Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing emails against American companies for intellectual property theft.
On Monday, the United States again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed U.S. officials a decade ago.
The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former American officials, shows that China has reorganized its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralized digital assaults of American companies and interests around the world.
Hacks that were conducted via sloppily worded spearphishing emails by units of the People’s Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security, according to U.S. officials and the indictment.
like Microsoft’s Exchange email service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.
“What we’ve seen over the past two or three years is an upleveling” by China, said George Kurtz, the chief executive of the cybersecurity firm CrowdStrike. “They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”
China has long been one of the biggest digital threats to the United States. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 U.S. intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.
But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks — including ransomware attacks — into a major diplomatic front with superpowers like Russia, and U.S. relations with China have steadily deteriorated over issues including trade and tech supremacy.
China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.
breach of the U.S. Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.
White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.
After President Donald J. Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, U.S. intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the Ministry of State Security, which handles China’s intelligence, security and secret police.
Hacks of intellectual property that benefited China’s economic plans originated not from the P.L.A. but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.
It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified U.S. National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”
announced a new policy requiring Chinese security researchers to notify the state within two days when they found security holes, such as the “zero-days” that the country relied on in the breach of Microsoft Exchange systems.
arrested its founder. Two years later, Chinese police announced that they would start enforcing laws banning the “unauthorized disclosure” of vulnerabilities. That same year, Chinese hackers, who were a regular presence at big Western hacking conventions, stopped showing up, on state orders.
“If they continue to maintain this level of access, with the control that they have, their intelligence community is going to benefit,” Mr. Kurtz said of China. “It’s an arms race in cyber.”
Prosecutors in Italy can try four Egyptian security agents on charges of kidnapping, torturing and murdering an Italian doctoral student whose brutalized body was found on the outskirts of Cairo in 2016, a judge in Rome ruled on Tuesday.
The agents from Egypt’s National Security Agency will be tried in absentia in the death of the student, Giulio Regeni, after the legal authorities in Rome were unable to talk to them or find their addresses in Egypt.
The judge, Pier Luigi Balestrieri, ruled that, given the attention paid to the case in the Italian and international media, it was impossible for the defendants to be unaware of the legal proceedings against them, and ordered a trial to start in October.
“It took us 64 months,” Alessandra Ballerini, the lawyer for Paola and Claudio Regeni, the parents of the murdered student, told reporters before leaving the court. “But today is a good finish line and a good starting point.”
“Paola and Claudio often say that all human rights were violated against Giulio,” Ms. Ballerini added. “Today we have hope that at least the right to justice won’t be violated.”
Maj. Madgi Ibrahim Abdelal Sharif, Maj. Gen. Tariq Sabir, Col. Athar Kamel Mohamed Ibrahim and Col. Uhsam Helmi are accused of the “aggravated kidnapping” of Mr. Regeni, who was researching labor unions in Cairo when he vanished, and could face up to 10 years in prison on that charge. Public defenders were automatically appointed for them in the Italian judicial system.
Maj. Sharif, who is also charged with “conspiracy to commit aggravated murder,” could also receive a life sentence. If the defendants are found guilty, Italian authorities could decide to seek their extradition from Egypt.
More than five years after the killing, the case still receives intense media coverage in Italy, and the Regeni family and their lawyer often speak at conferences on human rights and before student groups, and appear on national television in their campaign to seek the truth about the killing. Last week, they met with Prime Minister Mario Draghi.
Many Italian politicians have promised to help the Regenis in their quest for justice, but Egypt has in recent years stopped cooperating with investigators on the case, making extradition unlikely.
The inquiry in Rome is mostly based on evidence gathered in Cairo by the Italian police, or from their analysis of video footage from the subway station where Mr. Regeni disappeared and cellphone traffic in the area. A number of witnesses have come forward in recent months. Their nationalities and identities are being kept secret by Italian authorities to protect them.
According to court documents, one witness saw Mr. Regeni, 28, handcuffed and with evident signs of torture in an office of Egypt’s Interior Ministry; another overheard a confession that Maj. Sharif allegedly made to a colleague during a mission in Nairobi, Kenya.
