In the wake of the major espionage operation in which people alleged to be Russian government agents infiltrated the digital networks of the U.S. Defense, Treasury and Homeland Security departments – as well as other government agencies and private companies – President Joe Biden is considering how to respond.
It’s not clear exactly what data the hackers actually stole in the time they had access, roughly from March through December 2020, but they exploited software made by the Texas-based firm SolarWinds to gain access to key research and security information, including research for future nuclear weapons.
Since taking office, Biden has ordered a thorough intelligence review of Russian aggression around the world, which includes hacking, election interference, poisoning political opponents and posting bounties for killing U.S. soldiers. And on Jan. 21, his first full day in office, Biden received a report from a congressional cybersecurity commission with 15 recommendations expected to prevent another major cyber breach. Those included boosting America’s cyber capabilities by increasing funding for U.S. Cyber Command and establishing a civilian reserve group that draws on cybersecurity talent in private industry and cybersecurity companies.
His administration faces pressure from members of Congress in both parties and former government officials to respond forcefully to the SolarWinds breach.
He is reportedly considering retaliatory cyberattacks against Russia and targeted financial sanctions against the individuals involved.
But the U.S. government may not be able to stop future intrusions into American computer systems. Scholarship describes how difficult it can be to effectively deter cyberattacks or punish those responsible. In fact, as a scholar of cyber conflict, my research strongly indicates that retaliation – in whatever form it might take – will almost certainly invite counterhacks from Russia, worsening tensions between the countries and potentially escalating into the offline world.
A sophisticated attack
The SolarWinds hack was more advanced than previous ones: The hackers actually compromised software updates that the network management company regularly provides to the businesses and government agencies that use its software. The hackers inserted malicious code into the official updates, which countless administrators trusted and installed on nearly 18,000 systems across the country.
Once installed, the malicious software connected to servers controlled by the hackers and gave them access to key data about government and corporate research and operations.
This isn’t the first major digital attack on the U.S. And its severity shows that past efforts to discourage cyberattacks have not been effective.
Under President Barack Obama, for instance, the U.S. leveled economic and diplomatic sanctions against the people and governments responsible for cyberespionage, including North Korea and Russia. The Trump administration likewise imposed sanctions against Iranian and North Korean hackers for a range of cyberattacks targeting U.S. companies, universities and government agencies.
Several scholars, including my collaborators and me, have shown that though economic sanctions do hurt their targets, they also hurt the country imposing the restrictions – in this case, the United States – which misses out on business opportunities in the targeted countries. Newer rounds of sanctions also bar U.S. companies from doing business with third-country firms that operate in targeted countries.
Sanctions don’t actually deter future attacks.
Government actions haven’t been enough
Beyond punishing hacker countries with sanctions, the U.S. has undertaken operations to directly attack the digital capabilities of those nations. For instance, U.S. Cyber Command, the arm of the military charged with defending the U.S. in cyberspace, cut off a key Russian agency’s internet access during the 2018 congressional midterm election. The U.S. has also sent military cybersecurity experts overseas to learn more about Russian, Chinese and Iranian capabilities. It’s also possible that Cyber Command has secretly undertaken other responses.
None of this has dissuaded hackers from repeatedly targeting American firms and government agencies. Indeed, prior research confirms that the threat of formal sanctions has very little effect on deterring cyberattacks in lab settings.
If deterrence won’t work …
Ignoring cyberattacks, of course, is not a solution either. But I believe the challenge is to determine how to make clear to the perpetrators that large-scale cyber intrusions will not be tolerated – and to do so without escalating the online conflict. I believe there is only one way to prepare – and it’s to accept that hackers will keep trying to attack.
There are some ways to adjust to this new reality, just as there are with other complex and intractable problems. For instance, governments seek to mitigate harm from climate change by limiting greenhouse gas emissions and discouraging new construction in flood zones.
The cybersecurity equivalent could be building and programming computer systems that can withstand faults, failures and hacking while still performing essential functions and protecting data security. The ultimate objective would be not to prevent systems from being breached, but to limit the damage and speed the recovery when they are broken into. My research, and others’, indicates this could be an effective way to address the new reality of state-sponsored hacking while realizing there is no way to truly prevent future attacks.