How the US Lost to Hackers

Three decades ago, the United States spawned, then cornered, the market for hackers, their tradecraft, and their tools. But over the past decade, its lead has been slipping, and those same hacks have come boomeranging back on us.

Yet no one in government has seriously paused to recalibrate the strategy. Not with Michelle Obama’s emails caught in an American contractor’s dragnet in 2015. And not today, with Russian hackers inside our government networks. We went from occasional wake-up calls to one continuous, blaring alarm — and got better and better at ignoring it all.

Months after Mr. Evenden returned home, in 2016, the N.S.A.’s own hacking tools were hacked, by a still unknown assailant. Those tools were picked up first by North Korea, then Russia, in the most destructive cyberattack in history.

Over the next three years, Iran emerged from a digital backwater into one of the most prolific cyber armies in the world. China, after a brief pause, is back to pillaging America’s intellectual property. And, we are now unwinding a Russian attack on our software supply chain that compromised the State Department, the Justice Department, the Treasury, the Centers for Disease Control, the Department of Energy and its nuclear labs and the Department of Homeland Security, the very agency charged with keeping Americans safe.

We know this not because of some heroic N.S.A. hack, or intelligence feat, but because the government was tipped off by a security company, FireEye, after it discovered the same Russian hackers in its own systems.

The hubris of American exceptionalism — a myth of global superiority laid bare in America’s pandemic death toll — is what got us here. We thought we could outsmart our enemies. More hacking, more offense, not better defense, was our answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second.