Punitive Response to SolarWinds Would Be Misplaced, But Cyber Deterrence Still Matters
In a recent Russia Matters article, Paul Kolbe argues that the United States should respond to the SolarWinds breach by focusing on improving defenses, rather than on conducting a retaliatory response such as some government officials have been advocating. Kolbe claims that prior U.S. responses to Russian cyber behavior—which have involved imposing sanctions, issuing indictments or conducting cyber operations—have failed to deter Russian operations or meaningfully change Moscow’s calculus.
Kolbe is right that, when it comes to SolarWinds, it is unlikely that retaliatory measures aiming to impose costs against Russia (inside or outside of cyberspace) will work to shift the Russian government’s risk-benefit assessment—but he’s right for the wrong reasons. It is also important to note that Russia continues to deny responsibility for the SolarWinds incident. Regardless, a punitive response to SolarWinds is unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.
Espionage, whether it is conducted using cyber means or other forms of intelligence collection, is a tacitly accepted practice between states. That said, the United States has attempted to draw a distinction between cyber espionage conducted for national security purposes (such as obtaining private information about policymaking or U.S. strategy) and cyber espionage conducted for economic advantage (such as cyber-enabled intellectual property theft). Specifically, it largely defines the former as regrettable but part of the unwritten rules of the game, while it deems the latter unacceptable. This distinction has been particularly important for how the United States has sought to address Chinese behavior in cyberspace, which has included a combination of diplomatic outreach and attempts to establish norms against economic espionage, such as the 2015 agreement struck between presidents Obama and Xi, as well as retaliatory measures pursued during the Trump administration, such as tariffs, export controls and economic sanctions.
Why does any of this matter? Quite simply, states do not—and should not—attempt to deter espionage because spying is a routine aspect of strategic interaction in the international system. Deterrence entails a credible threat to inflict punishment on an adversary for, or deny their ability to engage in, some as yet untaken action. In other words, deterrence strategies aim to prevent something from taking place through manipulating the target’s perception of the overall balance of the costs, benefits and risks of doing so. However, when it comes to espionage, because all states routinely spy on one another, threatening some retaliatory response to an uncovered espionage operation makes little sense. Rather, deterrence is meant to apply to behavior that is beyond the bounds of routine aspects of statecraft—like attacking another state. However, this does not mean that states should refrain from taking steps to make espionage more difficult, or to better protect national security information from falling into the wrong hands.
While the United States is still ascertaining the full scope of the breach and assessing the extent of the damage, the available evidence indicates that the SolarWinds operation is an example of cyber espionage conducted for national security purposes. It appears that, while the Russian-affiliated threat actors compromised a significant number of federal and private sector networks, data was exfiltrated from a limited number of targets and appears to have been motivated by national security objectives. Hence, while this compromise represents a momentous intelligence failure—one with significant strategic implications—at this point it does not constitute a cyberattack. Cyberattacks are distinct from intelligence operations because they generate effects against a targeted network or system, such as those that disrupt, deny or degrade. Therefore, in this case, a deterrence approach grounded in retaliation is mismatched to the nature of the strategic challenge. In this sense, Kolbe is correct that investing in improving defenses and intelligence sharing should be the primary focus of the government’s effort—as well as improving counterintelligence and strategic warning capabilities.
That said, sometimes states do respond to an adversary’s espionage operation with more significant retaliatory measures. When this occurs, it is typically because the state is signaling that the particular form of espionage that took place goes beyond what it finds to be acceptable. Norms of acceptable espionage behavior are not written down or clearly defined in any public agreements or treaties. Instead, the accumulation of state practice helps shape the implicit, informal norms about what forms of espionage will be tolerated.
This raises the question of whether the United States wants to define future cyber operations that are similar to SolarWinds as forms of acceptable espionage or not. Some policymakers argue that the scope and scale of the SolarWinds compromise places it in a different category and that, while cyber espionage is to be expected, large-scale compromises of the information and communications technology supply chain are unacceptable. In this case, retaliatory measures that go beyond typical responses could help communicate how the United States defines different types of cyber espionage. However, if the United States seeks to promote a norm against supply-chain compromises, for the norm to be meaningful Washington must also be willing to hold itself to the same standard.
Furthermore, while a deterrence framework may be inappropriate for cyber espionage, there are other types of cyber behavior where deterrence—which rests on the threat of retaliation—remains relevant. These include cyberattacks that have disruptive or destructive effects. In fact, in the United States, cyber deterrence largely appears to be working. Despite policymakers repeatedly sounding the alarm about the risks of a “Cyber Pearl Harbor” or a “Cyber 9/11,” the reality is that the United States has not yet suffered a major cyberattack. This is arguably because the United States retains credible, full-spectrum response options for cyberattacks that it sees as falling above a use-of-force threshold.
Instead, the trickier deterrence challenge rests not at the level of cyber espionage (where deterrence does not apply) or strategic cyberattacks (where deterrence seems to have been successful), but rather in the middle band of that spectrum. Examples of these types of cyberattacks include Iran’s sustained distributed denial of service attacks against the U.S. financial sector, known as Operation Ababil, in 2012-2013, or Russia’s “active measures” campaign to interfere in the 2016 U.S. presidential election. The United States is still struggling with how to reduce the magnitude and frequency of cyberattacks that have national security and economic consequences, but do not rise to a level of violence or significance where more robust retaliatory options would be relevant. Rather than prioritizing either offense or defense in the cyber domain, the United States needs to first do a better job of clarifying different categories of behavior in cyberspace and figuring out the optimal mix of offensive and defensive investments to address these at different thresholds.
Erica D. Borghard
Erica D. Borghard is a senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council. She also serves as a senior director on the U.S. Cyberspace Solarium Commission.
Photo by Christiaan Colen shared under a Creative Commons license. The opinions expressed herein are solely those of the author.