The Washington PostDemocracy Dies in Darkness

Opinion Russia has not been deterred

Russian President Vladimir Putin listens to Belarusian President Alexander Lukashenko during their meeting in the Black Sea resort of Sochi, Russia, on Friday.
Russian President Vladimir Putin listens to Belarusian President Alexander Lukashenko during their meeting in the Black Sea resort of Sochi, Russia, on Friday. (Mikhail Klimentyev/AP)

RUSSIA IS not stopping. This is the only conclusion to draw from news that hackers linked to the country’s main intelligence service compromised an email system used by the U.S. Agency for International Development within the State Department. The attack targeted the computer networks of human rights groups and other organizations critical of President Vladimir Putin — and it continues even now.

Microsoft discovered and disclosed the breach on Thursday, identifying the culprit as the Nobelium group also responsible for the SolarWinds operation, which recently wormed its way into the innards of hundreds of companies and at least seven government agencies. President Biden last month announced the U.S. response to that incursion: levying some sanctions on Russian companies and individuals, expelling some diplomats and taking other “unseen” actions to deter further malfeasance. Many punches, however, were pulled — ostensibly to avoid escalation. Now it appears not only that Russia has not been deterred, but may itself have escalated.

Adding insult to injury, the latest salvo took advantage of the same weakness in the country’s cybersecurity as did SolarWinds: insufficient safeguards in critical supply chains that run from private enterprise up to the most sensitive public entities. In this case, widely employed email software from a company called Constant Contact was the way in. Spear-phishing messages were blasted out from USAID to more than 150 organizations and reached more than 3,000 accounts. These contained malicious code to let the hackers into recipients’ computer systems, where they could infect others on the network or make off with data. The emails were coming ever faster and ever more furious upon the effort’s discovery — designed, it seems, not to hurt the State Department but civil society, including groups that analyze Russian foreign policy and those that oppose the Kremlin.

One lesson from this mess should have been learned already, which is that sensitive digital supply chains must be shored up. The White House issued an executive order earlier this month to build baseline standards with which all commercial suppliers to the federal government must comply. That should provide some more protection, but efforts to hunt for threats and defeat what’s found must also improve.

Another lesson, however, remains: Mr. Putin will not respond to the traditional playbook of sanctions and expulsions by backing down, but rather by stepping up to the boundaries of Internet-age espionage and pushing them. Mr. Biden must make very clear what the United States is and is not willing to tolerate. He must also have a plan for how to respond when an adversary refuses to listen.

Read more:

The Post’s View: Russia’s massive hack demands a reckoning for U.S. cyber defenses

Fareed Zakaria: Russia hasn’t just hacked our computer systems. It’s hacked our minds.

Alex Stamos: Enough is enough. Here’s what we should do to defend against the next Russian cyberattacks.

David Ignatius: Russia’s SolarWinds hack was espionage, not an act of war

David Ignatius: How Russia and China are attempting to rewrite cyberworld order