PERSPECTIVE: Better cyberdefenses

The Strategic Implications of SolarWinds

Published 21 December 2020

Recent reports of a broad Russian cyber infiltration across U.S. government networks are a sign of how great-power competition will play out in the twenty-first century. Benjamin Jensen, Brandon Valeriano, and Mark Montgomery write that the SolarWinds operation demonstrates that U.S. Cyber Command’s vision of persistent engagement, which calls for preventively imposing costs on adversaries to shape competition in cyberspace, appears not to have worked as expected. “In the future, what is required is a deeper focus on denial-based approaches: How can the U.S. limit the attack surfaces available to the opposition and harden targets to ensure resilience?” they write.

Recent reports of a broad Russian cyber infiltration across U.S. government networks are a sign of how great-power competition will play out in the twenty-first century. Benjamin Jensen, Brandon Valeriano, and Mark Montgomery write in Lawfare that the new great power game is digital, with the shadowy alleys and cafes of Cold War spy exploits replaced by massive data breaches and compromising corporate security. Some strategies see this world as dominated by offensive operations, but, Jensen, Valeriano, and Montgomery note, the SolarWinds case suggests the opposite.

The U.S. Cyber Solarium Commission, on which the three authors served, found that the future of cybersecurity strategy will come to rely on layered cyber deterrence to enable defensive denial operations, international entanglement, and cost imposition when aggressors defy the norms of the international system. “The SolarWinds hack emphasizes the importance of implementing this strategy,” they write. 

It’s simpler to list the agencies that have not been caught up in the SolarWinds infiltration, which was run by Russian hacking group APT29 under the umbrella of the Russian intelligence services, the SVR. So far, only the intelligence community has not been reported to have been breached. 

Jensen, Valeriano, and Montgomery write:

The SolarWinds operation demonstrates the developing nature of modern great power competition, where rival states employ cyber strategies to steal secrets as well as to conduct limited operations meant to disrupt and degrade. Though media reports often characterize cyber operations as attacks, many operations are better thought of as instruments of political warfare and weak forms of coercion that do not seek destruction. Most cases involve stolen data or limited disruptive effects. There appear to be key firebreaks that limit escalation in cyberspace, keeping it a realm of covert and clandestine operations as opposed to decisive battles.

They note that the SolarWinds operation demonstrates that U.S. Cyber Command’s vision of persistent engagement, which calls for preventively imposing costs on adversaries to shape competition in cyberspace, appears not to have worked as expected, adding:

In the future, what is required is a deeper focus on denial-based approaches: How can the U.S. limit the attack surfaces available to the opposition and harden targets to ensure resilience? The goal should be to make it more difficult for states to launch sophisticated, widespread cyber intrusions—and this can be done by reducing the attack surfaces available to the opposition.

….

Finally, in order to better respond to a hack like SolarWinds, Section 1716 [of the FY21 National Defense Authorization Act] grants administrative subpoena authority to CISA so the agency can identify vulnerable systems and notify public and private system owners. And Section 1731 [of the FY21 National Defense Authorization Act] directs the executive branch to submit a report to Congress evaluating the federal cybersecurity centers and the potential for better coordination of federal cybersecurity efforts at a properly functioning integrated cybersecurity center within CISA.

The Biden administration should embrace these changes established by the NDAA and ensure their swift implementation. Beyond this, however, the Biden team also needs to pursue efforts to build a more effective defensive effort to deny adversaries the ability to execute hacks like SolarWinds. This will involve not only improving the federal government’s cybersecurity readiness, but also building the elusive public-private collaboration on critical infrastructure protection that has eluded the past four administrations.