The list of US government agencies compromised in the SolarWinds hack continues to expand, with reports of infiltrations at Treasury, Commerce, Homeland Security, and potentially State, Defense, and the CDC. This is a big deal for national security: It is the largest known data breach of US government information since the Office of Personnel Management hack in 2014, and could give hackers a trove of inside information.
Though the scope of this hack is still being determined, such an extraordinary breach begs a fairly obvious question: Is US cyber strategy working? The US has historically relied on, first, a deterrence strategy and, more recently, the idea of “defend forward” to prevent and respond to malicious behavior in cyberspace. Is a failure of these strategies to blame? The answer (like all things political) is complicated.
First off, it’s important to establish what this hack was. The fact that a purportedly nation-state actor (likely Russia) was able to compromise a third party (SolarWinds) to gain access to an as-yet-unknown number of US government networks and exfiltrate data is a significant espionage achievement. And it illustrates how third-party vendors can provide an avenue for threat actors to conduct espionage campaigns at a scope and scale typically not seen outside of cyberspace.
But to call this incident a cyber attack would be off the mark. At this point, the operation appears to have been espionage to steal national security information, rather than to disrupt, deny, or degrade US government data or networks. While it may seem like splitting hairs, terminology is important because it has policy, and often legal, consequences. Espionage is an accepted part of international statecraft, one that states often respond to with arrests, diplomacy, or counterintelligence. In contrast, an attack (even a cyber attack) has international and domestic legal ramifications that could allow states to respond with force. So far at least, this hack is not that.
The question of what this incident means for cyber deterrence, on the other hand, is less straightforward. To understand why this is a complicated question, it’s helpful to understand how this strategy works (and doesn’t). Deterrence is about convincing an adversary not to do something by threatening punishment or making it seem unlikely the operation will succeed. This is a hard thing to do for a few reasons. First, states need to threaten a response that is both scary and believable. A threat may not be credible because the state lacks the capabilities to carry it out. Or, as is more often the case with the United States, threats may lack credibility because adversaries don’t believe there will be follow-through. For instance, the US might threaten to use nuclear weapons in response to cyber espionage, but no state would believe the US would actually launch a nuclear attack in response to a data breach. It’s just not a credible threat.
To make matters even more complicated, it’s also hard to tell when deterrence has actually worked because, if it does, nothing happens. So even if a state was deterred by a good defense, it’s almost impossible to know whether the state didn’t follow through with the attack simply because it wasn’t interested in taking the action in the first place.
There are few if any, deterrence mechanisms that work to prevent cyber espionage. Because states routinely spy on one another—friends and foes alike—there are a very limited number of credible punishments states can use to threaten others into not spying. The US has tried using a handful of options for cyber deterrence, such as issuing warrants for state-sponsored hackers or threatening sanctions for cyber intelligence. But these have had limited success. This does not mean, however, we should throw out the deterrence baby with the bathwater. As Jon Lindsay, a professor at University of Toronto, points out, the success of deterrence outside of cyberspace can incentivize and shape state behavior within cyberspace. And, there is compelling evidence that deterrence can work in cyberspace. No adversary has ever conducted a cyber attack against the United States that created violence or sustained, significant effects on infrastructure or military capabilities. Arguably, this is because the US’s large and lethal conventional military force is a credible deterrent at higher cyber thresholds. The more vexing strategic challenge for the US is in the space between national security espionage (where deterrence doesn’t quite apply) and major cyber attacks (where deterrence seems to hold).