Punitive Response to SolarWinds Would Be Misplaced, But Cyber Deterrence Still Matters
(Russia Matters – russiamatters.org – Erica D. Borghard – March 31, 2021)
Erica D. Borghard is a senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council. She also serves as a senior director on the U.S. Cyberspace Solarium Commission.
This op-ed is part of a new debate from Russia Matters and is written in response to “US Response to SolarWinds Cyber Penetrations: A Good Defense Is the Best Offense” by Paul Kolbe.
Kolbe is right that, when it comes to SolarWinds, it is unlikely that retaliatory measures aiming to impose costs against Russia (inside or outside of cyberspace) will work to shift the Russian government’s risk-benefit assessment—but he’s right for the wrong reasons. It is also important to note that Russia continues to deny responsibility for the SolarWinds incident. Regardless, a punitive response to SolarWinds is unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.
Why does any of this matter? Quite simply, states do not—and should not—attempt to deter espionage because spying is a routine aspect of strategic interaction in the international system. Deterrence entails a credible threat to inflict punishment on an adversary for, or deny their ability to engage in, some as yet untaken action. In other words, deterrence strategies aim to prevent something from taking place through manipulating the target’s perception of the overall balance of the costs, benefits and risks of doing so. However, when it comes to espionage, because all states routinely spy on one another, threatening some retaliatory response to an uncovered espionage operation makes little sense. Rather, deterrence is meant to apply to behavior that is beyond the bounds of routine aspects of statecraft—like attacking another state. However, this does not mean that states should refrain from taking steps to make espionage more difficult, or to better protect national security information from falling into the wrong hands.
While the United States is still ascertaining the full scope of the breach and assessing the extent of the damage, the available evidence indicates that the SolarWinds operation is an example of cyber espionage conducted for national security purposes. It appears that, while the Russian-affiliated threat actors compromised a significant number of federal and private sector networks, data was exfiltrated from a limited number of targets, and the exfiltration appears to have been motivated by national security objectives. Hence, while this compromise represents a momentous intelligence failure—one with significant strategic implications—at this point it does not constitute a cyberattack. Cyberattacks are distinct from intelligence operations because they generate effects against a targeted network or system, such as those that disrupt, deny or degrade. Therefore, in this case, a deterrence approach grounded in retaliation is mismatched to the nature of the strategic challenge. In this sense, Kolbe is correct that investing in improving defenses and intelligence sharing should be the primary focus of the government’s effort—as well as improving counterintelligence and strategic warning capabilities.
That said, sometimes states do respond to an adversary’s espionage operation with more significant retaliatory measures. When this occurs, it is typically because the state is signaling that the particular form of espionage that took place goes beyond what it finds to be acceptable. Norms of acceptable espionage behavior are not written down or clearly defined in any public agreements or treaties. Instead, the accumulation of state practice helps shape the implicit, informal norms about what forms of espionage will be tolerated.
This raises the question of whether the United States wants to define future cyber operations that are similar to SolarWinds as forms of acceptable espionage or not. Some policymakers argue that the scope and scale of the SolarWinds compromise places it in a different category and that, while cyber espionage is to be expected, large-scale compromises of the information and communications technology supply chain are unacceptable. In this case, retaliatory measures that go beyond typical responses could help communicate how the United States defines different types of cyber espionage. However, if the United States seeks to promote a norm against supply-chain compromises, for the norm to be meaningful Washington must also be willing to hold itself to the same standard.
Furthermore, while a deterrence framework may be inappropriate for cyber espionage, there are other types of cyber behavior where deterrence—which rests on the threat of retaliation—remains relevant. These include cyberattacks that have disruptive or destructive effects. In fact, in the United States, cyber deterrence largely appears to be working. Despite policymakers repeatedly sounding the alarm about the risks of a “Cyber Pearl Harbor” or a “Cyber 9/11,” the reality is that the United States has not yet suffered a major cyberattack. This is arguably because the United States retains credible, full-spectrum response options for cyberattacks that it sees as falling above a use-of-force threshold.
Instead, the trickier deterrence challenge rests not at the level of cyber espionage (where deterrence does not apply) or strategic cyberattacks (where deterrence seems to have been successful), but rather in the middle band of that spectrum. Examples of these types of cyberattacks include Iran’s sustained distributed denial of service attacks against the U.S. financial sector, known as Operation Ababil, in 2012-2013, or Russia’s “active measures” campaign to interfere in the 2016 U.S. presidential election. The United States is still struggling with how to reduce the magnitude and frequency of cyberattacks that have national security and economic consequences, but do not rise to a level of violence or significance where more robust retaliatory options would be relevant. Rather than prioritizing either offense or defense in the cyber domain, the United States needs to first do a better job of clarifying different categories of behavior in cyberspace and figuring out the optimal mix of offensive and defensive investments to address these at different thresholds.
Article also appeared at russiamatters.org/analysis/punitive-response-solarwinds-would-be-misplaced-cyber-deterrence-still-matters, with different images, bearing the notice: “© Russia Matters 2018 … This project has been made possible with support from Carnegie Corporation of New York.”