Cybersecurity and Deterrence

Was SolarWinds a Different Type of Cyber Espionage?

By Erica D. Borghard
Tuesday, March 9, 2021, 10:46 AM

The Biden administration announced that it will impose sanctions and other measures against Russia in response to the SolarWinds incident. The cybersecurity firm FireEye disclosed the compromise of numerous government and private-sector networks in December 2020. SolarWinds is among the top cybersecurity breaches the U.S. government has ever confronted and has raised critical questions about the integrity of federal networks and Russia’s ultimate intentions. Given the incident’s significance, it is understandable that the Biden administration is grappling with how to appropriately address it. But, setting aside important limitations of economic sanctions as a policy tool to address malign cyber behavior, there is a gap between how administration officials are framing the nature of the SolarWinds incident and what the available evidence indicates about it. This is problematic because how policymakers understand the nature of a given policy challenge shapes their choices about appropriate responses—and if the former is mistaken, a mismatch between policy and reality could result. 

The crux of the question of how policymakers should understand and address Russia’s breach of federal and private-sector networks, and its exfiltration of data, hinges on whether the Russian campaign was “just” a case of routine cyber espionage, a qualitatively different form of cyber espionage that places it outside the scope of routine state behavior, or a type of cyberattack. The president of Microsoft has described SolarWinds as “the largest and most sophisticated attack the world has ever seen,” and others have even debated whether it might constitute an act of war. Notwithstanding these histrionics, Biden administration officials have been more careful in how they depict the incident and have largely avoided using the language of “cyberattack.” This judiciousness should be commended, because a cyber intrusion that does not result in disruptive or destructive effects is not an attack.

The distinction between cyber espionage and cyberattack is important because espionage—including spying that takes place in and through cyberspace—is a routine aspect of statecraft. For instance, when the United States discovered in 2015 that China had gained access to Office of Personnel Management networks and compromised sensitive information about millions of federal government employees and their families, James Clapper, then-director of National Intelligence, stated, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

All states spy on one another, including allies and adversaries alike. And states have developed informal and tacitly accepted tit-for-tat responses to address espionage operations when they are uncovered (what are often termed “Moscow rules”). Moreover, states can signal what they perceive to be a deviation from acceptable intelligence operations by taking a more forceful response beyond what is typically done in a given instance.

But, while SolarWinds in some aspects may appear to be an example of “routine” cyber espionage, some Biden administration officials seem keen to depict this incident as a different form of espionage. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, noted in her first press conference that SolarWinds is unique in its scale and scope, describing it as “more than a single incident of espionage; it’s fundamentally a concern for the ability for this to become disruptive.” 

There are several issues with this statement. On its face, the United States may be wise to promote a norm according to which cyber espionage that crosses a certain threshold of scale and/or scope warrants a more significant response above usual measures. Specifically, to promote systemic stability, the United States should consider pursuing confidence-building measures that aim to limit large-scale targeting of the supply chain. It would also have to be willing to hold itself to the same standard and not pursue those types of operations. However, in the case of SolarWinds, while the threat actors did compromise tens of thousands of networks—certainly a large scale—their ultimate objective may have been far more targeted, focused on exfiltrating specific data, including emails. If future evidence continues to substantiate this, then SolarWinds’s more tailored objectives suggest that the incident should be characterized as falling within the scope of strategically damaging to the United States but not out of bounds of routine state behavior in cyberspace.

A more significant concern with Neuberger’s statement is that it conflates espionage and disruptive attacks. In doing so, it implicitly—although likely unintentionally—downplays the strategic consequences of even routine cyber espionage, such as the espionage campaign carried out by APT10, a group affiliated with China’s Ministry of State Security and indicted by the U.S. Department of Justice in 2018. Even if SolarWinds were “only” an espionage operation, it could nevertheless lead to several deleterious effects, such as aiding Russia in uncovering impending U.S. foreign policy decisions, identifying critical personnel and understanding decision-making processes, improving Russian counterintelligence operations, and so on. 

Moreover, the tools to address cyber intelligence failures (such as improving defense and counterintelligence) are different from the tools to deter disruptive or destructive attacks (such as threats to retaliate or impose costs). Therefore, given the apparent concern that the Russian operation could transition from espionage to disruption—which may indeed be the case—the Biden administration’s response should differentiate between the policy tools that are aimed at addressing the intelligence failure and those meant to deter possible forthcoming (but as yet unrealized) attacks. 

For instance, Biden’s national security adviser, Jake Sullivan, recently stated on “Face the Nation” that the United States will “ensure that Russia understands where the United States draws the line on this kind of activity.” But this begs the question: Which kind of activity? The United States should not be drawing lines that it cannot or will not meaningfully enforce. Therefore, the Biden administration should communicate to Russia and others that it is drawing a line of unacceptable activity above the threshold of cyber espionage. Ideally, the Biden administration should also capitalize on the opportunity posed by the SolarWinds incident to reengage with allies and partners on more clearly delineating and defining norms of acceptable behavior in cyberspace. In this narrow circumstance, a unilateral effort by the United States to deter Russia from taking a specific action to weaponize the access it has gained may be successful, but over the long term, meaningful international norms will lack traction if the United States pursues them alone. 

Relatedly, there is simply no reason to think Russia will launch a cyberattack against the United States out of the blue. Cyber operations are a manifestation of geopolitics and states’ calculations about their strategic interests. Therefore, while the United States aims to deter a potential attack, the intelligence community should also be developing and collecting against indicators and warnings of potential disruptive activity so that the United States can be better prepared to anticipate it and take proactive measures to shore up its defenses. 

The SolarWinds incident certainly demands a response—including a damage assessment, conducting incident response and remediation, continued intelligence and counterintelligence efforts, and improved overall defenses. But policymakers should be careful about how statements and actions correspond to thresholds of behavior in cyberspace.