Analysis: How Russian hackers were able to access DHS secretary’s email

In January, the U.S. government confirmed that federal agencies had been targeted by a massive hack, widely known as SolarWinds.

The Associated Press now says, “Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of Homeland Security and members of cybersecurity staff whose jobs included hunting threats from foreign countries.”

The key question is how that happens to an agency so critical to U.S. national security.

A DHS spokesperson told WTOP in a statement, “This widespread intrusion campaign has again shown that our strategic adversaries are sophisticated, persistent, and have increasing capabilities.”

A U.S. official with deep knowledge of DHS internal security matters during the previous administration said there were two problems: a lack of interest in, and understanding of, certain strands of intelligence, and an inability to keep up with threats.

Lack of interest driven by political pressure

Instability roiled the agency for years.

From 2017 to 2021, seven DHS secretaries, confirmed or acting, served the Trump administration. Their tenures ranged from one year and 159 days to just nine days. That is more secretaries than every other administration combined has had since the department was created in 2002.

Unofficial and often implied mandates from top Trump administration officials to downplay anything negative related to Russia allegedly drove the lack of interest, according to the official.

As a result, “several key intelligence officials did not regularly take intelligence briefings on the issues relevant to Russian hacking,” the official said.

In addition to political pressure, the official said, “Concerns about career stability often impeded initiatives that might have deterred attacks by nation-state adversaries.”

Outdated technology and approach

According to the Cybersecurity and Infrastructure Security Agency (CISA), a key tool in detecting cyber threats is the Einstein system. It serves two key roles.

According to the CISA website, “First, Einstein detects and blocks cyberattacks from compromising federal agencies. Second, Einstein provides CISA with the situational awareness to use threat information detected in one agency to protect the rest of the government and to help the private sector protect itself.”

However, numerous officials have said publicly that Einstein, even though it is thought of as cutting edge, is not effective.

Here’s why.

The system helps the nation's network defenders build a perimeter filter against known threat actors. Those actors are usually tracked by the Internet Protocol (IP) addresses of the infrastructure they have been seen using.

The problem, according to the source, is that top nation-state actors, such as Russian and Chinese services, never reuse those IP addresses. Traffic to fresh infrastructure matches no known indicator, so it passes the very system designed to detect it.
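The following is an added example, not code from the article and not a description of Einstein's internals, which are not public. It models only the property the article describes, a perimeter filter keyed on IP addresses of known threat infrastructure, and runs it over a constructed connection log to show what such a filter catches and what it misses. The indicator list, the netblock list and every log line are constructed for the demonstration (all addresses are from the RFC 5737 documentation ranges or other non-attributable space); the netblock matching is an assumed practitioner refinement, not something the article attributes to Einstein.

```python
"""
Indicator matching on a constructed connection log.

Added example: models an IP-keyed perimeter filter of the kind the
article describes, then shows the two ways an adversary who never reuses
IP addresses slips past it.  Everything below (indicators, netblocks,
log lines) is constructed for the demonstration.
"""
import ipaddress

# Constructed exact-IP indicator list: the feed an IP-keyed filter consumes.
KNOWN_BAD_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.5"}

# Assumed refinement: netblocks the actor has used before.  Matching on the
# block rather than the host catches a fresh IP in an already-known range.
KNOWN_BAD_NETBLOCKS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed log: "<timestamp> <src_ip> -> <dst_ip>:<port> <bytes_out>"
SAMPLE_LOG = """\
2020-12-13T03:14:07Z 10.20.30.40 -> 203.0.113.10:443 1532
2020-12-13T03:15:12Z 10.20.30.41 -> 198.51.100.5:443 880
2020-12-13T03:16:01Z 10.20.30.42 -> 203.0.113.57:443 1490
2020-12-13T03:17:45Z 10.20.30.42 -> 192.0.2.200:443 1503
2020-12-13T03:18:09Z 10.20.30.43 -> 93.184.216.34:443 2210
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def match_exact(records, bad_ips):
    """Exact-IP matching: the only thing a pure indicator block list catches."""
    return [r for r in records if r["dst"] in bad_ips]


def match_netblocks(records, netblocks):
    """Broader matching on previously seen netblocks (assumed refinement)."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    return [r for r in records
            if any(ipaddress.ip_address(r["dst"]) in n for n in nets)]


def unmatched(records, matched):
    """Records no indicator touched: fresh adversary infrastructure is
    indistinguishable here from ordinary benign traffic."""
    hit = {id(r) for r in matched}
    return [r for r in records if id(r) not in hit]


def coverage_report(text=SAMPLE_LOG):
    """Summarise what each matching strategy catches and what slips through."""
    records = parse_log(text)
    exact = match_exact(records, KNOWN_BAD_IPS)
    blocks = match_netblocks(records, KNOWN_BAD_NETBLOCKS)
    return {
        "total": len(records),
        "exact_hits": [r["dst"] for r in exact],
        "netblock_hits": [r["dst"] for r in blocks],
        "unmatched_by_netblocks": [r["dst"] for r in unmatched(records, blocks)],
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

In the constructed log the third connection goes to a never-seen host inside a known range, which the exact list misses and the netblock list catches; the fourth goes to entirely fresh infrastructure, which neither strategy flags, and in the report it sits beside the benign fifth connection with nothing to separate the two. That last pair is the article's point in miniature: once an actor stops reusing infrastructure, an IP-keyed filter has no indicator to fire on and the traffic looks like everything else.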

The DHS spokesperson said, “As we consider lessons learned, we have identified a number of steps we must take to modernize federal cybersecurity defenses and build back better. We have shared these lessons learned with the White House and other agencies, so that they can be fully integrated into cybersecurity modernization efforts.”

The Einstein system cost approximately $5.7 billion, but according to some national security sources, it was never intended to do, all by itself, what some expect it to do.

It is supposed to work with components deployed by other U.S. national security agencies.

However, there are concerns that some of those agencies may not want to expose what they know about certain cyber threats because then the actors behind them might disappear, eliminating their ability to be tracked.



J.J. Green

JJ Green is the National Security Correspondent at WTOP radio. He reports daily on international security, intelligence, foreign policy, terrorism and cyber developments and provides regular on-air analysis.


© 2021 WTOP. All Rights Reserved. This website is not intended for users located within the European Economic Area.
