
Crypto’s Rapid Move Into Banking Elicits Alarm in Washington

BlockFi, a fast-growing financial start-up whose headquarters in Jersey City are across the Hudson River from Wall Street, aspires to be the JPMorgan Chase of cryptocurrency.

It offers credit cards, loans and interest-generating accounts. But rather than dealing primarily in dollars, BlockFi operates in the rapidly expanding world of digital currencies, one of a new generation of institutions effectively creating an alternative banking system on the frontiers of technology.

“We are just at the beginning of this story,” said Flori Marquez, 30, a founder of BlockFi, which was created in 2017 and claims to have more than $10 billion in assets, 850 employees and more than 450,000 retail clients who can obtain loans in minutes, without credit checks.

But to state and federal regulators and some members of Congress, the entry of crypto into banking is cause for alarm. The technology is disrupting the world of financial services so quickly and unpredictably that regulators are far behind, potentially leaving consumers and financial markets vulnerable.

In recent months, top officials from the Federal Reserve and other banking regulators have urgently begun what they are calling a “crypto sprint” to try to catch up with the rapid changes and figure out how to curb the potential dangers from an emerging industry whose short history has been marked as much by high-stakes speculation as by technological advances.

In interviews and public statements, federal officials and state authorities are warning that the crypto financial services industry is in some cases vulnerable to hackers and fraud and reliant on risky innovations. Last month, the crypto platform PolyNetwork briefly lost $600 million of its customers’ assets to hackers, much of which was returned only after the site’s founders begged the thieves to relent.

“We need additional authorities to prevent transactions, products and platforms from falling between regulatory cracks,” Gary Gensler, the chairman of the Securities and Exchange Commission, wrote in August in a letter to Senator Elizabeth Warren, Democrat of Massachusetts, about the dangers of cryptocurrency products. “We also need more resources to protect investors in this growing and volatile sector.”

The S.E.C. has created a stand-alone office to coordinate investigations into cryptocurrency and other digital assets, and it has recruited academics with related expertise to help it track the fast-moving changes. Acknowledging that it could take at least a year to write rules or get legislation passed in Congress, regulators may issue interim guidance to set some expectations to exert control over the industry.

BlockFi has already been targeted by regulators in five states that have accused it of violating local securities laws.

Regulators’ worries reach to even more experimental offerings by outfits like PancakeSwap, whose “syrup pools” boast that users can earn up to 91 percent annual return on crypto deposits.

Treasury Secretary Janet L. Yellen and Jerome H. Powell, the chair of the Federal Reserve, have also voiced concerns, even as the Fed and other central banks study whether to issue digital currencies of their own.

Mr. Powell has pointed to the proliferation of so-called stablecoins, digital currencies whose value is typically pegged to the dollar and are frequently used in digital money transfers and other transactions like lending.

“We have a tradition in this country where, you know, where the public’s money is held in what is supposed to be a very safe asset,” Mr. Powell said during congressional testimony in July, adding, “That doesn’t exist really for stablecoins.”

The cryptocurrency banking frontier features a wide range of companies. At one end are those that operate on models similar to those of traditional consumer-oriented banks, like BlockFi or Kraken Bank, which has secured a special charter in Wyoming and hopes by the end of this year to take consumers’ cryptocurrency deposits — but without traditional Federal Deposit Insurance Corporation insurance.

On the more radical end is decentralized finance, or DeFi, which is more akin to Wall Street for cryptocurrency. Players include Compound, a company in San Francisco that operates completely outside the regulatory system. DeFi eliminates human intermediaries like brokers, bank clerks and traders, and instead uses algorithms to execute financial transactions, such as lending and borrowing.

“Crypto is the new shadow bank,” Ms. Warren said in an interview. “It provides many of the same services, but without the consumer protections or financial stability that back up the traditional system.”

“It’s like spinning straw into gold,” she added.

Lawmakers and regulators are worried that consumers are not always fully aware of the potential dangers of the new banklike crypto services and decentralized finance platforms. Crypto deposit accounts are not federally insured and holdings may not be guaranteed if markets go haywire.