A third said that a vendor who is believed to have betrayed Mr. Regeni and spied on him on behalf of the National Security Agency was aware that Mr. Regeni was taken to the agency’s offices, the documents say. A fourth said that the officials firmly believed that Mr. Regeni was a spy, finding it suspicious that he was doing his Ph.D. at Cambridge University in Britain.
On Chinese iPhones, Apple forbids apps about the Dalai Lama while hosting those from the Chinese paramilitary group accused of detaining and abusing Uyghurs, an ethnic minority group in China.
The company has also helped China spread its view of the world. Chinese iPhones censor the emoji of the Taiwanese flag, and their maps suggest Taiwan is part of China. For a time, simply typing the word “Taiwan” could make an iPhone crash, according to Patrick Wardle, a former hacker at the National Security Agency.
Sometimes, Mr. Shoemaker said, he was awakened in the middle of the night with demands from the Chinese government to remove an app. If the app appeared to mention the banned topics, he would remove it, but he would send more complicated cases to senior executives, including Mr. Cue and Mr. Schiller.
Apple resisted an order from the Chinese government in 2012 to remove The Times’s apps. But five years later, it ultimately did. Mr. Cook approved the decision, according to two people with knowledge of the matter who spoke on the condition of anonymity.
Apple recently began disclosing how often governments demand that it remove apps. In the two years ending June 2020, the most recent data available, Apple said it approved 91 percent of the Chinese government’s app-takedown requests, removing 1,217 apps.
In every other country combined over that period, Apple approved 40 percent of requests, removing 253 apps. Apple said that most of the apps it removed for the Chinese government were related to gambling or pornography or were operating without a government license, such as loan services and livestreaming apps.
Yet a Times analysis of Chinese app data suggests those disclosures represent a fraction of the apps that Apple has blocked in China. Since 2017, roughly 55,000 active apps have disappeared from Apple’s App Store in China, according to a Times analysis of data compiled by Sensor Tower, an app data firm. Most of those apps have remained available in other countries.
WASHINGTON — In early 2020, members of a Taliban-linked criminal network in Afghanistan detained in raids told interrogators that they had heard that Russians were offering money to reward killings of American and coalition troops.
The claim, that Russia was trying to pay to generate more frequent attacks on Western forces, was stunning, particularly because the United States was trying at the same time to negotiate a deal with the Taliban to end the long-running war in Afghanistan. C.I.A. analysts set out to see whether they could corroborate or debunk the detainees’ accounts.
Ultimately, newly declassified information shows, those analysts discovered a significant reason to believe the claim was accurate: Other members of the same Taliban-linked network had been working closely with operatives from a notorious unit of the G.R.U., the Russian military intelligence service, known for assassination operations.
“The involvement of this G.R.U. unit is consistent with Russia encouraging attacks against U.S. and coalition personnel in Afghanistan given its leading role in such lethal and destabilizing operations abroad,” the National Security Council said in a statement provided to The New York Times.
U.S. sanctions and other punishments against Russia. The White House took diplomatic action — delivering a warning and demanding an explanation for suspicious activities — about the bounty issue, but did not base sanctions on it. The Biden administration did impose sanctions for Russia’s SolarWinds hacking and election interference.
The Times had reported last summer that different intelligence agencies, while agreeing on the assessment itself, disagreed on whether to put medium or lower confidence in it. The evidence available to analysts — both alarming facts and frustrating gaps — essentially remains the same.
The release of the full talking points as a statement is the government’s most detailed public explanation yet about how the C.I.A. came to the judgment that Russia had most likely offered financial incentives to reward attacks on American and allied troops. It also sheds new light on the gaps in the evidence that raised greater concerns among other analysts.
not intercepted any smoking-gun electronic communication about a bounty plot. (The Defense Intelligence Agency shares that view, while the National Counterterrorism Center agrees with the C.I.A.’s “moderate” level, officials have said.)
But the statement reveals that despite that disagreement over how to rate the quality of available information underlying the core assessment, the intelligence community also had “high confidence” — meaning the judgment is based on high-quality information from multiple sources — in the key circumstantial evidence: Strong ties existed between Russian operatives and the Afghan network where the bounty claims arose.
“We have independently verified the ties of several individuals in this network to Russia,” the National Security Council statement said. It added, “Multiple sources have confirmed that elements of this criminal network worked for Russian intelligence for over a decade and traveled to Moscow in April 2019.”
