The list of U.S. government agencies compromised in the SolarWinds hack continues to grow, with reports of intrusions at Treasury, Commerce and Homeland Security, and potentially at State, Defense and the CDC. It is a big deal for national security: this is the largest known data breach of the U.S. government since the hack of the Office of Personnel Management in 2014, and it could give the hackers a wealth of inside information.
While the scope of this hack is still being determined, such an extraordinary breach raises an obvious question: is America’s cyber strategy working? The United States has historically relied primarily on a strategy of deterrence and, more recently, on the idea of “defend forward” to prevent and respond to malicious behavior in cyberspace. Is the failure of these strategies to blame? The answer (like anything political) is complicated.
First, it is important to establish what this hack was. The fact that a suspected nation-state actor (probably Russia) was able to compromise a third party (SolarWinds) to gain access to an as yet unknown number of U.S. government networks and to exfiltrate data is a significant espionage achievement. It also illustrates how third-party vendors can offer threat actors a way to conduct espionage campaigns on a scope and scale generally unknown outside of cyberspace.
But to call this incident a cyber attack would be inaccurate. At this point, the operation appears to have been espionage aimed at stealing national security information, rather than an effort to disrupt, deny, or degrade U.S. government data or networks. While this may seem like splitting hairs, the terminology matters because it has political and often legal implications. Espionage is an integral part of international politics, an action to which states typically respond with arrests, diplomacy or counterintelligence. In contrast, an attack (even a cyber attack) has legal ramifications that could allow states to respond forcefully. So far at least, this hack is not that.
The question of what this incident means for cyber deterrence, on the other hand, is less straightforward. To understand why it is such a complicated question, it helps to understand how this strategy works (and doesn’t). Deterrence consists of convincing an adversary not to do something, either by threatening punishment or by making it appear that the operation will not succeed. It is a difficult thing to do for several reasons. First, states must threaten a response that is both frightening and credible. A threat may not be credible because the state lacks the capacity to carry it out. Or, as is more often the case with the United States, threats can lack credibility because adversaries do not believe they will be followed through on. For example, the United States could threaten to use nuclear weapons in response to cyber espionage, but no state would believe that the United States would actually launch a nuclear attack in response to a data breach. It is simply not a credible threat.
To make matters even more complicated, it is also difficult to say when deterrence has actually worked because, if it does, nothing happens. So even if a state was deterred by a good defense, it is almost impossible to know whether it refrained from the attack because of that defense or simply because it was never interested in taking the action in the first place.
There are few or no deterrent mechanisms that can prevent cyber espionage. Since states regularly spy on each other – friends and foes alike – there is a very limited set of credible punishments that states can use to threaten others not to spy. The United States has tried a handful of options for cyber deterrence, such as issuing indictments against state-sponsored hackers or threatening punishments for cyber espionage. But these have had limited success. This does not mean, however, that we should throw out the deterrence baby with the bathwater. As Jon Lindsay, a professor at the University of Toronto, points out, successful deterrence outside cyberspace can influence and shape the behavior of states in cyberspace. And there is compelling evidence that deterrence can work in cyberspace. No adversary has ever carried out a cyberattack on the United States that caused violence or lasting and significant effects on military infrastructure or capabilities. Arguably, this is because the large and lethal conventional military force of the United States is a credible deterrent at higher cyber thresholds. The thorniest strategic challenge for the United States lies in the space between national security espionage (where deterrence does not quite apply) and major cyberattacks (where deterrence seems to hold).