The pattern has become disturbingly regular. Every few years, evidence surfaces of a major cyber penetration of U.S. networks, and each instance prompts a wave of indignant American calls for tough retaliation.
Last week’s report of the “Solar Winds” operation, a massive new hack of multiple public and private U.S. organizations that has gone undetected for perhaps a year or even longer, is in many ways a repetition of the detection, attribution, and retaliation cycle that has been on endless replay since our discovery of Russia’s infamous “Moonlight Maze” intrusion in the 1990s kicked off a new era of cyber-espionage. Congressmen have called Solar Winds an enormous intelligence failure. President-elect Joe Biden has vowed that he will not stand by idly while our country is being attacked. This time, we say, the Russians (or whoever is behind the intrusion) will pay.
But preventing this kind of thing was exactly what we vowed to do after the last intrusion. In the wake of Russia’s cyber-targeting of American political campaigns and voting systems in 2016, which was followed by signs that Russians had also penetrated the control systems of some American power plants, U.S. strategists decided that merely playing cyber defense and imposing economic and legal penalties on foreign adversaries was not getting the job done. The gap between the capabilities of cyber attackers and cyber defenders was simply too wide for a strategy based on defense and after-the-fact punishment to be effective. Protecting American networks required a new approach, known as “defending forward” or “persistent engagement.”
This meant going on cyber offense to dismantle foreign botnets, to implant sensors and malware inside Russian networks, and force our digital adversaries to play defense against us. Seizing the initiative would, according to the strategists, render our opponents less able to attack us and more concerned that the costs of unbridled offensive operations might outweigh the benefits. In theory, persistent cyber competition between each side’s attackers would eventually produce a stable equilibrium, wherein we all would recognize where the redlines were drawn and respect those boundaries.
This defending forward strategy has been official U.S. policy since 2018, and Trump administration officials have claimed that it helped to limit interference in that fall’s midterm elections. The Solar Winds intrusion suggests that the United States needs to do more to manage and stabilize our cyber competition with Russia and other online opponents.
The fundamental problem is that we regard the cyber arena as essentially a deterrence matter, in which we can employ the concept of mutual vulnerability to dissuade our rivals from attacking us, much like we did during the Cold War. Then, as now, the offense had distinct advantages over the defense. Each side came to recognize that the other had an ability to annihilate its adversary no matter the defender’s efforts. This imbalance between offensive and defense created a mutual interest in avoiding a suicidal conflict, and Washington and Moscow found ways to preserve a reliable state of mutual vulnerability through arms control agreements that stabilized their competition.
But the cyber arena is much less amenable to forging a stable equilibrium. Unlike in the nuclear arena, cyber vulnerabilities change over time—software flaws pop in and out of existence as they are created, discovered, exploited, and patched. Malware often must be custom-made to take advantage of specific flaws, and its effectiveness ends when the flaws and exploits are detected. Unlike a nuclear-tipped missile that retains its capabilities for decades, whose presence and potential are clear to all concerned, cyber weapons are ephemeral and easily camouflaged phenomena. They require an unending process of finding and exploiting ever more vulnerabilities on the other side, in the expectation that each exploit will eventually be discovered and neutralized. Neither side in the competition can ever be confident that its offensive capabilities have produced a stable state of mutual cyber deterrence.
Moreover, cyber technology is blurring the lines that once separated espionage and warfare. In the bad old days, the United States and Soviet Union used human agents, satellite imagery, and signals interception to collect intelligence on the other side’s capabilities and intentions. These tools were easily distinguishable from missiles and tanks and other weapons of war. Today, much collection is done through cyber espionage, but it is a form of intelligence gathering that also can be used for non-kinetic military attacks. The Solar Winds intrusion may be aimed primarily at espionage, but we cannot be sure it is not also intended to alter or destroy data or even one day to sabotage critical American systems. And the easiest way to discern its intentions is to penetrate the perpetrator’s systems and gather cyber intelligence on what it is up to.
But this fuels exactly the same dynamic of detection and response on the part of our adversaries, for exactly the same reasons that we ourselves are incentivized to go on the offensive. Given the inherent vulnerabilities of all networks to such ambiguities and penetrations, this cycle of action and reaction is difficult to break.
It is also too dangerous to ignore. In a world where supply chains and commercial transactions and early warning systems and nuclear command and control are all digitally based, cyber sabotage could have enormously damaging—even existential—consequences. Awareness that these systems are vulnerable to cyber penetration, coupled with the difficulty of distinguishing cyber espionage against them from destructive sabotage, could make managing a regional crisis involving Russia or China far more precarious than it was in the Cold War era. The redlines in this escalating cyber competition might become apparent only after they are crossed.
What then should we do? Showing Moscow that we can hold Russian systems at risk is a necessary part of the solution, but it is only one part. Ironically, our new “persistent engagement” strategy has ruled out diplomatic engagement with Russia that might establish some rules of the cyber road and encourage mutual restraint. We have mistakenly regarded diplomacy as a reward for bad Russian behavior, when in fact it is an indispensable element of our own self-defense. We have deluded ourselves into believing that we can pressure the Russians into curtailing their intrusions without having to restrain our own operations.
We cannot rely on deterrence and mutual restraint pledges by themselves, however. We need to weaken the perilous link between cyber espionage and cyber sabotage by old-fashioned hardening of our critical infrastructure and reducing our dependency on digital networks. Putting in place manual back-ups for GPS and power generation systems, voting tabulators, early-warning satellites, weapons controls, and other critical functions would both reduce our adversaries’ incentives to target them and increase our confidence that we are not vulnerable to single points of failure if they are sabotaged. Building such resilience and redundancy will be expensive. The alternative, however, could be catastrophic.
George Beebe is the Vice President and Director of Studies at the Center for the National Interest, former head of Russia analysis at the Central Intelligence Agency, and author of The Russia Trap: How Our Shadow War with Russia Could Spiral into Nuclear Catastrophe.