The declassified statement also opened a window into American officials’ understanding of the Russian operatives, known as Unit 29155 of the G.R.U. The government has previously resisted talking openly about the group, although a Times investigation in 2019 linked it to various operations, citing Western security officials who spoke on the condition of anonymity.
By contrast, the National Security Council statement identified other “nefarious operations” around the world that the government thought the squad had carried out — to explain why the discovery of its involvement with the Afghan network was seen as bolstering the credibility of the detainees’ claims about Russian bounties.
the 2018 poisoning of a former G.R.U. officer, Sergei V. Skripal, in Salisbury, England, and of “assassinations across Europe.”
Unit 29155 was involved in two explosions at ammunition depots that killed two Czechs in 2014. He said the government would expel nearly 80 Russian diplomats.
Days later, the prosecutor general’s office in Bulgaria announced that it was investigating a possible connection between Unit 29155 and four explosions at ammunition depots over the past decade. At least two happened while members of the unit were frequently traveling in and out of Bulgaria, the office said.
Some of the destroyed arms in both countries, according to officials, belonged to Emilian Gebrev, a Bulgarian arms manufacturer who was poisoned in 2015 along with his son and an executive in his company. Officials have previously accused Unit 29155 in that attempted assassination.
While most previous reports about Unit 29155’s activities have centered in Europe, its leader, Maj. Gen. Andrei V. Averyanov, has experience in Central Asia. He graduated in 1988 from the Tashkent Military Academy in what was then the Soviet republic of Uzbekistan, a year before the Soviet pullout from bordering Afghanistan.
The government apparently did not declassify everything. The White House statement described but did not detail certain evidence, keeping its sources and methods of information-gathering secret. It did not specify the G.R.U. unit’s number, but officials have said it was Unit 29155, and the two prior operations the statement mentioned have been attributed to it elsewhere.
as a middleman for the Russian spies, and Habib Muradi. Both escaped capture and are said to have fled to Russia.
And it made no mention of other circumstantial evidence officials have previously described, like the discovery that money was transferred from a G.R.U. account to the Afghan network.
In an interview published April 30 in a Russian newspaper, Nikolai Patrushev, the chairman of Russia’s Security Council, again said it was false that Russia had covertly offered bounties for killing American troops in Afghanistan, adding that there was no evidence that it had done so.
The White House statement also brought into sharper focus two gaps in the available evidence that analysts saw as a reason to be cautious.
Military leaders have repeatedly pointed to one in public: The intelligence community lacks proof tying any specific attack to a bounty payment. “We cannot confirm that the operation resulted in any attacks on U.S. or coalition forces,” the National Security Council said.
The other reason for caution is an absence of information showing that a Kremlin leader authorized Unit 29155 to offer bounties to Afghan militants. “We do not have evidence that the Kremlin directed this operation,” the statement said.
The Biden administration’s briefing to reporters last month reignited a debate over the political implications of the C.I.A.’s assessment — and the Trump White House’s handling of it — that unfolded last year and dwelled in part on confidence levels.
reported last June on the existence of the C.I.A. assessment and that the White House had led an interagency effort to come up with options to respond but then authorized none.
Facing bipartisan criticism, the Trump administration defended its inaction by playing down the assessment as too weak to take seriously, falsely denying that it had been briefed to President Donald J. Trump. In fact, it had been included in his written presidential daily briefing in late February, two officials have said.
In congressional testimony, military leaders based in the United States who regularly interacted with the Trump White House said they would be outraged if it were true, but they had not seen proof that any attack resulted from bounties. But some military officials based in Afghanistan, as well as some other senior Pentagon and State Department officials, thought the C.I.A. was right, according to officials familiar with internal deliberations at the time.
Among those who found the evidence and analysis persuasive was Nathan Sales, the State Department’s politically appointed top counterterrorism official during the Trump administration.
“The reporting that Russia was placing bounties on American soldiers’ heads was so serious that it warranted a robust diplomatic response,” Mr. Sales said this week in an email.
A top Pentagon official and the secretary of state at the time, Mike Pompeo, later delivered warnings over the issue to their Russian counterparts, effectively breaking with the White House.
