Pompeo: Russia ‘pretty clearly’ behind massive cyberattack

Secretary of State Mike Pompeo on Friday blamed Russia for the massive cyberattack against multiple U.S. agencies and thousands of individual federal and private entities, saying the country was “pretty clearly” behind the attack.

“I can’t say much more, as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified. But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems and it now appears systems of private companies and companies and governments across the world as well,” Pompeo said on “The Mark Levin Show.”

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,” he added.

Pompeo is the first major Trump administration official to attribute the hack directly to Russia, though the sophisticated large-scale attack has widely been presumed to be tied to the country.

Experts say the effort, which targeted third-party software contractor SolarWinds, blindsided the U.S. government. Numerous federal agencies, including the departments of Energy, Homeland Security, State and Treasury, were reportedly breached.

Pressed on any public response from President Trump to the hack, Pompeo suggested that “a wiser course of action to protect the American people is to calmly go about your business and defend freedom.”

While Trump has not weighed in on the attack, President-elect Joe Biden has vowed to “elevate” cybersecurity throughout government and “make dealing with this breach a top priority from the moment we take office.”

“Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation,” Biden said Thursday, adding his administration would impose “substantial costs” on anyone responsible for malicious attacks to deter such action.

Experts have described the SolarWinds attack as one of the most successful cyber intrusions in U.S. history, with hackers able to obtain access to systems going back as early as March.

SolarWinds counts among its clients numerous government agencies and Fortune 500 companies. As many as 18,000 clients downloaded compromised software from the company that delivered malware inserted by hackers.

FireEye, a top cybersecurity firm, revealed the hack earlier this month, saying its systems were penetrated by “a nation with top-tier offensive capabilities.”

Federal officials have said it will likely take weeks if not months to fully determine the scope of the attack.

Lawmakers have raised alarms and criticized Trump for not addressing the breach publicly.

“I think the White House needs to say something aggressive about what happened. This is almost as if you had a Russian bomber flying undetected over the country, including over the nation’s capital, and not to respond in a setting like that is really stunning,” Sen. Mitt Romney (R-Utah) said in an interview this week.

Lawmakers have urged Trump to take immediate action, including by signing the annual defense policy bill. The legislation includes a number of cybersecurity provisions, including one to reestablish the position of federal cyber czar and another to strengthen defensive measures against cyberattacks. Trump has threatened to veto the bill over an unrelated tech issue.

“One of the immediate steps the Administration can take to improve our cyber posture is signing the NDAA [National Defense Authorization Act] into law,” Senate Armed Services Committee Chairman James Inhofe (R-Okla.) and ranking member Jack Reed (D-R.I.) said in a joint statement on Thursday. “The NDAA is always ‘must-pass’ legislation – but this cyber incident makes it even more urgent that the bill become law without further delay.”

The Trump administration has set up a cyber coordination group composed of the Cybersecurity and Infrastructure Security Agency, the FBI and the Office of the Director of National Intelligence to respond to the hack, describing it as a “whole-of-government” effort.