People who borrow against their crypto could face liquidation of their holdings, sometimes in entirely automated markets that are unregulated.

BlockFi’s extraordinary growth — and the recent crackdown by state regulators — illustrates the fraught path of cryptocurrency financial services companies amid confusion about what they do.

BlockFi’s business is not dissimilar to that of a regular bank. It takes deposits of cryptocurrencies and pays interest on them. It makes loans in dollars to people who put up cryptocurrency as collateral. And it lends crypto to institutions that need it.

For consumers, the main allure of BlockFi is the chance to take loans in dollars up to half of the value of their crypto collateral, allowing customers to get cash without the tax hit of selling their digital assets, or to leverage the value of holdings to buy more cryptocurrency. The company also offers interest of up to 8 percent per year on crypto deposits, compared with a national average of 0.06 percent for savings deposits at banks in August.

How can BlockFi offer such a high rate? In addition to charging interest on the loans it makes to consumers, it lends cryptocurrency to institutions like Fidelity Investments or Susquehanna International Group that use those assets for quick and sometimes lucrative cryptocurrency arbitrage transactions, passing on high returns to customers. And because BlockFi is not officially a bank, it does not have the large costs associated with maintaining required capital reserves and following other banking regulations.

Also unlike a bank, BlockFi does not check credit scores, relying instead on the value of customers’ underlying crypto collateral. The company’s executives argue that the approach democratizes financial services, opening them to people without the traditional hallmarks of reliability — like good credit — but with digital assets.

The model has worked for BlockFi. It is hiring employees from London to Singapore, while prominent investors — like Bain Capital, Winklevoss Capital and Coinbase Ventures — have jumped in to fund its expansion. The company has raised at least $450 million in capital.

But to regulators, BlockFi’s offerings are worrying and perplexing — so much so that in California, where BlockFi first sought a lender’s license, officials initially advised it to instead apply for a pawnbroker license. Their reasoning was that customers seeking a loan from BlockFi hand over cryptocurrency holdings as collateral in the same way that a customer might give a pawnshop a watch in exchange for cash.

Ms. Marquez of BlockFi called the sheriff’s office in San Francisco about a pawnbroker license, only to be redirected again. “No, pawnbrokers’ licenses are only for physical goods,” she recounted being told. “And because crypto is a virtual asset, this license actually does not apply to you.”

Undeterred, she returned to the state’s banking regulators and persuaded them BlockFi qualified as a lender, albeit of a new variety. The company now has licenses in at least 28 states, which it uses for cryptocurrency deposits from its more than 450,000 clients — many of whom are outside the United States. In the first three months of this year, the value of crypto held in BlockFi interest-bearing accounts more than tripled to $14.7 billion from $4.4 billion, a jump driven in part by the rise in the price of Bitcoin and other cryptocurrencies.

As the company has expanded, regulators have become increasingly concerned. New Jersey’s attorney general sent it a “cease and desist” letter in July, saying it sells a financial product that requires a securities license, with all the associated obligations, including mandated disclosures.

“No one gets a free pass simply because they’re operating in the fast-evolving cryptocurrency market,” the acting attorney general, Andrew J. Bruck, said.

BlockFi does not adequately notify customers of risks associated with its use of their cryptocurrency deposits for borrowing pools, including the “creditworthiness of borrowers, the type and nature of transactions,” officials in Texas added in their own complaint, echoing allegations made by state officials in Alabama, Kentucky and Vermont.

Zac Prince, BlockFi’s chief executive, said that the company was complying with the law but that regulators did not fully understand its offerings. “Ultimately, we see this as an opportunity for BlockFi to help define the regulatory environment for our ecosystem,” he wrote in a note to customers.

The regulatory challenge is even greater when it comes to other emerging crypto finance developers in the world of DeFi, such as Compound, SushiSwap and Aave as well as PancakeSwap.

They are all essentially automated markets run by computer programs facilitating transactions without human intervention — the crypto-era version of trading floors. The idea is to eliminate intermediaries and bring together buyers and sellers on the blockchain, the technology behind cryptocurrency. The sites do not even collect users’ personal information.

