In the Wake of SolarWinds, the U.S. Must Grapple With the Future and Not Just the Past

By Melissa K. Griffith
Monday, April 26, 2021, 10:58 AM

To date, there have been no indicators of disruptive or destructive goals from the sweeping Russian compromise of U.S. government and corporate networks (dubbed SolarWinds, SolarStorm, Sunburst, or even the Holiday Bear campaign, depending on whom you ask). However, in diagnosing this latest crisis, analysts, academics, and the policy community should not lose sight of what this operation may yet enable or how future cyber operations may differ. The SolarWinds campaign was quiet and persistent, and it appears to have been focused on espionage. This, in and of itself, is deeply concerning. Yet, that does not mean that future cyber operations will follow suit—accessing and exfiltrating data rather than disrupting, degrading, or destroying systems. After all, the dynamics of cyber conflict are informed as much by geopolitics and adversary preferences as they are by the technical and operational realities of cyberspace. 

If the U.S. is to draw the right policy lessons in the wake of this hack, policymakers, scholars, and industry leaders alike must take seriously the advantages of intelligence-gathering efforts of the scale and scope only a cyber operation can allow and the decisions and dynamics lurking behind the design, and objectives, of cyber operations. If left unexamined, both of these concerns risk creating critical blind spots in U.S. national security policy going forward.

Worryingly, the full consequences of this campaign have yet to be felt. While SolarWinds was not, at least at the time of its discovery, a cyberattack (or as some publicly declared it, an act of war), this distinction does not diminish its national security significance. 

Cyber espionage operations have the added advantages of increased scale and scope of data collection over their historical predecessors. Why? They benefit heavily from the character of cyberspace itself, with billions of networked devices and their users around the world. For example, SolarWinds, whose Orion platform was leveraged to gain access to U.S. government and corporate networks, is widely used to manage information technology (IT) systems. Though hardly a household name, SolarWinds had approximately 33,000 Orion customers globally. This broad usage allowed hackers to gain footholds across a wide range of organizations (approximately 18,000), though they elected only to maintain access to and actively exploit closer to a hundred organizations’ networks. That number of organizations simultaneously exploited—while smaller than the initial footholds would have allowed—is still quite high in comparison to the scale and scope achievable through non-cyber-enabled intelligence collection. The SolarWinds hack is not unique in this regard. The recent Microsoft Exchange Server hack similarly demonstrated the scale and scope of access afforded to cyber espionage operations: Somewhere between 30,000 and 60,000 organizations were compromised.

Yet the grave damage that can be wrought from cyber espionage operations is found not just in what was accessed but also in how that information will be leveraged. Intelligence collection, cyber enabled or not, can have strategic consequences but, importantly, is rarely an end in and of itself. Data collection of this type can serve several strategic, operational, and tactical purposes, often at the same time. Five such benefits are outlined below. 

First, intelligence can help decision-makers formulate national and international policies. For example, gathering information on the negotiating strategies and voting preferences of other U.N. Security Council members before an important vote can help inform a state’s approach to negotiations. Similarly, in the case of SolarWinds, accessing the State Department’s Bureau of European and Eurasian Affairs emails can help inform Russian strategy by elucidating U.S. views of and efforts in the region. 

Second, espionage can assist states in responding to the needs of other ongoing or future operations, cyber or otherwise. This includes actionable intelligence such as reconnaissance on a subsequent target or insight into another state’s defensive cybersecurity capabilities. The utility of SolarWinds for future operations will also be less direct than providing actionable intelligence. Tradecraft is not static. It evolves as operators learn from themselves and others. In short, the SolarWinds hack also provided an invaluable, real-world learning opportunity, experience that can be capitalized on in subsequent cyber operations. 

