By James Rundle

Recent hacks that affected thousands of companies should prompt the U.S. to rethink how it responds to cyberattacks, the head of the country's top digital spy agency said Thursday before a Senate committee.

The U.S. has attributed attacks on SolarWinds Corp. discovered late last year to Russia, and Microsoft Corp. blamed Chinese hackers for attacks on its Exchange Server software. Both countries have denied responsibility. The attacks have affected at least tens of thousands of customers, and were detected by private-sector companies, not government agencies.

"This is a scope, a scale, a level of sophistication that we hadn't seen previously," said Gen. Paul Nakasone, the director of the National Security Agency, who also serves as the head of U.S. Cyber Command. "This isn't simply email phishing attempts -- this is the use of supply chains, or this is the use of vulnerabilities we hadn't seen before," Gen. Nakasone said at a hearing held by the Senate Armed Services Committee.

The incidents highlighted the difficulty of combating hackers, who can operate across borders, and are sometimes able to evade detection by using U.S. laws that govern when and where the military can be deployed, he said. Lawmakers have previously expressed concerns that such laws create a blind spot for cyber defenses.

The NSA, for instance, is only authorized to operate outside U.S. borders, whereas the Federal Bureau of Investigation and other agencies are responsible for cybersecurity law enforcement domestically. Foreign attackers are aware of this and use U.S.-based servers to launch attacks from inside the country, effectively bypassing the NSA, Gen. Nakasone said.

"It's not the fact that we can't connect the dots. We can't see all of the dots," he said.

Gen. Nakasone stopped short of calling for the NSA to be given the authority to surveil domestic networks when questioned directly by Sen. Mike Rounds (R., S.D.). He said that there are a number of ways to tackle the issues revealed by such sweeping and complex attacks, including enhanced cooperation with the private sector. The issue of surveillance, he said, carries both policy and legal concerns and was closely linked to the Fourth Amendment, which protects against unreasonable searches and seizures.

However, hackers are often able to move faster than authorities, who have to gain warrants and go through other procedures before acting, he said, which the attacks on SolarWinds and Microsoft proved.

"I think it's the clarion call for us to look at this differently," he said. "How do we ensure we have, as a nation, both the resiliency and the ability to act against these types of adversaries?"

Write to James Rundle at james.rundle@wsj.com

(END) Dow Jones Newswires

03-26-21 0544ET