Founders of those kinds of platforms argue that they are just building a “protocol” ultimately led by a community of users, with the computer code effectively running the show.

Robert Leshner, 37, started Compound in 2018 after spending a year in a tiny attic office sublet in the Mission district in San Francisco with five colleagues, experimenting with a computer program that would become part of the foundation of the DeFi movement.

Compound — backed by prominent crypto venture capitalists like Andreessen Horowitz and Coinbase Ventures — now has more than $20 billion in assets. Each of the nearly 300,000 “customers” is represented by a unique 42-character list of letters and numbers. But Compound does not know their names or even what country they are from.

Mr. Leshner and others who helped set up Compound own a large share of its self-issued cryptocurrency token — known as COMP — which has surged in value, making him worth, at least on paper, tens of millions of dollars.

Mr. Leshner has been startled by the rapid growth. “At every juncture, the speed at which decentralized finance has just, like, started to work, has caught myself and everybody off guard,” he said.

Industry executives say concerns about the safety and stability of digital assets are overblown, but federal financial regulators are still working to get a handle on the latest developments.

DeFi protocols largely rely upon stablecoins, cryptocurrencies that are ostensibly pegged to the United States dollar for a steady value but without guarantees that their value is adequately backed.

The overall market of stablecoins has ballooned to $117 billion as of early September from $3.3 billion in January 2019. That has regulators worried.

“These things are effectively treated by users as bank deposits,” said Lee Reiners, a former supervisor at the Federal Reserve Bank of New York. “But unlike actual deposits, they are not insured by F.D.I.C., and if account holders begin to have concerns that they cannot get money out, they might try and trigger a bank run.”

One option worth considering, Ms. Warren said, is to ban banks in the United States from holding cash deposits backing up stablecoins, which could effectively end the surging market. Another possibility that some say could undermine the entire crypto ecosystem is the creation of a government-issued digital dollar.

“You wouldn’t need stablecoins, you wouldn’t need cryptocurrencies if you had a digital U.S. currency,” Mr. Powell, the Fed chairman, said in July. “I think that’s one of the stronger arguments in its favor.”


Fauci Sounds Alarm Over Low Covid Vaccination Rates

Dr. Anthony S. Fauci warned on Sunday that the coronavirus pandemic in the US is now “going in the wrong direction” because too many Americans are still choosing not to vaccinate.

When asked on CNN’s “State of the Union” program about forecasts in recent statistical models that Covid-19 cases and deaths could increase in the coming months if vaccination rates do not increase, Dr. Fauci said, “It won’t be good.”

With around half of Americans not yet vaccinated and the rapidly spreading delta variant in circulation, Dr. Fauci and a number of current and former health officials on Sunday expressed their anger at the situation, strongly stressing that vaccination is the best and most effective way to stem the tide of Covid cases.

“It really is a pandemic among the unvaccinated,” said Dr. Fauci, adding, “It’s like you have two kinds of America. You have the very vulnerable unvaccinated part and you have the really relatively protected vaccinated part. If you are vaccinated, you belong to a completely different category than someone who is not vaccinated.”

The situation is so dire that in the past few days even some Republican governors in states with low vaccination rates have pointedly urged people to get a Covid vaccine.

On Sunday on CNN, Arkansas Governor Asa Hutchinson said that with the new school year approaching, this “is a pivotal moment in our race against the Covid virus,” adding that “what is holding us back is low vaccination rates.”

Governor Hutchinson, a Republican, said he recently held town halls, to which he attributed a 40 percent increase in vaccinations. Still, he added that some people’s resistance “has certainly hardened.” “It’s just wrong information,” he said. “They are myths.”

On CBS’s “Face the Nation,” Dr. Jerome Adams, who was surgeon general in the Trump administration, also urged vaccination and framed the decision in patriotic terms. “Get vaccinated because it will help every single American enjoy the freedoms we want to return to,” he said.

Dr. Adams said some people still have legitimate questions about vaccination, including workers who fear post-vaccination side effects could mean they miss a work day or a paycheck. He predicted that once the vaccines – currently available under emergency approval from the Food and Drug Administration – are fully approved, vaccination rates would rise. That will likely prompt the military and some companies to mandate vaccinations for service members and employees, he said.

