Almost a month after the most recent — and most devastating — Russian cyberattack, we know a bit more about what we know, but still alarmingly little about what we do not know. Having observed and analyzed both hacking intrusions and destructive espionage attacks for the past decade — Sony Pictures, the Office of Personnel Management (OPM), National Security Agency intrusions, and now the SolarWinds attack as notable examples — it is not flippant to say that the most recent incident and US response thus far causes a sense of déjà vu. Across several administrations, the fumbles and ultimately failed deterrent responses have established a jagged pattern — one that may well be repeated in the current circumstance.
Thus far, we know that Russia-linked hackers breached thousands of networks using compromised SolarWinds software. Beginning at least a year ago, Russian intelligence gained access to the unclassified (but still revealing) digital traffic of a number of federal government departments and agencies (Commerce, State, Energy, Treasury, Justice, and parts of the Pentagon, among others). Estimates keep growing, but the attackers gained access to at least 18,000 networks, including 250 private companies. (These numbers will undoubtedly change as investigations progress.) Microsoft has said the hackers viewed some of its source code as well. And US intelligence officials are still uncertain if the hackers have “back doors” into strategic networks, estimating that it may take years to root out intrusions or malware left behind.
Possibly due to White House reluctance, US intelligence to date has only stated that the Russians are “likely” behind the ongoing cyberattacks. Thus, after a whole month, the US has made no definitive charges backed by evidence.
Meanwhile, there are persistent calls for an offensive response or even a disproportionate reaction. Specific options being advocated for include cutting off Russia from the Society for Worldwide Interbank Financial Telecommunications international banking and messaging system as well as covertly crippling Moscow’s technological infrastructure. Sen. Richard Durbin (D-IL) has called the Russian cyber operation “virtually a declaration of war.”
Crucially, President-elect Joe Biden has signaled that the US needs an offensive strategy, arguing that “we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place.” That may not be easy.
Here are cautionary realities that I and others (notably Harvard’s Jack Goldsmith) have advanced in the past. First, regarding Gulliver, while the US has the most advanced and sophisticated intelligence and offensive cyber capabilities in the world, it is also the most vulnerable target given its extreme dependence on digital communications. Further, at this particular point in time, America is acutely defenseless against potential Russian retaliation in light of the great unknowns regarding the reach and depth of Russia’s cyber penetrations. We will not know for some time what back doors or malware may be lurking in our civilian and defense infrastructures.
Second, offense in cyberspace still trumps defense — even after the expenditure of billions of dollars. The Donald Trump administration’s much-hyped “Defend Forward” strategy clearly failed to detect and counter a Russian attack that went on for over a year. It was FireEye, a private security company, that uncovered the dastardly clever spy system.
Third, shocked reactions and labeling the most recent Russian action an “act of war” are inaccurate and hypocritical. Despite the failure of the “Defend Forward” approach, we still expect US intelligence agencies to penetrate and stay inside the networks of adversaries (and sometimes friends). We cannot expect Russia, China, or Iran to desist when the US spends huge resources to achieve the same result. Former Director of National Intelligence James Clapper’s oft-quoted point at the time of the OPM hack was that “you have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
All of this leads back to Goldsmith’s continuing argument (more on this here) that the US should at least consider negotiating an agreement of “mutual restraint” whereby it would curb certain activities in exchange for forbearance by our adversaries in our networks (Russia proposed something similar in 2017). Goldsmith admits there are many potential objections and uncertainties to this course, but he holds that given our failure to thwart our cyber foes, President Biden and his team should at least consider this alternative as they plot a way forward on cybersecurity.
Like Gulliver, the US has the means to break out of its cyber binds, but we should weigh carefully the implacable trade-offs of future offensive actions.
This article first appeared at the American Enterprise Institute.