The SolarWinds breach shows that Russia had more than top-tier offensive cyber tools at its disposal. Moscow’s hackers also leveraged an understanding of the U.S. strategic priorities and the norms of cyberspace.
On Election Day 2020, the head of U.S. Cyber Command General Paul Nakasone reported that the United States had successfully countered the online weapons Russia had directed at the election, telling journalists, “we weren’t surprised by their action.”
One month later, CNN ran the headline, “Why the U.S. government hack is literally keeping security experts awake at night.” With the United States simultaneously tearing itself apart and focusing extensive resources on defending its elections against foreign attacks, the Russians pivoted to a separate line of effort in the broader geopolitical contest over information and ideas.
Russia’s foreign intelligence service launched a months-long cyber espionage campaign that has at least impacted the departments of State, Treasury, Commerce and Justice, and Fortune 500 companies. Among other things, the exfiltrated data likely offered insight into U.S. policy debates, which would allow the Kremlin to better understand, anticipate, and undermine U.S. actions on the world stage.
The massive reach of the hack can be credited to Russian skill and U.S. failures. Moscow’s hackers took advantage of known vulnerabilities in the U.S. technology supply chain, covered their tracks, and communicated through IP addresses in the United States, exploiting legal restrictions that prevent domestic surveillance to avoid detection.
The tactics outsmarted Einstein, the U.S. government’s $6 billion detection system. It also evaded the U.S. Cyber Command operatives tasked with maintaining a constant presence in adversary networks to “confront our adversaries from where they launch cyberattacks.” In fact, while Russian hackers were moving through U.S. government servers, Cyber Command was focused on managing another serious threat while forces were deployed to Europe to counter Russian cyber operations targeting the American election.
As information on the hack came to light, prominent voices began calling for the United State to implement an aggressive response. Former Homeland Security Advisor Thomas Bossert argued that “all elements of national power must be on the table” to respond to the hack. Senator Richard Durbin called the breach “virtually a declaration of war by Russia on the United States.” President Joe Biden has assured he will impose “substantial costs” on Moscow, ordered a comprehensive investigation into the breach, and brought up the issue in his first call with Russian President Vladimir Putin.
This heated rhetoric obscures the fact that Russia’s far-reaching intrusion followed norms established by Washington. The United States is likely the most sophisticated and assertive nation in cyberspace. In 2019, the New York Times reported that Washington had spent “billions of dollars to assemble the world’s most potent arsenal of cyberweapons and plant them in networks around the world.” As Bobby Chesney has noted, pushing for international standards that the United States does not adhere to could weaken U.S. credibility when real redlines have been crossed.
That is not to apologize for Moscow’s aggression or say that the norms of cyberspace make for a safe or stable world. War, work, transportation, and medicine are increasingly automated and the same intrusion used to gather intelligence can enable attacks with major national security implications. Moreover, the blurring of espionage and assault makes it difficult to understand the intentions of adversaries and could lead to unnecessary escalation.
The SolarWinds hack underscores the need for the United State to rethink its practices and priorities in order to make cyberspace safer and U.S. interests more secure.
The breach was too damaging and too dangerous to be accepted as a standard occurrence. Rob Knake has pointed out that traditional espionage “is accepted in part because of the supposedly stabilizing effect.” The advent, importance, and vulnerability of cyberspace has undermined that dynamic. It is time for Washington, Moscow, Beijing and others to begin exploring ways to establish mutual restraint in cyberspace.
The scale of the hack should also motivate the Biden administration to prioritize cyber defense as much as past administrations have prioritized offense. After all, Moscow has countless online targets, sophisticated cyber weapons, and operatives constantly pressing for innovative ways to weaken and constrain the United States.
It is a daunting challenge that will require the United States to increase funding for cyber defense, advance public-private partnerships, and coordinate more closely with allies and partners around the world.
These steps are necessary to make Moscow’s offensive cyber campaigns less effective and less accepted.
Joseph Bodnar is a graduate student at American University’s School of International Service. Image: Reuters.