In the meantime, Dr. Adams said, the message should be, “It is your choice, but choices have consequences for you and other people,” including children who are not old enough to be vaccinated and people who are medically vulnerable.

Several current and former officials discussed whether recommendations or mandates on wearing masks should be reintroduced.

Dr. Fauci said the Biden administration is considering revising its guidelines on mask wearing to make them stricter. In May, the Centers for Disease Control and Prevention loosened its guidelines, saying that fully vaccinated people are not required to wear a mask in most indoor spaces.

Dr. Adams said, “Those guidelines have frankly confused citizens, it has frustrated corporations and public health officials that I still hear from, and it has been a failure in every way.”

He said the CDC should clearly state that even vaccinated people should wear masks when in public, around people whose vaccination status is unclear, or in a community where Covid cases are on the rise.

“The CDC needs to give these companies, these health authorities, a little coverage by clarifying the guidelines that they have out there,” said Dr. Adams.


Alarm in U.K. Over Virus Variant Bolsters Case for Lockdown

LONDON – The UK’s disclosure on Friday that a new variant of the virus could be more deadly than the original caused a stir over why such alarming information was released when the evidence was so inconclusive. However, its effects are little discussed: it has silenced those who have called for life to return to normal soon.

The UK government is expected to announce in the coming days that it will extend and tighten the nationwide lockdown imposed by Prime Minister Boris Johnson this month. Schools can remain closed until Easter, while overseas travelers may need to be quarantined in hotels for 10 days.

For Mr Johnson, who has faced relentless pressure from members of his own Conservative Party to relax restrictions, the warning about the variant made a strong case that Britain may be in the middle of a serious new phase of the pandemic – and that relaxing restrictions now could be disastrous.

While scientists agree that the evidence of the variant’s greater lethality is tentative, inconclusive, and based on limited data, they said it nonetheless served the government’s purposes in the lockdown debate, in which Mr Johnson, often pulled between science and politics, has shown an aversion to tough steps.

“It is strange to make such an announcement, which has dire consequences and clearly affects the general public, without a full dataset and more thorough analysis,” said Lawrence Young, a virologist at Warwick Medical School. “I wonder if it was about reiterating the harsh message that the lockdown must be adhered to and increased border controls justified.”

Devi Sridhar, director of the global public health program at the University of Edinburgh, said, “These preliminary data show why waiver restrictions should be applied carefully and measuredly.”

The interests of scientists and government officials have not always been balanced in Britain’s fight against the pandemic. Tensions have increased when Mr Johnson reopened the economy as scientists warned of new infections.

During his briefing at Downing Street on Friday, Mr Johnson, as some noted, had no choice but to confirm concerns that the new variant hitting Britain could be not only more contagious but also more deadly. Hours earlier, a well-known epidemiologist, Neil Ferguson of Imperial College London, told a television journalist, Robert Peston, that a government scientific committee had concluded that there was a “realistic possibility” that the variant could be 30 percent more deadly than the original version of the coronavirus.

The Prime Minister’s initial announcement that the variant could be linked to higher death rates contained few details and did not make it clear how uncertain many experts were about the data. While government scientists later published a summary of studies setting out the possible effects of the variant, the number of deaths they analyzed was small and uncertainties about the data resulted in a wide range of estimates.

“We haven’t seen the evidence, which in itself is worrying,” said David King, a former chief scientific advisor to the government who was critical of Mr Johnson’s handling of the pandemic. “I would have simply welcomed the science with a preprint report.”

Dr. Ferguson himself has become something of a lightning rod during the pandemic. In March last year, his models predicted that the uncontrolled spread of the virus in the UK could cause up to 510,000 deaths. These numbers stunned Mr. Johnson and prompted him to impose the country’s first lockdown despite waiting a week to act.

At the time, some scientists criticized Dr. Ferguson on the grounds that he was too public and that his projections were exaggerated. They accused him of publishing inflated projections of death during previous epidemics. After pressing for repression, he was referred to by the British tabloids as “Professor Lockdown”.

