U.S. Response to SolarWinds Cyber Penetrations: A Good Defense Is the Best Offense
(Russia Matters – russiamatters.org – Paul Kolbe – March 25, 2021)
Paul Kolbe is the director of the Intelligence Project at Harvard’s Belfer Center and formerly served in the CIA’s Directorate of Operations in a variety of foreign and domestic roles, including as chief of station, chief/Central Eurasia division and Balkans group chief.
According to U.S. officials, Russia is the likely perpetrator of the SolarWinds cyber compromise of federal agencies, private sector firms, NGOs and academic institutions. The scale and impact brought accusations of a reckless and indiscriminate operation. Some politicians labeled this an act of war, while other commentators dismissed the SolarWinds compromise as espionage. Calls for retribution were widespread.
We know few details about the breadth, depth and impact of the SolarWinds cyber operation, though the scale was clearly massive, with over 18,000 SolarWinds customers having installed the malware-laden tools. But we do not know which companies and agencies have been affected, what information was compromised or whether damage occurred to any information systems. This lack of public disclosure likely represents caution in revealing what is known and not known, but also signals the difficulty of assessing just how bad we’ve been had.
So how should the U.S. respond?
A natural inclination will be to strike back in order to modify future Russian behavior and to introduce stronger cyber deterrence for other potential actors. Responses might include declaring Russian intelligence personnel persona non grata, indictment of perpetrators, targeted sanctions and execution of similar operations against select Russian systems. The aim would not just be punishment, but to change the risk-gain calculation for Russia, and others, when considering new cyber operations.
But frankly, all of these actions have been tried in the past and have not slowed the cyber onslaught. Russia does appreciate and adhere to reciprocity, and a specific and carefully calibrated shot across the bow is appropriate in response to SolarWinds. But we should not kid ourselves and think that such responses will stop cyber espionage or assaults. We are simply too fat and easy a target.
For this reason, retaliation is neither the most urgent nor the most important task at hand. Our most critical mission is to relentlessly and comprehensively improve our cyber defense.
SolarWinds dramatically exposed what many cyber experts have known and warned of: that the United States is pervasively, systemically vulnerable. Our attack surface—the systems, networks and devices that can be targeted and compromised—is stupendously large. The skill and number of U.S. adversaries—the states, criminal organizations and individuals who would exploit those vulnerabilities—is proliferating. Russia is but one wolf in an evolving and growing pack of cyber predators.
Meanwhile, our networks are intricately interconnected, but we organize our defense into silo after silo. Government defenses are scattered across different agencies, companies are reluctant to share news of breaches and our intelligence agencies are pointed outwards. No one has a full view of the battlefield. Companies view cyber defense as a burdensome cost. Government budgets favor offense, and even when new funds are allocated to cyber defense, the focus is on securing government systems, not improving the fundamental security of larger and more vulnerable private sector infrastructure.
How might we better address our systemic national cyber vulnerability?
First, government efforts to bolster defense should focus on the private sector, which builds, owns, runs and is responsible for most of our cyber infrastructure. Better incentives are needed to improve security practices and culture. Also needed are disincentives that extract a cost for putting others at risk. Some elements in this regard might include:
- Federal security standards: Apply minimum federal security standards for software and devices, much like with consumer safety products. Manufacturers will complain, as did auto companies with safety regulations, but progress is unlikely without efforts to build more secure components of our cyber infrastructure.
- Tort law: Companies that negligently engineer insecure systems and devices should be held liable. In too many cases, cost-cutting and dismissal of basic security elements put everyone at risk. Producers of hardware and software have a particular responsibility in this regard and should not be able to blithely pass on cyber risk to millions with no fear of consequence.
- Intelligence sharing: Threat information needs to flow seamlessly and instantly across private and public networks but is instead splintered by classification, commercial interest, legal restrictions and cultural inclinations to hide instead of share. There should be a federal requirement to report cyber security breaches. Rarely is only one company a victim of any given attack, and robust reporting requirements could aid early detection and mitigation. Breach transparency would also incentivize good security practice and provide a competitive advantage to companies that protect their customers and the cyber commons.
We are in a new “Long War,” an ambient cyber conflict that will play out over decades against multiple adversaries. This is a conflict where the best offense may be a good defense. Limiting the potential harm adversaries can impose on us, while retaining the ability to inflict asymmetric damage, offers the best hope of bolstering U.S. national security and creating a world of cyber deterrence and restraint. Hopefully, SolarWinds marks the inflection point of a pivot to a more effective defense-based national cyber strategy.
This article also appeared at russiamatters.org/analysis/us-response-solarwinds-cyber-penetrations-good-defense-best-offense, with different images, bearing the notice: “© Russia Matters 2018 … This project has been made possible with support from Carnegie Corporation of New York.”