After the briefing last month, some Trump supporters — as well as some left-wing critics of the C.I.A. and military interventions — argued that the C.I.A.’s bounty assessment had been debunked as evidence-free “fake news,” vindicating Mr. Trump’s dismissal of the issue last year as a “hoax.” Russian propaganda outlets echoed and amplified those assertions.
Michael J. Morell, a former acting director of the C.I.A., said another factor had fostered confusion. When analysts assess something with low confidence, he said, that does not mean they think the conclusion is wrong. Rather, they are expressing greater concerns about the sourcing limitations, while still judging that the assessment is the best explanation of the available facts.
“A judgment at any confidence level is a judgment that the analysts believe to be true,” he said. “Even when you have a judgment that is low confidence, the analysts believe that judgment is correct. So in this case, the analysts believe that the Russians were offering bounties.”
Charlie Savage and Eric Schmitt reported from Washington, and Michael Schwirtz from New York. Julian E. Barnes contributed reporting from Washington.
WASHINGTON — The Biden administration warned the Kremlin on Thursday over the C.I.A.’s conclusion that Russia had covertly offered payments to militants to encourage more killings of American and coalition troops in Afghanistan, delivering the diplomatic admonition as it imposed sanctions on Moscow over its hacking and election interference.
But the administration stopped short of inflicting sanctions on any Russian officials over the suspected bounties, making clear that the available evidence about what happened — primarily what Afghan detainees told interrogators — continues to fall short of definitively proving that Russia paid money to reward attacks.
The intelligence community, a senior administration official told reporters, “assesses with low to moderate confidence that Russian intelligence officers sought to encourage Taliban attacks against U.S. and coalition personnel in Afghanistan in 2019, and perhaps earlier, including through financial incentives and compensation.”
The New York Times first reported last summer the existence of the C.I.A.’s assessment and that the National Security Council had led an interagency process to develop a range of response options — but that months had passed and the Trump White House had failed to authorize any response, not even a diplomatic protest.
financial transfers, and that the C.I.A. placed medium confidence in its conclusion.
But, it also reported, the National Security Agency — which is focused on electronic surveillance — placed lower confidence in the assessment, citing the lack of smoking-gun electronic intercepts. Analysts at two other agencies that were consulted, the National Counterterrorism Center and the Defense Intelligence Agency, were also said to split, with the former backing the C.I.A. and the latter the National Security Agency.
Former intelligence officials, including in testimony about the issue before Congress, have noted that it is rare in the murky world of intelligence to have courtroom levels of proof beyond a reasonable doubt about what an adversary is covertly doing.
The re-scrub of available evidence by President Biden’s administration had not uncovered anything new and significant enough to bring greater clarity to that muddied intelligence portrait, so the disagreement over confidence levels remained, an official familiar with internal deliberations said.
The Biden official’s explanation to reporters dovetailed with that account.
Intelligence agencies, the official explained, “have low to moderate confidence in this judgment in part because it relies on detainee reporting, and due to the challenging operating environment, in Afghanistan.”
fled to Russia — possibly while using a passport linked to a Russian spy agency.
As a result, the detainees who recounted to interrogators what they were told about the purported arrangement were not themselves in the room for conversations with Russian intelligence officials. Without an electronic intercept, either, there was a pattern of evidence that fit the C.I.A.’s assessment but no explicit eyewitness account of the interactions.
The Russian government has denied that it covertly offered or paid bounties to drive up attacks on American and coalition troops in Afghanistan.
The public disclosure of the C.I.A.’s assessment — and the White House’s months of inaction in response — prompted a bipartisan uproar in Congress. Defending the inaction, President Donald J. Trump labeled the reporting “a hoax” and his White House denied that he had been told about it, seeking to dismiss the intelligence assessment as too weak to be taken seriously.
In fact, it had been included in his written intelligence briefing in late February 2020 and disseminated more broadly to the intelligence community in early May.
But it was also true that analysts at the National Security Agency disagreed with the C.I.A. over how much confidence to place in the agency’s conclusion, based on the imperfect array of available evidence. The Trump administration played up that split.
In testimony before Congress about the issue, Michael J. Morell, a former acting C.I.A. director, disputed the White House’s suggestion that such an assessment had to be unanimously backed by intelligence agencies to be taken seriously.