Third, data collection can be a powerful means of offensive capabilities or weapons proliferation, especially with the theft of a country’s or company’s red team tools or intellectual property. If these capabilities and/or tradecraft are then leaked publicly, as was the case with both the Shadow Brokers and Vault 7 hack-and-leak operations that targeted the National Security Agency (NSA) and the CIA, respectively, proliferation can be coupled with the bonus of degrading the targeted organization’s capabilities. While several employees at FireEye have acknowledged that their red team tools would not be as damaging in the wild as NSA and CIA red team tools, gaining access to these tools was one observable objective of the SolarWinds hack. In addition to broader proliferation and capability degradation concerns, these particular tools were developed to help FireEye’s customers cultivate more robust defenses. In other words, accessing these particular red team tools offered the hackers a more robust understanding of one aspect of how FireEye secures its customers.

Fourth, cyber espionage operations have also formed the bedrock of influence operations, such as the hack-and-leak efforts seen in the U.S. 2016 and French 2017 elections. Russia has a unique history of fusing cyber intrusions with influence operations, and it is more than possible that it will do so again powered by a treasure trove of data from the highest levels of the U.S. government. 

Fifth, extensive and quiet persistence in a country’s systems can sow turmoil at home and demonstrate potential weaknesses to a global audience, even if the intelligence exfiltrated from the systems was not leveraged directly. For example, the public aftermath of the SolarWinds operation has shone a bright light on several U.S. policy shortcomings and persisting areas of concern, including operational collaboration between the public and private sectors; the roles, responsibilities, resources, and capabilities of the government; and software supply chain security. 

Given this wide range of strategic, operational, and tactical benefits, a cyber operation of this scale, sophistication, and quiet persistence should never be understood as “just espionage.” 

Ultimately, the national security of the U.S. rests as much on how well equipped industry and government alike are to respond to these future impacts as it does on the nation’s cybersecurity incident response and prevention capabilities today. As industry, academia, and the policy community seek to contextualize and respond to this hack, they cannot overlook the broader geopolitical environment within which this operation took place. For the U.S. policy community, this will require focusing collective attention on the immensely difficult tasks of assessing the strategic, operational, and tactical value of the data on compromised systems and identifying opportunities to disrupt the use of that data or mitigate the impacts of those uses as far in advance as possible. In short, the incident evaluations and targeted policy interventions must be far broader in scope than holding congressional hearings and producing technical and operational incident reports detailing and responding to what went wrong before and during the SolarWinds hack. While it is important to focus on what happened, the U.S. cannot lose sight of what this operation may yet still enable. 

Indeed, as an espionage campaign, SolarWinds is troubling enough. Yet if Russia had wanted to leverage its early footholds for disruptive or even destructive purposes, it could have done so. Once malicious actors gain access (initial entry in) to a target’s system, they decide how they wish to use that foothold. So, why did Russia choose to focus its efforts on accessing and exfiltrating data rather than disrupting or degrading systems? 

The SolarWinds campaign was likely never envisioned as anything but espionage. After all, cyber espionage operations provide ample advantages. This type of intelligence-gathering operation has also been pointed to as further evidence of an ongoing and persistent intelligence contest playing out between states in cyberspace, which Joshua Rovner and others have commented on extensively. However, while SolarWinds may be an example of an intelligence operation, that does not mean that future operations against the U.S. will necessarily follow the same pattern. Intelligence operations are, after all, the product of a broader strategic competition between states. 

The types of operations the U.S. has faced are not some immutable byproduct of cyberspace. The circumstances that led to previous and current operations can change. The answer to “why espionage?” is as much a reflection of the current geopolitical environment and adversary preferences—their willingness to take risks, strategic goals, and organizational dynamics—as it is a feature of the domain itself. If the geopolitical climate in 2019 and 2020 had been far more contentious than it was, for example, the SolarWinds operation could have looked quite different from the operation that was recently discovered. As a consequence, the pressing policy question is not whether this operation is best understood as espionage but, rather, under what conditions might preferences for data collection evolve into something more disruptive or destructive? 

Such a shift could take two forms. First, the operations the U.S. faces in the future could be designed with very different intentions than those believed to be behind the SolarWinds campaign. Destructive and disruptive cyber operations are not merely theoretical. States in general, and Russia in particular, have carried out cyberattacks before, and several have leveraged software supply chains to do so. Notably, however, these cyberattacks have largely occurred amid contentious geopolitical moments between countries: The Russian cyberattacks against Ukraine’s power grid in 2015 and 2016 or the U.S. and Israeli cyberattack against the Iranian Natanz uranium enrichment plant using the Stuxnet worm are notable examples. In short, the SolarWinds campaign may have only ever been envisioned as espionage, but the next operation may not be. 

