security services and propaganda organs, for instance, or by financial firms that are linked to the Kremlin and handle the flow of dirty money that lubricates that regime.” — Hal Brands, Bloomberg

The focus should be on cyber defense to avoid escalation

“Instead of actively courting conflict that could well escalate into a shooting war, Washington should focus on making its own house secure. Stop playing hacker abroad and shore up our defenses.” — Bonnie Kristian, Newsweek

Russia needs to be shown that cyberattacks like this won’t be tolerated

“[The] effort could start with better signaling that the US is serious about these responding to significant cyberattacks, including a frank conversation with Russian President Vladimir Putin, reminding him that while he may have scored an intelligence coup in SolarWinds, Russia is still overmatched in economic and military power by the US.” — Erica Borghard and Jacquelyn Schneider, Wired

It would be foolish to respond without all of the facts

“I think the question of whether and how to respond to Solarwinds hack is complicated. But it’ll be, at a minimum, weeks until government has the relevant information needed to *begin* assessing an appropriate response. Those calling for massive retaliation are just being silly.” — Lawfare executive editor Susan Hennessey

Harsh financial penalties will be most effective

“This isn’t just a tit-for-tat or hacking back into their systems. It’s, ‘We’re going to go for what you really care about, and what you really care about is the funds that are stashed, and revealing the larger network and how it’s connected to the Kremlin.’” — Public policy expert Sarah Mendelson to Associated Press

It’s wise for the U.S. to keep its cyber capabilities secret until they’re really needed

“The U.S. has the same, if not greater, offensive capabilities than other nation states out there. But cyberspace isn’t like more traditional domains of conflict, where you want your adversary to know you have the bigger and better weapon to act as a deterrent; it’s wiser to keep your most advanced capabilities under wraps.” — Ian Bremmer, Time

The U.S. should do everything it can to deescalate ongoing cyberwarfare

“The United States has failed miserably for decades in protecting its public and private digital networks. What it apparently has not done is to ask itself, in a serious way, how its aggressive digital practices abroad invite and justify digital attacks and infiltrations by our adversaries, and whether those practices are worth the costs.” — Jack Goldsmith, the Dispatch

The hack should lead to more transparency from the government on cyber issues

“There’s a natural inclination to hide the damage (no one likes seeing headlines about how they might have been hacked), but an effective response depends on agencies being brutally honest. It’s the only way to understand the scale of the mess and start to clean it up.” — Russell Brandom, Verge

Trump should pay a political price for failing to protect the U.S.

“Trump’s failure to protect America has not yet received the attention it deserves — perhaps because it is overshadowed by the coronavirus pandemic, another example of Trump failing to protect Americans.” — David A. Graham, Atlantic

The U.S. shouldn’t just sit on its hands until Biden is president

“There are still about 40 days left in the Trump administration. That means that Putin’s free license to loot will expire soon. In these waning days, we should expect even more attacks and compromises of key computer systems. Congress should do all that it can to demand answers and insist on a response from the White House.” — Frank Figliuzzi, MSNBC

There won’t be any U.S. response as long as Trump is president

“We shouldn’t expect much from Trump on this. ... It’s clear that this is going to be Biden’s problem, both in terms of cleaning up the mess and securing US government systems to make sure this doesn’t happen again.” — Samantha Vinograd, CNN

Is there a topic you’d like to see covered in “The 360”? Send your suggestions to

Read more “360s”

Photo illustration: Yahoo News; photos: Getty Images (2)