Updated

Jan. 26, 2021, 4:31 p.m. ET

Dr. Ferguson later resigned from the government’s Scientific Advisory Group for Emergencies (SAGE) after admitting he breached lockdown rules by inviting a woman to his home.

As a member of a key SAGE committee, the Advisory Group on New and Emerging Respiratory Virus Threats, which released a report on the lethality of the variant on Friday evening, Dr. Ferguson played a leading role in raising the alarm about the new variant. And with the UK death toll nearing 100,000, his projections don’t look all that fantastic even after multiple lockdowns.

Government scientists defended the decision to publish the results in the interests of transparency. The disclosure reflected the rapidly changing thinking of infectious disease experts about the potential of mutations to change the path of the virus. Variants that were discovered earlier in the pandemic received little public attention.

Still, virologists said they were concerned about the lack of a strong theory about how or why the variant, first discovered in the UK, could lead to more people dying. Along with other concerns about the new data – the small number of deaths on which the results were based, and the fact that harrowing conditions in hospitals themselves could lead to higher death rates – the uncertainty about why the variant could be more dangerous was a reason to wait for more data, they said.

“You can see some mechanism by which the transmission rate would be a little higher,” said Ian Jones, professor of virology at the University of Reading. “But why that should lead to a higher death rate is not so easy to see.”

Mutations in the new variant make it easier for the virus to attach to human cells, which makes it even more contagious. Virologists said that the same trait could theoretically allow more cells to be infected than with older variants, which could lead to wider infection, which in turn could produce a more aggressive and potentially dangerous immune response.

With no laboratory data to suggest this could happen, scientists said it was far too early to understand the models that point to higher death rates.

Even the most reputable methods of studying the effects of the variant yielded a wide range of additional risk estimates, ranging from having virtually no effect on mortality to increasing the risk of death by 65 percent.

Nonetheless, the fact that so many models evaluated by government scientists suggested higher mortality rates has alarmed scientists.

“For now, overall, I’d say it’s likely valid,” said Paul Hunter, professor of medicine at the University of East Anglia. “I can’t believe that all of these different groups would have drawn the same conclusions and made the same mistakes in controlling possible biases. But it’s not beyond the possibilities.”

Even so, scientists said the new variant would not only reinforce the government’s case for not yet relaxing restrictions, but would also require the same policy measures as previous versions of the virus.

“What more can we do just because we know this is more deadly?” Professor Hunter said. “The answer is probably nothing.”


As Understanding of Russian Hacking Grows, So Does Alarm

On Election Day, General Paul M. Nakasone, the nation’s top cyberwarrior, reported that the battle against Russian interference in the presidential campaign had posted major successes and exposed the other side’s online weapons, tools and tradecraft.

“We’ve broadened our operations and feel very good where we’re at right now,” he told journalists.

Eight weeks later, General Nakasone and other American officials responsible for cybersecurity are now consumed by what they missed for at least nine months: a hacking, now believed to have affected upward of 250 federal agencies and businesses, that Russia aimed not at the election system but at the rest of the United States government and many large American corporations.

Three weeks after the intrusion came to light, American officials are still trying to understand whether what the Russians pulled off was simply an espionage operation inside the systems of the American bureaucracy or something more sinister, inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.

At a minimum it has set off alarms about the vulnerability of government and private sector networks in the United States to attack and raised questions about how and why the nation’s cyberdefenses failed so spectacularly.

Those questions have taken on particular urgency given that the breach was not detected by any of the government agencies that share responsibility for cyberdefense — the military’s Cyber Command and the National Security Agency, both of which are run by General Nakasone, and the Department of Homeland Security — but by a private cybersecurity company, FireEye.

“This is looking much, much worse than I first feared,” said Senator Mark Warner, Democrat of Virginia and the ranking member of the Senate Intelligence Committee. “The size of it keeps expanding. It’s clear the United States government missed it.”

“And if FireEye had not come forward,” he added, “I’m not sure we would be fully aware of it to this day.”

Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R. intelligence service revealed these points:

  • The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

  • The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.

