The United States has just sanctioned various Russian entities in express response to the SolarWinds Orion exploit campaign. But what normative line, if any, is the U.S. saying the Russians crossed?
1. Before getting into that: What exactly happened this morning?
This morning, April 15, President Biden invoked his statutory authority under the International Emergency Economic Powers Act (IEEPA) to issue a new executive order establishing an expanded sanctions framework responding to a wide range of malicious activities Russia has conducted against the United States, other countries and Russian citizens.
In practical terms, this means that the Treasury Department is now empowered to name specific foreign entities and individuals who will be subject to financial sanctions due to their involvement in conducting or supporting those various activities. Similarly, the State Department will take actions preventing such persons from entering the United States. Sometimes when such sanctions regimes are set up under the IEEPA, it’s unclear whether (if at all) the Treasury Department will actually name specific persons and entities to be sanctioned. At other times, though, advance coordination among government agencies enables the department to act immediately. The latter is what happened today: The Treasury Department simultaneously exercised its authority by sanctioning a large number of Russian persons and entities.
2. Is it clear that the sanctions relate to Russian cyber activities?
Yes. The order specifies seven categories of malicious activity justifying sanctions. They range, as you would expect, from election interference to assassinations. But it’s the first item on the list that matters most for purposes of this post: “malicious cyber-enabled activities.”
3. Who, specifically, has been sanctioned today in relation to those cyber activities?
As described in the Treasury Department explanatory statement issued this morning, the department has designated six Russian companies that provide various forms of direct support to the cyber activities of Russian intelligence services. According to the department, “These companies provide a range of services to the FSB, GRU, and SVR, ranging from providing expertise, to developing tools and infrastructure, to facilitating malicious cyber activities.”
The Treasury Department also has issued a separate directive prohibiting U.S. financial institutions from dealing in Russian sovereign debt, under the color of today’s executive order, but that particular sanction does not appear to be premised specifically on Russia’s malicious cyber activities.
4. Is it clear that the SolarWinds Orion campaign is part of the justification for these sanctions?
Yes. As explained in this “fact sheet” from the White House, one example of the malicious cyber activities justifying these sanctions is “the SolarWinds incident.” The statement goes on to formally attribute that attack to Russia and, more specifically, to Russia’s Foreign Intelligence Service (the SVR):
Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The U.S. intelligence community has high confidence in its assessment of attribution to the SVR.
The SVR’s SolarWinds Orion campaign also figures prominently in the Treasury Department explanatory statement.
5. Is the SolarWinds Orion campaign the only Russian cyber activity mentioned as a basis for today’s sanctions?
No. The Treasury Department statement has the most details—and, not surprisingly, it recites a litany of problematic cyber activities conducted by Russian government entities, including not just the SVR, but also Russia’s Federal Security Service (FSB) and the Russian military’s Main Intelligence Directorate (GRU). Referring to these three entities collectively as the “Russian Intelligence Services,” the Treasury Department asserts that they “have executed some of the most dangerous and disruptive cyber attacks in recent history, including the SolarWinds attack.” Most of the examples the department provides are specific to the GRU: NotPetya, Olympic Destroyer, and election interference in the U.S. and in France. The FSB is cited, too, for targeting Russian journalists and dissidents, as well as “U.S. government personnel and millions of private citizens around the world.”
6. Is the U.S. government claiming that all cyber-enabled espionage is wrong? If not, what redline did the SolarWinds Orion campaign cross?
The United States obviously does not take the position that espionage in general is wrongful, nor does it take the position that espionage conducted via cyber means in general is wrongful—after all, it conducts plenty of espionage via cyber means itself. What, then, is the basis for treating the SolarWinds Orion campaign as wrongful, giving it pride-of-place in the explanation of today’s sanctions?
For the moment, the best answer is found in the Treasury Department statement:
The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern. The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers. Victims of the compromise include the financial sector, critical infrastructure, government networks, and many others. Further, this incident will cost businesses and consumers in the United States and worldwide millions of dollars to fully address.
Notice that there are several variables cited in that passage (and some of them are mentioned also in the White House “fact sheet” mentioned above). So far, the U.S. government has yet to issue a statement explaining which of these, if any, are the necessary or sufficient conditions for treating a particular cyber-enabled espionage campaign as wrongful in a normative sense. The implication, however, is that at least this particular combination will do the trick. So let’s separately identify those variables in order to understand as best possible the redline that implicitly has been drawn today:
First, there is the scale of infections. The campaign ultimately lodged the Sunburst malware on “tens of thousands” of computers, though the SVR actively exploited its resulting accesses only in a small percentage of those cases. Of course, the SolarWinds Orion campaign is hardly unique in its scale. This variable, standing alone, surely would not suffice to justify normative criticism of the operation.