In previous administrations, he said last July, if the intelligence community assessed such information at any level of confidence, officials would have told both the president and congressional leaders immediately about that judgment and any dissent. If the confidence level were low, he said, an administration would seek more information before acting, while a medium- or high-confidence assessment would most likely result in a response.
never raised the issue of the bounty intelligence in his conversations with President Vladimir V. Putin of Russia. But after the C.I.A.’s assessment became public, senior military and diplomatic officials, including the secretary of state at the time, Mike Pompeo, warned their counterparts after all.
“If the Russians are offering money to kill Americans or, for that matter, other Westerners as well, there will be an enormous price to pay. That’s what I shared with Foreign Minister Lavrov,” Mr. Pompeo said in August during a trip to the Czech Republic. “I know our military has talked to their senior leaders, as well. We won’t brook that. We won’t tolerate that.”
Still, in testimony before Congress and in other remarks, senior Pentagon officials — caught between not wanting to aggravate the White House and not wanting to appear indifferent about the safety of troops — said they would be outraged if the C.I.A. assessment was correct, but also had yet to see definitive proof.
“It is not closed because we never close investigations that involve threats or potential threats against U.S. forces,” Gen. Kenneth F. McKenzie Jr., the head of the Pentagon’s Central Command, said late last year when asked about the status of the inquiry. “We’re looking at it very hard.”
Mr. Biden attacked Mr. Trump for failing to do anything about the C.I.A. assessment, portraying it as part of a strange pattern of deference he said Mr. Trump had shown toward Russia. Mr. Biden mentioned the matter in his speech accepting the Democratic nomination and brought it up in his first call as president with Mr. Putin.
While the sanctions imposed on Thursday were based on alleged Russian misdeeds other than the suspected bounties, the senior administration official said the diplomatic action about the available information “puts a burden on the Russian government to explain its actions, and take steps to address this disturbing pattern of behavior.”
The official added, “We cannot and will not accept the targeting of our personnel like this.”
Julian E. Barnes and Eric Schmitt contributed reporting.
WASHINGTON — The Russian military buildup at the Ukraine border and in Crimea could provide enough forces for a limited military incursion, the C.I.A. director, William J. Burns, told senators on Wednesday as he and other senior officials outlined a range of threats facing the United States.
Russia could simply be sending a signal to the United States or trying to intimidate the Ukrainian government, but it had the abilities in place to do more, Mr. Burns told the Senate Intelligence Committee.
“That buildup has reached the point that it could provide the basis for a limited military incursion, as well,” Mr. Burns said. “It is something not only the United States but our allies have to take very seriously.”
Mr. Burns testified alongside Avril D. Haines, the director of national intelligence, and other officials about an array of threats from global powers like Russia and China as well as challenges that have been less of a focus of intelligence agencies in the past, including domestic extremism and climate change.
annual threat assessment report, released Tuesday ahead of the hearing, the intelligence community said that China’s push for global power posed a threat to the United States through its aggression in its region, its expansion of its surveillance abilities and its attempts to dominate technological advances.
Russia has also pushed for a sphere of influence that includes countries that were part of the Soviet Union, like Ukraine, the report said.
Both China and Russia, however, wanted to avoid direct confrontation with the United States, the report said.
Mr. Burns said the Russian actions have prompted internal briefings as well as consultations with allies. President Biden’s call on Tuesday to President Vladimir V. Putin of Russia was intended to “register very clearly the seriousness of our concern,” Mr. Burns said.
The United States has been tracking the Russian troops for some time, at least since late March. American officials have said privately that the Russians have done little to hide their troop buildup, unlike in 2014 when they first attacked Ukraine. That has convinced some, but not all, officials briefed on the intelligence that the Russian activities may be mostly for show.
penetrated nine federal agencies, and another by China that compromised Microsoft Exchange servers. The Biden administration is expected to respond to the Russian hacking soon, most likely with sanctions and other measures.
Ms. Haines said Russia used hackings to sow discord and threaten the United States and its allies. “Russia is becoming increasingly adept at leveraging its technological prowess to develop asymmetric options in both the military and cyberspheres in order to give itself the ability to push back and force the United States to accommodate its interests,” she said.
Lawmakers also raised the issue of a series of mysterious episodes that have injured diplomats and C.I.A. officers overseas. Some former officials believe Russia is behind the episodes, which they have called attacks.
