THE DISCLOSURE from software vendor SolarWinds that “fewer than 18,000 customers” were compromised by a Russian hack announced this week was apparently meant to be reassuring — a sign of just how big and just how bad this attack is. Responsible officials must explain how it happened, as well as how they plan to prevent such a thing from happening again.

Several federal agencies are already confirmed victims of the digital spying campaign carried out by Vladimir Putin’s government, which denies the incursion. That includes the Departments of Defense, State, Homeland Security, Treasury and Commerce, as well as the National Institutes of Health. This is only the worst we are aware of so far: SolarWinds services 300,000 clients, and the state hackers known as APT29 or Cozy Bear, who wormed their way in by disguising the incursion in otherwise legitimate software updates, may have unfettered access to as many of their systems as it wishes.

Damage control to contain the attack and to rebuild networks now that they’re infiltrated is essential. Yet it’s also essential to hold accountable those who were supposed to protect those networks, and who failed. The Stanford Internet Observatory’s Alex Stamos recommended in a Post commentary the creation of an investigative board that tracks attacks, learns lessons and issues public recommendations. It’s a good idea that could improve how third-party vendors are vetted nationwide, especially by federal agencies that have done a poor job managing their supply chains. But the questions for the government here are also bigger.

Why did the multibillion-dollar detection tool, called Einstein, fail to catch the perpetrators in the act — even after a 2018 Government Accountability Office report suggested that the technology needed to evolve to catch novel malware? Why, despite this administration’s touting of its intention to “defend forward” through a newly unified Cyber Command, were the Russians able to carry out so massive a strike? The answer may be that plain old defending deserves greater attention, a problem that could be mitigated by investing more heavily in self-protection, elevating information security experts and reducing reliance on commercial software used by hundreds of thousands of others.

We don’t know what the hackers are planning to do with whatever information they’ve gained. We may not know for years to come. This could be a matter of traditional espionage: extracting secrets to aid the Kremlin in understanding the upper echelons of U.S. power. Or it could be something more, with capabilities crippled or data manipulated in a manner that could harm even civilians. The message to our adversaries must be that there are lines the United States won’t permit them to cross — and that now we are watching.

Read more: