As the leaders of the Quad (Australia, India, Japan, and the United States) get ready for their first virtual summit on March 12, 2021, the agenda planners must look into the lessons from the SolarWinds hack that rattled America on December 13, 2020, in a sweeping breach involving dozens of government departments that administered the country’s critical infrastructure. The Quad’s intrinsic balancing nature coupled with its underlying cyber vulnerability presents a powerful challenge to the Quad’s cybersecurity and its ambition to develop an alternate supply chain. As the strategic environment deteriorates in the Indo-Pacific region, there is a greater likelihood of regional cyberspace getting weaponized and an increasing propensity of state actors to use cyber power to advance their strategic gains.
There are at least five ways in which the SolarWinds hack, also known as the Sunburst/Solorigate cyberattack, informs on the nature, scale, and scope of cybersecurity challenges the United States and other Quad countries are most likely to face in the coming years. First, future cyberattacks are going to get more sophisticated, stealthy, and precise. The U.S. failure in early threat detection and prevention underlines a very high threat-risk facing the Quad countries in the coming years. The U.S. cyber monitoring agencies remained clueless for nearly nine months while various public and private entities were undergoing cyberattacks. U.S. Senate Intelligence Committee Chairman, Sen. Mark Warner, termed the SolarWinds hack as “beyond any that we have confronted as a nation”; a risk consultancy agency called the attack a “silent cold war in the cyberspace domain.” To put it simply, if the advanced U.S. cyber systems can be trojanized in such a brutal way, what would happen to other Quad members’ cyberspace?
Additionally, the multi-level hacking operation highlights a distinct level of target-specificity achieved in the craft of cyberattack, making it possible for the hackers in the future to limit their operations to the Quad’s computers. Kevin Mandia, the chief of FireEye, the company that detected the cyberattack, equated the Sunburst attack with “a sniper round from somebody a mile away” instead of it being a random “drive-by shooting on the information highway.” The Sunburst attack involved a multi-stage operation with precision and anti-forensic techniques, allowing the malware to get past any potential flashpoints in the end users’ computers before their remote activation.
Second, the security breach reportedly carries the state actors’ footprint, underlining an overt weaponization of cyberspace emanating from geopolitical motives that abounds in the Indo-Pacific region. The geopolitical pressure on tech vulnerability gets amplified in the context of the Quad that has to deal with not only the U.S.-Russia dynamics but also the Sino-U.S., Sino-Indian, Sino-Japanese, and Sino-Australian tension. The more the Quad underpins global and regional balancing, the more challenged it is likely to be by potential state-sponsored cyberthreats from its rivals/competitors. A more direct example of the weaponization of cyberspace is when India experienced a Chinese cyberattack on its power grid in October 2020 when the two countries were locked in a dangerous cross-border standoff along the Himalayan ridges. Japan has expressed concerns over the cyber-compromise of its defense assets as early as 2011. In a similar vein, Australia’s prime minister and defense minister declared, without naming China, in June 2020 that its organizations were “currently being targeted by a sophisticated state-based cyber actor.”
The third challenge relates to the management of unprotected, unregulated, and unenforced Indo-Pacific cyberspace. Unlike the relatively integrated and protected national cyberspace of the United States, the Indo-Pacific region resembles a jungle raj where both state-sponsored and private cyber militias are ruling the roost by stealing data resources from government entities and private citizens. According to WatchGuard Technologies, the Asia-Pacific region encountered 549,392 network-related attacks and more than 15 million malware attacks in 2020 alone. It is noteworthy that the SolarWinds hack affected mostly the computers running Microsoft Windows, and nearly 85 percent of computers in Asia run on Windows-based operating systems.
Fourth, one of the most important takeaways from the Sunburst malware attack is the increasing vulnerability of the member states’ critical infrastructure. The main targets of the SolarWinds hack, as it turns out, were government entities and critical infrastructures in the United States, such as the Defense Department, State Department, Department of Energy, and National Nuclear Security Administration. Similarly, other Quad members have highlighted cyberattacks from both state-sponsored actors and private militias on their critical infrastructures, such as parliament and hospitals in Australia, a nuclear power plant in India, or defense assets in Japan.
Finally, the supply chain method of the SolarWinds hack has not only introduced new urgency in putting in place an alternate tech supply chain away from China but also raised the risk in developing a full-proof supply chain that the Quad countries are seeking to build with the support of their allies and partners in the Indo-Pacific region. While no country, including the United States, is in a position to create an alternate tech supply chain on its own, the SolarWinds hack has opened the possibilities of multi-point vulnerabilities in a multi-stop supply chain that both state actors and non-state actors would seek to capitalize on. The Chinese hack of Elemental Technologies in 2015 indicates that even hard devices, such as semiconductors, are susceptible to hacking. The Chinese hackers are reportedly hacking their way into the Taiwanese chip-making industry.
The SolarWinds cyberattack is a wake-up call for the Quad to begin deliberations over developing a shared understanding and, eventually, a strategy to mitigate cyber threats coming from both the state and non-state actors in the Indo-Pacific region. There exist considerable differences among the Quad members regarding their cyber capabilities and their worldviews on various issues, such as data privacy. The Quad provides a perfect platform to align multiple bilateral cybersecurity agreements among the member states into a comprehensive quadrilateral framework.
Vibhanshu Shekhar is an Adjunct Professor at American University. He tweets @vibshekhar.