Second, and of direct concern given the significant access to and persistence in U.S. networks discovered in the wake of SolarWinds, existing persistence in U.S. systems could shift from maintaining access to more disruptive and destructive goals. Espionage is merely one form of access. Access can also include establishing the groundwork for a subsequent disruptive or destructive operation (like operational preparation of the environment) or simply maintaining persistence in networks for as long as possible to allow for the possibility of a variety of operations in the future (holding an adversary at risk). A prime example of this concern occurred in 2018, when news broke of Russia’s ongoing presence within U.S. power grids and how it might leverage that access in the future—scouting could later become sabotage. 

While Ben Buchanan and others have written extensively on the dilemma of interpretation complicating how targets interpret discovered malicious cyber activity within their systems—access for espionage purposes and access that lays the groundwork for an attack can be difficult to distinguish in practice—the concern here is far greater. These types of operations may be difficult to distinguish, but equally important, persistence in a network provides strategic and operational flexibility for malicious actors in the future. Depending on the type of persistence (or access) established, pivoting from espionage to attack may be easier or harder. But an important first step in any cyber espionage operation or cyberattack is gaining access to networks and systems in general (initial entry into and maintaining persistence over time in a targeted network) and specific subcomponents in particular (internal reconnaissance and lateral movement or pivoting once inside a network).

Sergio Caltagirone, vice president of threat intelligence at Dragos, identified this initial concern—long-term persistence in networks and systems shifting from access to attack—back in December 2020 when speaking about the SolarWinds intrusion. Caltagirone pushed back against many in the IT community who were labeling SolarWinds as just espionage: “At Dragos, and generally in the [industrial control systems (ICS)] community, we don’t make that early [espionage] statement for a reason[.]” Why? Because persistence in ICS networks, as well as access gained specifically through software supply chains, has routinely been leveraged for both espionage and attacks. In fact, access and attacks can often be distinct in practice, as Caltagirone emphasized, with an access operations team gaining a foothold in a system followed by multiple effects operations (Dragos’s term for a cyberattack or computer network attack) teams that leverage that access for a variety of disruptive or destructive purposes in the future.

Simply because SolarWinds appears to have been focused on access at the time of its discovery does not preclude the possibility that some of its footholds could have been leveraged for other purposes in the future. Notably, the reach of the SolarWinds campaign extended beyond U.S. government systems and cybersecurity firms such as FireEye. The Orion platform is used by both vendors and operators of industrial control systems and critical infrastructure, many of which do not have the visibility into their respective networks necessary to adequately assess whether that initial access led to subsequent actions within their environments. 

None of this is to say that the operators carrying out the SolarWinds hack were secretly waiting to carry out disruptive or destructive goals while masquerading their operation as espionage or that the particular type of access gained, maintained, and exploited in this instance would have been well suited for a rapid shift toward more disruptive or destructive goals. Rather, it serves as an important note of caution. Without having this broader cyber conflict conversation around the evolving circumstances shaping both adversary preferences and the character of cyber conflict, the U.S. risks getting caught flat-footed—prepared for the operations the U.S. faced and discovered in the past but ill-equipped for and surprised by the operations it may face in the future. In short, establishing what happened with this one recently discovered Russian campaign is not the same task as determining how representative of future cyber operations it is likely to be. 

The U.S. is facing a critical policy moment, one that demands that policymakers ask and answer the right questions in order to move forward from a place of strength. In policy discussions to date, analysts, academics, and the policy community alike have all too frequently overlooked the broader tactical, operational, and strategic goals cyber espionage operations can support. Yet those goals can have a severe impact on U.S. national security. More broadly, and perhaps more concerningly, too much of the existing cybersecurity work and policy has been retrospective, extrapolating the days ahead from days gone by without the necessary scrutiny. Both oversights put the U.S. in a precarious national security position now and in the future.