As our understanding of the damage incurred by the SolarWinds hack grows, the question remains: How will the United States respond? In reaction to the recent, widespread hack engineered by Russian intelligence, President Donald Trump and President-Elect Joe Biden have taken drastically opposing stances. On December 17, Biden condemned the hack, in which Russian operatives leveraged vulnerabilities in SolarWinds and FireEye technologies to steal information from Fortune 500 companies, the Pentagon, the Treasury, intelligence agencies, nuclear labs, and more. Biden has pledged his commitment to cybersecurity and stated his administration would “not stand idly by in the face of cyber assaults on our nation.” The United States, he said, would be “imposing substantial costs on those responsible for such malicious attacks.” Although Trump administration officials such as Secretary of State Mike Pompeo have identified Russia as the source of the hack and emphasized its gravity, Trump himself has been largely dismissive, claiming on Twitter that the events have been exaggerated in the media and declaring everything “under control.”
Whether—and how—the United States responds to the recent hack will depend on a number of factors, including assessments of the hack’s magnitude and implications, the policy positions of Biden and Trump, and public attitudes about the events. Despite bipartisan calls for retaliation to the SolarWinds hack, our new survey evidence suggests that the U.S. public remains highly skeptical. This stands in sharp contrast to the public response to even hypothetical physical attacks on the United States or its interests abroad—where survey experiments repeatedly show that the U.S. public is quick to support retaliation. Significant scholarship has been devoted to the so-called “rally around the flag effect,” with the concern that it could enable popular, diversionary wars. Little is understood, however, about how the public might respond to cyber operations.
Generally, scholars seem to agree that hacks akin to SolarWinds are merely intelligence gathering operations. As such, these hacks are acceptable forms of statecraft that fall short of the threshold of an “attack.” From an international law point of view, if cyber operations do not rise to the threshold of a “use of force,” then the impacted state is not granted a subsequent right to self-defense. However, not all agree SolarWinds was merely espionage. President-elect Biden recently used the language “cyberattack” to describe SolarWinds, suggesting the United States cannot stand idly by in response to such large-scale harm, while Senator Mitt Romney (R-Utah) referred to the hack as an “invasion.” Regardless of whether they consider the hack an attack or espionage, political elites from both sides of the aisle have called for retaliation. And the U.S. National Cyber Strategy does not distinguish cyber espionage as a distinct instrument from a cyber-attack, saying that any hacks “contrary to responsible behavior” can be “deterred through the imposition of costs through cyber and non-cyber means.” Such retaliation could play a crucial role in deterring future hacking. The decision of if and how to respond to the SolarWinds hack will have important implications for establishing a precedent about retaliation in the cyber realm.
As the Biden team argues for a firm response to SolarWinds, it is worth asking what the political cost of such a response would be: Would the public support offensive retaliation against the SolarWinds hack, as the Biden team has advocated? New survey data suggests the public largely does not support retaliation against SolarWinds or comparable hacks.
Over the last week, we have polled a 2500-person sample of the American public, asking how they would “most prefer” the United States respond to SolarWinds. What we find is stark: A minority of Americans prefer an offensive response, while over 57 percent prefer a non-offensive response. This includes 42 percent in support of sanctions, 9 percent who support a public denunciation of Russia, and 6 percent who oppose any response. Overall, just 42 percent prefer offensive retaliation against the hack either using cyber or physical operations. That increases to 46 percent among Democrats and 43 percent among Republicans (Figure 1). Independents exhibit even lower support for offensive retaliation as well as higher support for sanctions or for no retaliatory action. In comparison, when asked about a hypothetical scenario in which a Russian-sponsored “physical, in-person attack” on the United States resulted “in the theft of large amounts of personally identifiable information,” more than two thirds of Americans preferred offensive retaliation.
Figure 1: This figure shows respondents’ preferred responses to the SolarWinds attack by party. The “no retaliatory action” category includes support for a verbal condemnation of Russia.
Interestingly, women and men hold distinct preferences for how the government should respond to the hack. While men are consistently supportive of an offensive response to SolarWinds—25 percent of men support a physical attack on Russia and 34 percent support a cyber-based response, compared to 32 percent supporting sanctions and just 8 percent opposing any retaliatory action—women’s attitudes vary much more. Only 13 percent of women support a physical response, while 27 percent support a cyber-attack. Half of women support sanctions, and 12 percent oppose any retaliatory action. These results align with the findings of other survey experiments, which suggest that women are less likely to support offensive action than men. Other factors such as age and education also affect support for retaliation (Figure 2). The overall reticence to escalate the situation may be related to the fact that just 48 percent of Americans indicated they had seen “some” or “a lot” of news about the hack. Among these respondents, 39 percent support a cyber-based response to the hack, compared to 27 percent among low-information respondents. This may suggest cyber hacks face unique problem: Low public support for offensive retaliation may be adding to the already considerable barriers to establishing effective cyber-deterrence.
Figure 2: Statistically significant coefficients, shown with 95% error bars, are in blue, while insignificant coefficients are in red.
These dynamics complicate the decision-making of the incoming administration and the fraught politics of deterrence in the cyber realm. Policymakers and academics alike have struggled with the difficulty associated with establishing deterrence in the cyber realm. The damage dealt by cyber weapons is often smaller, and attribution is harder. This makes it difficult to credibly threaten a response to hacks and thus to deter them. There are also questions about when hacks qualify as a use of force—and therefore trigger a legal right to self-defense.
There are a few aspects of the cyber domain which make deterrence particularly difficult. Most notably, the identity of the perpetrator is not always immediately clear. For example, while most U.S. experts agree it was very likely that Russia was responsible for the SolarWinds hack, the Russian state’s denial of its involvement and its judicious use of sub-state proxies to carry out cyber operations make attributing a single hack to a particular actor difficult—or at least, time-consuming. Indeed, attribution and discovery in the cyber domain can both take time. FireEye’s incident report reveals the exploit had been active since March 2020, however, it was not until December that the hack was discovered and made public. This makes responding to adverse events in the cyber realm especially difficult, as delayed responses in particular may risk escalation more than they enable deterrence. Along with these difficulties, cyber operations often don’t present the same visual and physical destruction as a physical attack. That means they may often not reach a threshold where retaliation is warranted—or supported.
All of these features are difficult enough for policymakers to grasp, but they become even more knotted in the hands of the general public. As a result, social science research suggests that the public may be reticent to support retaliation to cyber operations, adding yet another hurdle to establishing deterrence in this realm. Our finding that the public is largely unsupportive of retaliation against the SolarWinds hack—even though it is the most widespread, and likely the most significant, hack on the United States to date—fits with these previous experimental findings, and it raises questions about next steps in the SolarWinds saga.
Policymakers are now deciding whether and how to retaliate to SolarWinds, and in doing so, they will have to consider how the public will respond to their actions. While not retaliating against the hack could create a permissive precedent for large-scale cyber espionage, if the United States does move forward with retaliation, public reluctance towards the policy could undermine the effectiveness of the U.S. response or even raise questions about the ability to deter future cyber operations. A retaliatory response, moveover, risks a possible further escalation of the crisis, and at a time when U.S. policy is largely focused inwards. As the United States moves towards developing a more comprehensive doctrine that could delineate when cyber operations do or do not justify a retaliatory response, public attitudes about these questions should remain a point of consideration.
Leah Matchett is a Ph.D. candidate in the Department of Political Science at Stanford University. Her previous publications include articles at Chatham House, Inkstick, and the Bulletin of the Atomic Scientists.