Mr. Burns said he was working with his colleagues to ensure better medical care for C.I.A. officers. He also said he was working to “get to the bottom of the question of what caused these incidents and who might have been responsible.”
Questions on China dominated the earlier Senate confirmation hearings for Ms. Haines and Mr. Burns, and lawmakers again pressed on Wednesday for assessments on China and its efforts to steal American technology. Ms. Haines outlined how China uses technological might, economic influence and other levers of power to intimidate its neighbors.
“China is employing a comprehensive approach to demonstrate its growing strength and compel regional neighbors to acquiesce to Beijing’s preferences,” she told senators.
another recent intelligence report, on global trends, highlighted how the coronavirus pandemic and climate change, along with technological change, were testing “the resilience and adaptability” of society. The “looming disequilibrium,” she said, compels intelligence agencies to broaden their definition of national security.
But at least one lawmaker, Senator Richard M. Burr, Republican of North Carolina, also asked a more practical question: How many intelligence officers have received coronavirus vaccines?
Mr. Burns said 80 percent of the C.I.A. work force was fully vaccinated and another 10 percent have had their first shot. He said all C.I.A. officers serving overseas “have the vaccine available to them directly.”
Mr. Wray was unable to give an estimate of how many of his agents had received a shot, saying that the vaccination rates varied in field offices in different states. Ms. Haines said 86 percent of her work force had had at least one shot, with a “fair percentage” being fully vaccinated. General Nakasone also had no estimate but said a vaccination center had been set up at Fort Meade, Md., where the National Security Agency’s headquarters is.
Lawmakers have also been pressing intelligence agencies to help examine the problem of domestic extremism. Senator Mark Warner, Democrat of Virginia and the chairman of the intelligence committee, linked the rise of domestic extremism to the same trends promoting disinformation produced by Russia and others. And he said he wanted the intelligence chiefs to outline how they could help provide better warnings of potential violence like the Jan. 6 attack on the U.S. Capitol.
“go back to school.” Mr. Trump’s last director of national intelligence, John Ratcliffe, chose not to release a threat assessment or testify before Congress last year.
After revelations in 2013 by the former intelligence contractor Edward J. Snowden that set off a debate about government surveillance, American technology companies are wary of the appearance of sharing data with American intelligence agencies, even if that data is just warnings about malware. Google was stung by the revelation in the Snowden documents that the National Security Agency was intercepting data transmitted between its servers overseas. Several years later, under pressure from its employees, it ended its participation in Project Maven, a Pentagon effort to use artificial intelligence to make its drones more accurate.
Amazon, in contrast, has no such compunctions about sensitive government work: It runs the cloud server operations for the C.I.A. But when the Senate Intelligence Committee asked company officials to testify last month — alongside executives of FireEye, Microsoft and SolarWinds — about how the Russians exploited systems on American soil to launch their attacks, they declined to attend.
Companies say that before they share reporting on vulnerabilities, they would need strong legal liability protections.
The most politically palatable headquarters for such a clearinghouse — avoiding the legal and civil liberties concerns of using the National Security Agency — would be the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Mr. Gerstell described the idea as “automated computer sensors and artificial intelligence acting on information as it comes in and instantaneously spitting it back out.”
The department’s existing “Einstein” system, which is supposed to monitor intrusions and potential attacks on federal agencies, never saw the Russian attack underway — even though it hit nine federal departments and agencies. The F.B.I., lawmakers say, does not have broad monitoring capabilities, and its focus is divided across other forms of crime, counterterrorism and now domestic extremism threats.
“I don’t want the intelligence agencies spying on Americans, but that leaves the F.B.I. as the de facto domestic intelligence agency to deal with these kinds of attacks,” said Senator Angus King, a Maine independent, member of the Senate Intelligence Committee and co-chairman of the cyberspace commission. “I’m just not sure they’re set up for this.”
There are other hurdles. The process of getting a search warrant is too cumbersome for tracking nation-state cyberattacks, Mr. Gerstell said. “Someone’s got to be able to take that information from the N.S.A. and instantly go take a look at that computer,” he said. “But the F.B.I. needs a warrant to do that, and that takes time by which point the adversary has escaped.”