The SolarWinds hacking campaign, suspected to have been carried out by Russia, has exemplified the need to fully integrate an effective cyber strategy into national security policy and reduce cyber escalation risks. The SolarWinds hacking campaign was exposed just months ago, and the United States is still discovering the extent of the attack as the new details come to light. Without a coherent and comprehensive U.S. cyber strategy that supplements national policy and outlines the necessity of identifying cyber intrusions, Russia and other countries will continue to leverage cyber attacks against the U.S.
Russian Cyber Operations Are Not a New Phenomenon
In 1996, Russia began organizing cyber attacks with the Moonlight Maze attack. Russia continued to expand its cyber attacks when it devastated Ukraine’s critical infrastructure in 2015. This attack left over 225,000 Ukrainians without power, and even sabotaged power distribution equipment, further hindering attempts to restore power. Russia continued to increase its cyber operations, most notably in 2016 with the hacking and release of emails from Democratic Party officials. Since 2016 Russia has only become more emboldened in its cyber attacks, secure in the knowledge that it will not yet face any devastating consequences in retaliation.
Issues in Cyber Escalation
Due to the nascent nature of cyber conflict, there are neither strict guidelines on what constitutes an attack nor a proper response. If a cyber attack is responded to in-kind, this could quickly escalate into a cyber war. Cyber attacks also face the issue of attribution, as it is often difficult to determine exactly who is behind the attack, especially as attacks carried out by non-state actors complicate response and retaliation issues. While all of these issues impede U.S. cyber strategy, especially in implementing consequences against cyber attackers, the U.S. still needs a comprehensive strategy to identify and impose punitive action against attackers.
The Current U.S. Response to SolarWinds
President Biden’s new national security advisor for cyber and emerging threats, Anne Neuberger, has stated that the White House is preparing a response to the SolarWinds attack. While SolarWinds is seen as an information collection operation, Neuberger is worried that it could have (and may have) progressed to a more threatening operation, potentially giving Russia the ability to alter or destroy data. Potential responses are expected to go beyond just sanctions to include revealing or freezing assets secretly held by Putin and improving government agencies’ cybersecurity. Many in the U.S. government also want to require mandatory disclosures by private companies to the U.S. government once they are aware that they may be the victim of a cyber intrusion. In an interview with Face the Nation on CBS, National Security Advisor Jake Sullivan announced that the U.S. plans to use “a mix of tools seen and unseen” against Russia. Beyond outlining responses to cyber attacks, U.S. cyber strategy should be defensive in nature, focusing on identifying threats, and recruiting and retaining talented cybersecurity personnel.
Improving U.S. Cyber Strategy
The Interim National Security Strategy does highlight the threat cyber attacks can pose, and states the need to make cybersecurity a top priority. Additionally, it notes the significance of working with allies and partners on cyber issues, especially in upholding and shaping new global norms in cyberspace.
Beyond this, the U.S. government should prioritize expanding its capabilities to identify when cyber intrusions have occurred, and increase information sharing between the private and public sector on intelligence gathered about cyber threats. The failure to detect cyber intrusions is a serious threat to U.S. cybersecurity. When attacks are not even detected, the U.S. is not able to respond, and it gives attackers more time to collect information and cause damage.
In order to deter would be attackers, the U.S. should consider the use of personal sanctions and utilizing the legal system, along with treating significant cyber attacks as acts of aggression. The U.S. should also consider other options, with the ultimate goal of deterring any person or state from conducting a cyber attack against the U.S., because the costs will be too great to bear.
In addition, the U.S. also needs to be able to attract and staff more cybersecurity professionals, which could require greater recruiting efforts, increased salaries, and coordination between the technical and policy sectors of cyber operations. The Biden administration should formally establish its cyber strategy, supported with enough financial resources and personnel to protect itself against cyber attacks.
The SolarWinds hack is just the latest attack to remind the U.S. of the need to establish a deterrent cyber strategy and create punitive actions against those who carry out cyber attacks against the United States. Cybersecurity is paramount to ensuring U.S. national security. Failure to fully address cybersecurity and cyber attacks will leave the U.S. vulnerable to continued attacks by Russia and by other states.