CybersecurityPunitive Response to SolarWinds Would Be Misplaced, But Cyber Deterrence Still Matters

By Erica D. Borghard

Published 5 April 2021

Some analysts argue that the United States should respond to the SolarWinds breach by focusing on improving defenses, rather than on conducting a retaliatory response such as some government officials have been advocating. Apunitive response to SolarWinds may be unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.

In a recent Russia Matters article, Paul Kolbe argues that the United States should respond to the SolarWinds breach by focusing on improving defenses, rather than on conducting a retaliatory response such as some government officials have been advocating. Kolbe claims that prior U.S. responses to Russian cyber behavior—which have involved imposing sanctions, issuing indictments or conducting cyber operations—have failed to deter Russian operations or meaningfully change Moscow’s calculus.

Kolbe is right that, when it comes to SolarWinds, it is unlikely that retaliatory measures aiming to impose costs against Russia (inside or outside of cyberspace) will work to shift the Russian government’s risk-benefit assessment—but he’s right for the wrong reasons. It is also important to note that Russia continues to deny responsibility for the SolarWinds incident. Regardless, a punitive response to SolarWinds is unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.

Espionage, whether it is conducted using cyber means or other forms of intelligence collection, is a tacitly accepted practice between states. That said, the United States has attempted to draw a distinction between cyber espionage conducted for national security purposes (such as obtaining private information about policymaking or U.S. strategy) versus for economic advantage (such as cyber-enabled intellectual property theft). Specifically, it largely defines the former as being regrettable but part of the unwritten rules of the game, while it deems the latter to be unacceptable. This distinction has been particularly important for how the United States has sought to address Chinese behavior in cyberspace, which has included a combination of diplomatic outreach and attempts to establish norms against economic espionage, such as the 2015 agreement struck between presidents Obama and Xi, as well as retaliatory measures pursued during the Trump administration, such as tariffs, export controls and economic sanctions.