Cybersecurity and Deterrence

The SolarWinds Breach Is a Failure of U.S. Cyber Strategy

By Robert Morgus
Friday, December 18, 2020, 8:01 AM

On Dec. 13, news broke that Russian intelligence operatives had successfully breached networks of the U.S. government and private entities by leveraging a vulnerability in the SolarWinds network management system. The campaign, which had been active for months before discovery, is a blow to U.S. Cyber Command’s strategy of “defend forward”—the notion that the U.S. should work to identify adversary cyber campaigns early and disrupt them closer to their source by disabling attacker infrastructure or other disruptive activities.

It is indisputable that defend forward failed to prevent the campaign As Nicholas Weaver notes in Lawfare, “This attack started in March with the first exploitation starting in April. Either [the U.S. intelligence community] didn’t know about it—a failure in the ‘defend forward’ philosophy—or they did know about it, in which case they also failed to defend forward.” But does this mean that defend forward is a failure?

Not necessarily. But the SolarWinds breach does reveal an important gap in the strategy that the U.S. must understand and address. For defend forward to be fully effective, the agent conducting defend forward must have perfect intelligence; to disrupt an adversary campaign, the U.S. must know about the adversary campaign in the first place. But perfect intelligence is not realistic: Intelligence is a process of painting as comprehensive a picture as possible with limited information. So the United States must expect some adversary campaigns to slip through the cracks. And as the conventional wisdom goes, “in cyberspace, the offense has the upper hand.” The attacker needs to succeed only once, while a defender must prevent all attacks in order to be successful.

But this does not mean that defend forward is doomed to fail. Rather, it underscores the importance of integrating defend forward into a broader national cybersecurity strategy—something that the 2018 National Cyber Strategy failed to do. The Cyberspace Solarium Commission, on which I served, recommended that the U.S. integrate elements of defend forward and persistent engagement into a broader strategy of layered cyber deterrence, emphasizing the importance of bolstering defenses to deny adversaries opportunities and shaping behavior through norms and international engagement. In the wake of the SolarWinds breach, it’s worth returning to these recommendations to chart a way forward.

Funding intelligence gathering and cyber operations should be a priority, but it cannot be the only priority. Resources for cybersecurity are finite, and the closer the U.S. aims to get to perfect intelligence, the more expensive this progress becomes. The U.S. should invest in resourcing Cyber Command and closing intelligence gaps, pushing intelligence capability as close to complete as possible. Defend forward can and should remain an important pillar of the United States’s approach to national cybersecurity, but it cannot stand alone. The U.S. government must give equal attention to building better cyber defenses.

For decades, the U.S. has underinvested in cyber defense—the protections that will prevent, or at the very least mitigate the consequences of, adversary cyber campaigns that slip through the cracks in U.S. intelligence. Vulnerability—manifested through not only insecure technology but also the humans and organizational processes that plug into that technology—is at the heart of the problem, a fact that is often ignored when public policies are drafted and funded. As a colleague once put it to me, it’s as if the U.S. is constructing buildings with rotten wood and not recognizing that the wood may be at fault when the buildings collapse. Reinforcements might help the buildings stay up, but the reality is that the builders need to stop using rotten wood.

The Cyberspace Solarium Commission recognized this fact in its report, noting that the U.S. must reshape its cyber ecosystem toward greater security by driving down national vulnerability at scale and making the best use of every dollar spent. To do so, the government must align incentives that shift the burden of cybersecurity away from the end user and onto the entities that are best placed to influence the ecosystem—building it on stronger foundations and with healthier wood.

The U.S. government can jump-start this realignment of incentives by working with industry and researchers to delineate clearer expectations for what constitutes secure technology development. Likewise, the government should incentivize suppliers to adhere to those expectations and to present security information about their products to consumers in an accessible form, helping consumers make informed decisions. The Cyberspace Solarium Commission recommended the creation of a National Cybersecurity Certification and Labeling Authority to help fill this gap. The government can also explore legal liability—the notion that if a vulnerability in a product causes damage, the supplier of that product is liable for a portion of the damage—to further incentivize better behavior from firms.

But technology is not the only source of vulnerability. Human behavior and organizational processes present cracks for adversaries to exploit as well. To begin making progress on addressing behavioral vulnerabilities, though, policymakers and private decision-makers must understand the scope of the problems and the best ways to remediate them. To make this happen, the U.S. government needs capacity to develop, test and understand the effectiveness of measures that most effectively prevent cyberattacks and mitigate cyber risk. The Cyberspace Solarium Commission recommended the creation of the Bureau of Cyber Statistics to achieve this end. Armed with a greater understanding of both the challenge and the remedies, the U.S. government can then shape market forces (including the insurance market), craft regulations, and change federal procurement practices in an effort to nudge people and firms toward better cyber behavior.

The commission proposed the adoption of layered cyber deterrence, a strategic approach emphasizing the need to shape adversary behavior by both imposing costs on adversaries and denying them benefits. Spies will continue to spy. States will conduct espionage. Criminals will continue to commit crimes, and terrorists will continue to spread terror. The U.S. must continue to do everything in its power to disrupt these activities at the source through defend forward and persistent engagement. But the U.S. must also recognize that some of these efforts will not succeed. Unless the government invests more seriously in building defenses and resilience, the U.S. will continue to fail.