In mid-December 2020, the biggest cyber intrusion known to date was discovered in the United States, the world’s leading cyber power. The global reach of the incident, and the nature and number of affected US government agencies – most notably the US Energy Department which controls the National Nuclear Security Administration – is unprecedented. A joint statement by the FBI, the National Security Agency (NSA) and others, concluded that Russia is ‘likely’ to be behind the hack. Although it is tempting to focus on options for a potential response, such as ‘cost imposition’ or the use of offensive cyber capabilities - and even on the purported failure of the US strategy to ‘defend forward’ – there is also value in paying attention to what this wasn’t, to ensure that future preventative action is appropriately focused.
The conduit for the cyber intrusion was a software update provided by a private company called SolarWinds. SolarWinds and Microsoft have called it a very ‘sophisticated’ operation. The intrusion was able to insert ‘back doors’ into the networks of dozens of companies, government agencies, and think-tanks across the US and beyond, thus gaining persistent access – and it was nearly a year before it was detected. Such elaborate methods require cybersecurity measures which must be constantly revised, tried and tested. This level of preparedness and monitoring is a challenge and engenders discussion about the need for national strategies to proactively counter and deter such cyber operations, rather than focus on the use of offensive cyber capabilities or ‘cost imposition’.
It is therefore important to maintain perspective and focus on the original cause of the incident; a supply chain weakness which, in 2020, arguably should never have happened. Some have therefore called this an ‘unacceptable… big failure’ of cybersecurity. So rather than reverting to the kind of sabre-rattling rhetoric which may only serve to further destabilize cyberspace, the SolarWinds intrusion could prove to be a simple, albeit critical, lesson for everyone involved.
A related point hinges on the fact that the breach was discovered by a private cybersecurity firm called FireEye, which reported it to the US government. Fire Eye was not legally required to report it but did so voluntarily, and we will never know what could have happened had it chosen not to do so. This is a valuable lesson which should inform the debate on the role of the state in private sector cybersecurity and the importance of sharing cybersecurity threat intelligence between the public and private sectors, as highlighted by Microsoft President Brad Smith, as well as the role of non-state actors in technical attribution.
The incident is also mischaracterized in that it has frequently been referred to as an attack. Senior US politicians have described the incident as a ‘virtual invasion’ and akin to ‘the level of an attack that qualifies as war’. This language is misleading as a matter of international law and therefore in terms of possible responses. It may of course be too early to tell, but for now the NSA and the FBI have classified it as an ‘intelligence gathering’ effort. In other words, straightforward espionage. Espionage per se is not prohibited by international law and is a largely accepted state practice based on the concept of ‘tu quoque’, Latin for ‘you also’. The US itself is said to ‘hack foreign government networks on a huge scale every day’.
There is nothing to suggest at present that any data has been altered or deleted, or that the intrusion has resulted in physical damage or destruction to any degree. If this remains the case, it would mean that – assuming a state is responsible, either directly or by directing a non-state actor to act on its behalf – the perpetrators have not necessarily violated international law. While international law in this area remains unsettled and is the subject of debate between states, those that call for the US to ‘impose cost’ in response should therefore exercise caution as response options are limited. If the intrusion proves to have been nothing more than espionage, then based on the US Department of Defense’s own views, it would not be considered a violation of international law, thus discounting the use of countermeasures against those responsible. The US certainly has no grounds to use force in response, even by its own more permissive interpretation of international law in this area. Should the US discover any kind of damage or other harm in due course, it will be interesting to see what action it takes, if any, and on what basis.
The search for a motive
Calling it an attack may also muddy the waters when it comes to interpreting the motives of those responsible. Perhaps the most concerning aspect of the SolarWinds intrusion is that it was undetected for many months. Despite the unprecedented levels of access to a huge section of US government networks, there is no sign of any physical damage, as opposed to previous incidents of a similar nature. The standard assumption with cyber breaches is that the intent is to cause or threaten tangible harm, normally either for financial or political gain. The intent behind SolarWinds is as yet unclear, but it is worth considering whether, other than as a means of espionage, there was another motive, one which would fit well within the tactics of those who operate in the ‘grey zone’, or below the threshold of armed conflict.
The shockwaves created across the US are evident. Importantly, the psychological impact on those affected in terms of reducing trust and confidence in their own IT systems may well prove nigh on impossible to restore. If this was one of the objectives of the hackers, it could well prove a highly effective one. This intangible effect would contribute to destabilization by creating chaos and mistrust, while also reducing the likelihood of any retaliatory action by the world’s leading cyber power. As sowing chaos and mistrust is as a key tactic below the threshold of war, it may not be too far-fetched to consider this as a possible motive. The far-reaching nature of this kind of impact also shows just how important it is for government agencies to work in partnership with the private sector to achieve more effective cybersecurity.
No more excuses
SolarWinds is a valuable lesson for everyone involved. While it will not be the last of its kind, focusing on what SolarWinds was not can help ensure effective preventative measures are implemented. Given the limited number of response options available, the importance of cybersecurity as the first line of defence cannot be underestimated. The integrity and security of supply chains and greater public-private cooperation in identifying and sharing information on cyber threats is critical. The focus on this is long overdue and after SolarWinds there can be no more excuses.