  • “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.

  • The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the “supply chain” of software. In the private sector, too, companies that were focused on election security, like FireEye and Microsoft, are now revealing that they were breached as part of the larger supply chain attack.

  • SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.

  • Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.

The intentions behind the attack remain shrouded. But with a new administration taking office in three weeks, some analysts say the Russians may be trying to shake Washington’s confidence in the security of its communications and demonstrate their cyberarsenal to gain leverage against President-elect Joseph R. Biden Jr. before nuclear arms talks.

“We still don’t know what Russia’s strategic objectives were,” said Suzanne Spaulding, who was the senior cyberofficial at the Homeland Security Department during the Obama administration. “But we should be concerned that part of this may go beyond reconnaissance. Their goal may be to put themselves in a position to have leverage over the new administration, like holding a gun to our head to deter us from acting to counter Putin.”

The U.S. government was clearly the main focus of the attack, with the Treasury Department, the State Department, the Commerce Department, the Energy Department and parts of the Pentagon among the agencies confirmed to have been infiltrated. (The Defense Department insists the attacks on its systems were unsuccessful, though it has offered no evidence.)

But the hacking also breached large numbers of corporations, many of which have yet to step forward. SolarWinds is believed to be one of several supply chain vendors Russia used in the hacking. Microsoft, which had tallied 40 victims as of Dec. 17, initially said that it had not been breached, only to discover this week that it had been — and that resellers of its software had been, too. A previously unreported assessment by Amazon’s intelligence team found the number of victims may have been five times greater, though officials warn some of those may be double counted.

Publicly, officials have said they do not believe the hackers from Russia’s S.V.R. pierced classified systems containing sensitive communications and plans. But privately, officials say they still do not have a clear picture of what might have been stolen.

They said they worried about delicate but unclassified data the hackers might have taken from victims like the Federal Energy Regulatory Commission, including Black Start, the detailed technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout.

The plans would give Russia a hit list of systems to target to keep power from being restored in an attack like the one it pulled off in Ukraine in 2015, shutting off power for six hours in the dead of winter. Moscow long ago implanted malware in the American electric grid, and the United States has done the same to Russia as a deterrent.

One main focus of the investigation so far has been SolarWinds, the company based in Austin whose software updates the hackers compromised.

But the cybersecurity arm of the Department of Homeland Security concluded the hackers worked through other channels, too. And last week, CrowdStrike, another security company, revealed that it was also targeted, unsuccessfully, by the same hackers, but through a company that resells Microsoft software.

Because resellers are often entrusted to set up clients’ software, they — like SolarWinds — have broad access to Microsoft customers’ networks. As a result, they can be an ideal Trojan horse for Russia’s hackers. Intelligence officials have expressed anger that Microsoft did not detect the attack earlier; the company, which said Thursday that the hackers viewed its source code, has not disclosed which of its products were affected or for how long hackers were inside its network.

“They targeted the weakest points in the supply chain and through our most trusted relationships,” said Glenn Chisholm, a founder of Obsidian Security.

Interviews with current and former employees of SolarWinds suggest it was slow to make security a priority, even as its software was adopted by America’s premier cybersecurity company and federal agencies.

Employees say that under Mr. Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.

But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.

The company has said only that the manipulation of its software was the work of human hackers rather than of a computer program. It has not publicly addressed the possibility of an insider being involved in the breach.

None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.

Even with its software installed throughout federal networks, employees said SolarWinds tacked on security only in 2017, under threat of penalty from a new European privacy law. Only then, employees say, did SolarWinds hire its first chief information officer and install a vice president of “security architecture.”

Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.” After his basic recommendations were ignored, Mr. Thornton-Trump left the company.

SolarWinds declined to address questions about the adequacy of its security. In a statement, it said it was a “victim of a highly-sophisticated, complex and targeted cyberattack” and was collaborating closely with law enforcement, intelligence agencies and security experts to investigate.

But security experts note that it took days after the Russian attack was discovered before SolarWinds’ websites stopped offering clients compromised code.

