During the weekend, software company SolarWinds released a statement that its security products — used by U.S. government agencies, among others — had been hacked and weaponized in a “highly-sophisticated, targeted … attack by a nation state.” The cyber-intrusion breached the IT systems of several U.S. government organizations, including the Departments of State, Defense, Homeland Security, Treasury, and Commerce, and the National Institutes of Health. Reporting suggests APT29, a hacker group linked to Russia’s foreign intelligence organization, inserted malicious code into SolarWinds software sometime in March 2020, creating a back door that allowed the actor to steal information through routine software updates. We keep learning more.
Here are three important lessons from this hack.
Lesson 1: Governments no longer control the announcement of who’s behind a cyberoperation
Rather than wait for the U.S. government to assign blame, media outlets immediately pointed to Russia. That’s significant. Cybersecurity scholars have argued that governments are cautious about attributing cyber-incidents to any source, having to balance domestic constituencies, alliances, and other foreign demands before announcing who or what they consider responsible. Some scholars have theorized governments time such announcements to signal restraint or willingness to escalate, using their ability to name a source as a foreign policy tool.
However, in this case, SolarWinds itself suggested a government was behind the hack, and media outlets are pinning it on Russia, all before the Trump administration has released any official statements. Having private companies name names is likely to continue as organizations like Microsoft, the cybersecurity firm FireEye, or the nonprofit Cyber Peace Institute proliferate — making attribution one more thing that governments cannot control.
Foreign hackers have made it harder for the U.S. to prosecute them
Lesson 2: Cyberoperations are still mainly spy vs. spy
Second, while this appears to be a huge intelligence loss for the United States, so far no one has reported that the hacker manipulated, destroyed or disrupted data. Of course, we don’t know whether this was restraint, lack of opportunity, or a combination of both. However, research by political scientists Jon Lindsay and Josh Rovner suggests cyberoperations to date are better thought of as intelligence contests than cyberwars. If cyberoperations’ benefits come from the information they unearth and not the damage they might leave, then a government would have good reason not to turn its cyberspying tools into cyberweapons.
The SolarWinds hack seems to fit this model, suggesting rivals’ strategic interactions in cyberspace are unlikely to result in dangerous and violent escalations. If the reporting to date is accurate, Russian hackers gained access to U.S. government networks and, instead of launching a disruptive or destructive cyberattack, chose to maintain a persistent and stealthy presence over many months to exfiltrate national security information. That can be highly rewarding for the government involved.
How foreign influence efforts are targeting journalists
Lesson 3: Deterrence is complicated
That restraint is consistent with what academics have found in researching deterrence in cyberspace. Of course, it makes little sense to think about deterrence against cyber-enabled national security espionage. Most governments tacitly accept that other states will spy on them — whether in cyberspace or via other means.
Rather than attempting to prevent spying through deterrence, which is effectively a fact of international life, governments might benefit instead from improving their networks and systems’ defense and resilience; preparing for such infiltrations with counterintelligence operations; and when appropriate, launching retaliatory cyber-campaigns to degrade their adversaries’ capabilities and tools that could be used for spying.
But the SolarWinds hack suggests deterrence might still be useful, but only by focusing on something slightly different. Where deterrence may be more successful is in deterring cyberoperations that translate information into physical attacks — especially those that might harm U.S. civilians.
What does this mean for the United States?
Some suggest the SolarWinds hack shows the Department of Defense’s “defend forward” effort has failed. “Defend forward” is an approach the Defense Department introduced in its 2018 Cyber Strategy, calling for proactive efforts to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
But no strategy is capable of disrupting or halting all malicious cyberactivity. Russian success against SolarWinds may instead suggest the Defense Department should be still more assertive in its “defend forward” cyberoperations.
What’s more, the U.S. might want to take the SolarWinds hack into consideration as it helps develop international cyber norms. As Harvard law professor and Hoover Institution senior fellow Jack Goldsmith argues, it would be counterproductive for the United States to advocate norms that the U.S. itself has no intention of following. After the U.S. Office of Personnel Management was hacked in 2014, then-Director of National Intelligence James R. Clapper Jr. remarked, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.” Surely if the U.S. had an opportunity to infiltrate Russian government networks for spying purposes, it would.
Research suggests obvious hypocrisy doesn’t convince others to conform to cybersecurity norms. The U.S. might therefore wish to push for reciprocal restraint with its adversaries, such as a no-first use policy for cyberattacks that cause civilian violence. That might more meaningfully shape the rules of the cyber-road than policies against cyber espionage.
Don’t miss any of TMC’s smart analysis! Sign up for our newsletter.
Erica Borghard (@eborghard) is a resident senior fellow with the New American Engagement Initiative in the Scowcroft Center for Strategy and Security at the Atlantic Council and an adjunct associate research scholar at the Saltzman Institute of War and Peace Studies at Columbia University.
Jacquelyn Schneider (@jackiegschneid) is a Hoover Fellow at Stanford University and a nonresident fellow at the Naval War College’s Cyber and Innovation Policy Institute, an affiliate of Stanford’s Center for International Security and Arms Control.