Debate: How Should the US Respond to the SolarWinds Breach?
In December 2020, Reuters first reported that hackers suspected to be working for Russia had been monitoring emails at U.S. federal agencies. While there are still few details as to the scope, scale and impact of the hack, what is known is that multiple U.S. federal agencies and dozens of private-sector companies were compromised through malware attached to a software update received by nearly 18,000 customers of Texas-based company SolarWinds. The massive, months-long cyber operation has garnered widespread calls for retribution, with some U.S. politicians going so far as to call it an act of war. As of publication of this debate, Russia continues to deny responsibility for the breach. So how should the U.S. respond to this extensive hack? We've asked three experts to weigh in on the issue.
In the opening entry, the Belfer Center's Paul Kolbe writes that while a natural inclination is to strike back at Russia, such responses have been tried in the past with little to show for it. A carefully calibrated shot across the bow is appropriate in response to SolarWinds, according to Kolbe, but such responses will not stop cyber espionage or assaults. Russia is but one wolf in a growing pack of cyber predators, he writes, and the U.S. is simply too fat and easy a target.
Erica D. Borghard, a senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council and a senior director on the U.S. Cyberspace Solarium Commission, argues that while Kolbe is right in saying that retaliatory measures aiming to impose costs against Russia are unlikely to shift the Russian government’s risk-benefit assessment, he’s right for the wrong reasons. The pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is not a fool’s errand, Borghard writes, and deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.
Finally, Anatol Lieven, a professor at Georgetown University in Qatar and a senior fellow of the Quincy Institute for Responsible Statecraft in Washington D.C., writes that Kolbe and Borghard are both correct in warning of the need for distinguishing between cyber espionage and cyber sabotage or terrorism. Lieven adds, however, that to be effective in constraining behavior, limiting disputes and maintaining peace, shared international conventions are necessary. Few things have been more damaging to U.S. and European hopes of a “rules-based global order,” according to Lieven, than the perception that the U.S. both makes the rules and breaks them whenever it sees fit, including in cyberspace.
According to U.S. officials, Russia is the likely perpetrator of the SolarWinds cyber compromise of federal agencies, private sector firms, NGOs and academic institutions. The scale and impact brought accusations of a reckless and indiscriminate operation. Some politicians labeled this an act of war, while other commentators dismissed the SolarWinds compromise as espionage. Calls for retribution were widespread.
We know few details about the breadth, depth and impact of the SolarWinds cyber operation, though the scale was clearly massive with over 18,000 SolarWinds customers uploading malware-laden tools. But we do not know which companies and agencies have been affected, what information was compromised or whether damage occurred to any information systems. This lack of public disclosure likely represents caution in revealing what is known and not known, but also signals the difficulty of assessing just how bad we’ve been had.
So how should the U.S. respond?
A natural inclination will be to strike back in order to modify future Russian behavior and to introduce stronger cyber deterrence for other potential actors. Responses might include declaring Russian intelligence personnel persona non grata, indictment of perpetrators, targeted sanctions and execution of similar operations against select Russian systems. The aim would not just be punishment, but to change the risk-gain calculation for Russia, and others, when considering new cyber operations.
In a recent Russia Matters article, Paul Kolbe argues that the United States should respond to the SolarWinds breach by focusing on improving defenses, rather than on conducting a retaliatory response such as some government officials have been advocating. Kolbe claims that prior U.S. responses to Russian cyber behavior—which have involved imposing sanctions, issuing indictments or conducting cyber operations—have failed to deter Russian operations or meaningfully change Moscow’s calculus.
Kolbe is right that, when it comes to SolarWinds, it is unlikely that retaliatory measures aiming to impose costs against Russia (inside or outside of cyberspace) will work to shift the Russian government’s risk-benefit assessment—but he’s right for the wrong reasons. It is also important to note that Russia continues to deny responsibility for the SolarWinds incident. Regardless, a punitive response to SolarWinds is unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.
Paul Kolbe is entirely correct in reminding us that there is a great deal we still do not know about the SolarWinds hack. Russian official responsibility does seem probable, but it is not absolutely proven. The strongest statement that the U.S. agencies concerned have come up with is that the hack was “likely Russian in origin.”
Kolbe’s article and Erica Borghard’s response are also very valuable for their warning of the need to distinguish between cyber espionage and cyber sabotage or terrorism, as this crucial distinction has been blurred by the loose and lazy term “cyber attack,” as well as by the hysterical response to the SolarWinds hack by some U.S. politicians, with their very dangerous talk of an “act of war” (on which I have written previously here and here).
I would however like to point out in response to Borghard that Russia’s denial of responsibility is absolutely normal in espionage operations, even when these have been unquestionably revealed. In 2006, the British government denied Russian allegations of a British spying operation in Moscow using a device hidden in a fake rock, though after a few years a former British official admitted that the story was entirely true. The difference in the case of cyber operations is that (with all due allowance for freelances and double agents) conventional espionage has been the monopoly of states. On the internet, there are vastly more opportunities for independent actors, seeking personal gain or mere amusement. Most teenage hackers in the U.S. are not working for the CIA.
US SolarWinds Response Unlikely to Change Russia’s Behavior, Highlights Need for Improved Cyber Defense
The United States has unveiled its overt response to Russia’s SolarWinds cyber operation—the expulsion of 10 Russian Embassy personnel from Washington, along with new sanctions on Russian sovereign debt and on Russian IT firms that support Moscow’s cyber intelligence operations. An “unseen” response promised by national security adviser Jake Sullivan, presumably cyber operations against Russian intelligence networks, has yet to publicly manifest. In response, Russia has denounced the “illegal” sanctions and predictably expelled 10 U.S. diplomats from Moscow.
Amid the flurry of accusation and counteraccusation, the question remains: Will the U.S. response to the SolarWinds compromise deter future Russian cyber activity? Based on what we’ve seen so far, I believe the costs on Russia imposed by the U.S. response will have little effect on future Russian cyber operations against U.S. government and private sector targets.
We do not know what the U.S. may undertake as part of the “unseen” response, but past experience would suggest cyber operations to signal displeasure are unlikely to change Russia’s behavior. A measured and proportional response will be shrugged off as the cost of business, and a cyber “shock and awe” campaign would risk escalation beyond U.S. intent.