A Trump administration official tells Axios that the cyberattack on the U.S. government and corporate America, apparently by Russia, is looking worse by the day — and secrets may still be being stolen in ways not yet discovered.
The big picture: "We still don't know the bottom of the well," the official said. Stunningly, the breach goes back to at least March, and continued all through the election. The U.S. government didn't sound the alarm until this Sunday. Damage assessment could take months.
Microsoft President Brad Smith told the N.Y. Times that at least 40 companies, government agencies and think tanks had been infiltrated.
8 countries: Microsoft, which has helped respond to the breach, said in a statement that 80% of its 40 customers known to have been targeted are in the U.S., plus others in U.K., Israel, UAE, Canada, Mexico, Belgium and Spain.
In unusually vivid language for a bureaucracy, the U.S. Cybersecurity and Infrastructure Security Agency, part of Homeland Security, said yesterday that the intruder "demonstrated sophistication and complex tradecraft."
The agency said the breach "poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations."
If this had been a physical attack on America's secrets, we could be at war.
Sen. Chris Coons (D-Del.) told Andrea Mitchell on MSNBC: "It's pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war. ... [T]his is as destructive and broad scale an engagement with our military systems, our intelligence systems as has happened in my lifetime."
The gravity wasn't immediately apparent because this wasn't the "cyber Pearl Harbor" that experts have warned about: No one took out a power grid, or stole a bunch of money or destabilized the markets.
What's next: President Trump has stayed silent on the hack, meaning that President-elect Biden's overflowing in-box now includes Russian reprisal, damage mitigation and future deterrence.
Promising to impose "substantial costs" on the perpetrator, Biden said in a statement that his administration "will make cybersecurity a top priority": "I will not stand idly by in the face of cyber assaults on our nation."