Second, there is the attacker’s track record. So long as this considers the activities of the Russian government as a whole, rather than those of the SVR in particular, “reckless” if anything is too generous as a description of the Russian government’s willingness to use cyber means to cause concrete harm rather than just for information collection. The GRU in particular has demonstrated again and again its willingness to cause such harm, including in blunderbuss ways that spill far beyond its immediate targets.
Of course, the U.S. government’s position is that it was the SVR, not the GRU, that conducted the SolarWinds Orion campaign. The SVR hardly has clean hands, but then again it does not have the GRU’s specific track record for destructive cyber operations. Should that matter for the “track record” variable? Perhaps so. But it’s pretty clear that the U.S. government’s approach instead is to focus on the Russian government as a whole as the relevant unit of analysis—which makes the SVR/GRU distinction irrelevant. It’s a very interesting—and vexed—question whether that is the most sensible way to think about this. But the decision to treat agencies within the Russian government as the same for purposes of this analysis further muddies the determination of just what redline the U.S. government is attempting to draw today.
Third, there is the particular attack vector. Echoing the concerns of Microsoft’s Brad Smith, the U.S. government emphasizes that this particular campaign took advantage of a software supply chain. Is that categorically forbidden? That’s probably not the U.S. position, since this is by no means the first software supply chain attack and none of the previous such attacks prompted such pushback.
So might the idea instead be that some specific subsets of the general software supply chain category are different, warranting special protection? More specifically, might the U.S. position be that vendor update systems (like the Orion update system that the SVR exploited in this instance) somehow should be wholly off-limits for espionage? That is not an unreasonable implication to draw from the Treasury Department statement. If that is part of the intent here, however, it raises serious definitional questions. Would all software update arrangements be shielded in this way? Only those relating to certain categories of software, such as the network-monitoring tools at issue in the case of Orion?
Fourth, there is the nature of the ultimate targets. The statement emphasizes that compromised systems included government actors, critical infrastructure entities, financial sector entities (which are, of course, part of critical infrastructure), and others. Are some or all of these systems off-limits? I’m doubtful the U.S. government means to take that position. It certainly is not the U.S. position as to government networks as targets, for example. Of course, many have argued for identifying various critical infrastructure sectors as off-limits for cyberattacks, including especially financial sector entities. I don’t think the U.S. government is prepared to advance that line, however, as a general limitation on cyber-enabled espionage—financial intelligence being as critical as it is for the United States.
Fifth and finally, there is the ultimate financial cost of remediation. Might there be a point beyond which the sheer financial impact of remediation renders an otherwise-permissible cyber espionage campaign problematic? Perhaps so in theory, but it is hard to see how one could possibly operationalize such a rule in practice.
I’ll mention another possible factor, one that understandably is not mentioned in the Treasury Department statement: domestic political salience. For better or worse, the SolarWinds story has been splashed across the headlines for many months now, at times dominating the news. It has been a bit of a phenomenon in the national dialogue, in other words, more so than most such scenarios. This has real and ongoing political implications, creating constant pressure to be seen as responding robustly.
Perhaps the most important vector for that robust response ought to be defensive measures such as funneling far greater resources to the Cybersecurity and Infrastructure Security Agency (CISA) so that it can better take the wheel in defending federal civilian executive branch systems. But it is understandable that the pressure all manifests in calls for action against the entity responsible for these headaches.
7. Is it clear that there is an answer to the question of what line SolarWinds crossed?
Not really. It is entirely possible that the Biden administration took today’s action without a consensus position on which redline, if any, the SolarWinds Orion campaign crossed. It is possible—probable even—that there are diverse views on that point from across the U.S. government, and that today’s action occurred notwithstanding inconsistencies among those views.
8. Must the U.S. government now do the same thing to China in response to the exploitation of Microsoft Exchange on-premises systems?
I suspect the answer is no, both because China does not have Russia’s collective track record for causing outright destruction rather than just collecting intelligence, and because the Microsoft Exchange story hasn’t had the larger national footprint that the SolarWinds story continues to have.
That said, it is worth noting that the White House in its “fact sheet” emphasizes that the United States also will be “bolstering its efforts to promote a framework of responsible state behavior in cyberspace,” including via U.S.-sponsored training programs for “foreign ministry lawyers and policymakers on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were negotiated in the United Nations and endorsed by the General Assembly.” That training will take place through the George C. Marshall Center in Garmisch, Germany. Will this provide a window, eventually, into the granular aspects of the U.S. government’s position on where the redlines are and how Russia crossed them in this instance? Time will tell.