The revelation that foreign governments are launching cyberattacks using servers in the U.S. in an apparent attempt to avoid detection by the National Security Agency (NSA) has many lawmakers and security experts concerned, The Wall Street Journal reported on Wednesday.
An attack on Microsoft's Exchange software, apparently by China-based hackers and revealed by Microsoft last week, affected at least tens of thousands of customers and was carried out using U.S.-based computers from at least four service providers, according to an analysis by the threat intelligence company DomainTools LLC.
In addition, suspected Russian hackers a few months ago penetrated U.S. government and corporate networks by using American-based cloud services to support crucial stages of their attack, which leveraged a hack at SolarWinds.
“The combination of these two attacks [which the NSA did not detect] definitely has pushed us to a tipping point in terms of the policy makers and the executive branch recognizing now that we need to do something,” said Glenn Gerstell, former general counsel at the NSA, which is America’s principal cyberintelligence organization.
The NSA has extensive surveillance powers, but is generally forbidden from using them to collect intelligence on domestic targets, including computer servers inside the U.S. maintained by American firms, according to the Journal.
Microsoft President Brad Smith said at a Senate hearing last week that the method in the SolarWinds attack appealed to the Russians because it enabled them to circumvent U.S. intelligence collection.
In a similar argument regarding the Exchange hack, Microsoft Corporate Vice President for Customer Security Tom Burt said that those carrying out the attack “knew that by operating from servers in the United States, it could evade some of the U.S. government’s best threat hunters.”
Security experts said Microsoft was caught in the middle of both attacks because it is a major software provider to the U.S. government and large corporate clients and because its products are ubiquitous.
Lawmakers from both parties have been searching for methods to increase U.S. cyber defenses, including reviving a suggestion to create a national data-breach notification law that is often stalled due to privacy advocates, who have worried that new powers would lead to abuses.
“The government already has the authority to watch every bit of data going in and out of federal networks,” said Oregon’s Democratic Sen. Ron Wyden. “Some in the government now want to ask for new, warrantless surveillance of Americans’ communications to distract Congress from asking unpleasant questions.”
However, that view has detractors, with the NSA’s Gerstell saying that “It can’t possibly be the case that the Fourth Amendment ties our hands in such a way that we just have to sit there and watch the Chinese romp through our infrastructure.”
Gerstell said it was unlikely that Congress would ever give such authority directly to the NSA, but that an alternate plan involving a different agency could be possible.
A committee aide said that the Senate Intelligence Committee is scheduled this week to receive separate briefings on the Microsoft Exchange hack from the Biden administration and Microsoft,