Billions of dollars in cybersecurity budgets have flowed in recent years to offensive espionage and pre-emptive action programs, what General Nakasone calls the need to “defend forward” by hacking into adversaries’ networks to get an early look at their operations and to counteract them inside their own networks, before they can attack, if required.

But that approach, while hailed as a long-overdue strategy to pre-empt attacks, missed the Russian breach.

By staging their attacks from servers inside the United States, in some cases using computers in the same town or city as their victims, according to FireEye, the Russians took advantage of limits on the National Security Agency’s authority. Congress has not given the agency or homeland security any authority to enter or defend private sector networks. It was on these networks that S.V.R. operatives were less careful, leaving clues about their intrusions that FireEye was ultimately able to find.

By inserting themselves into SolarWinds’ Orion update and using custom tools, they also avoided tripping the alarms of the “Einstein” detection system that homeland security deployed across government agencies to catch known malware, and the so-called C.D.M. program that was explicitly devised to alert agencies to suspicious activity.

Some intelligence officials are questioning whether the government was so focused on election interference that it created openings elsewhere.

Intelligence agencies concluded months ago that Russia had determined it could not infiltrate enough election systems to affect the outcome of elections, and instead shifted its attention to deflecting ransomware attacks that could disenfranchise voters, and influence operations aimed at sowing discord, stoking doubt about the system’s integrity and changing voters’ minds.

The SolarWinds hacking, which began as early as October 2019, and the intrusion into Microsoft’s resellers, gave Russia a chance to attack the most vulnerable, least defended networks across multiple federal agencies.

General Nakasone declined to be interviewed. But a spokesman for the National Security Agency, Charles K. Stadtlander, said: “We don’t consider this as an ‘either/or’ trade-off. The actions, insights and new frameworks constructed during election security efforts have broad positive impacts for the cybersecurity posture of the nation and the U.S. government.”

In fact, the United States appears to have succeeded in persuading Russia that an attack aimed at changing votes would prompt a costly retaliation. But as the scale of the intrusion comes into focus, it is clear the American government failed to convince Russia there would be a comparable consequence to executing a broad hacking on federal government and corporate networks.

Intelligence officials say it could be months, years even, before they have a full understanding of the hacking.

Since the extraction of a top Kremlin informant in 2017, the C.I.A.’s knowledge of Russian operations has been diminished. And the S.V.R. has remained one of the world’s most capable intelligence services by avoiding electronic communications that could expose its secrets to the National Security Agency, intelligence officials say.

The best assessments of the S.V.R. have come from the Dutch. In 2014, hackers working for the Dutch General Intelligence and Security Service pierced the computers used by the group, watching them for at least a year, and at one point catching them on camera.

It was the Dutch who helped alert the White House and State Department to an S.V.R. hacking of their systems in 2014 and 2015, and last month, they caught and expelled from the Netherlands two S.V.R. operatives accused of infiltrating technology companies there. While the group is not known to be destructive, it is notoriously difficult to evict from computer systems it has infiltrated.

When the S.V.R. broke into the unclassified systems at the State Department and White House, Richard Ledgett, then the deputy director of the National Security Agency, said the agency engaged in the digital equivalent of “hand-to-hand combat.” At one point, the S.V.R. gained access to the NetWitness Investigator tool that investigators use to uproot Russian back doors, manipulating it in such a way that the hackers continued to evade detection.

Investigators said they would assume they had kicked out the S.V.R., only to discover the group had crawled in through another door.

Some security experts said that ridding so many sprawling federal agencies of the S.V.R. may be futile and that the only way forward may be to shut systems down and start anew. Others said doing so in the middle of a pandemic would be prohibitively expensive and time-consuming, and the new administration would have to work to identify and contain every compromised system before it could calibrate a response.

“The S.V.R. is deliberate, they are sophisticated, and they don’t have the same legal restraints as we do here in the West,” said Adam Darrah, a former government intelligence analyst who is now director of intelligence at Vigilante, a security firm.

Sanctions, indictments and other measures, he added, have failed to deter the S.V.R., which has shown it can adapt quickly.

“They are watching us very closely right now,” Mr. Darrah said. “And they will pivot accordingly.”