Punitive Response to SolarWinds Would Be Misplaced, But Cyber Deterrence Still Matters

Why does any of this matter? Quite simply, states do not—and should not—attempt to deter espionage because spying is a routine aspect of strategic interaction in the international system. Deterrence entails a credible threat to inflict punishment on an adversary for, or deny their ability to engage in, some as yet untaken action. In other words, deterrence strategies aim to prevent something from taking place through manipulating the target’s perception of the overall balance of the costs, benefits and risks of doing so. However, when it comes to espionage, because all states routinely spy on one another, threatening some retaliatory response to an uncovered espionage operation makes little sense. Rather, deterrence is meant to apply to behavior that is beyond the bounds of routine aspects of statecraft—like attacking another state. However, this does not mean that states should refrain from taking steps to make espionage more difficult, or to better protect national security information from falling into the wrong hands.

While the United States is still ascertaining the full scope of the breach and assessing the extent of the damage, the available evidence indicates that the SolarWinds operation is an example of cyber espionage conducted for national security purposes. The Russian-affiliated threat actors compromised a significant number of federal and private sector networks, but data appears to have been exfiltrated from only a limited number of targets, and the selection of those targets is consistent with national security objectives rather than with disruption. Hence, while this compromise represents a momentous intelligence failure—one with significant strategic implications—at this point it does not constitute a cyberattack. Cyberattacks are distinct from intelligence operations because they generate effects against a targeted network or system, such as those that disrupt, deny or degrade. Therefore, in this case, a deterrence approach grounded in retaliation is mismatched to the nature of the strategic challenge. In this sense, Kolbe is correct that investing in improving defenses and intelligence sharing should be the primary focus of the government’s effort—as well as improving counterintelligence and strategic warning capabilities.

That said, sometimes states do respond to an adversary’s espionage operation with more significant retaliatory measures. When this occurs, it is typically because the state is signaling that the particular form of espionage that took place goes beyond what it finds to be acceptable. Norms of acceptable espionage behavior are not written down or clearly defined in any public agreements or treaties. Instead, the accumulation of state practice helps shape the implicit, informal norms about what forms of espionage will be tolerated.

This raises the question of whether the United States wants to define future cyber operations that are similar to SolarWinds as forms of acceptable espionage or not. Some policymakers argue that the scope and scale of the SolarWinds compromise places it in a different category and that, while cyber espionage is to be expected, large-scale compromises of the information and communications technology supply chain are unacceptable. In this case, retaliatory measures that go beyond typical responses could help communicate how the United States defines different types of cyber espionage. However, if the United States seeks to promote a norm against supply-chain compromises, for the norm to be meaningful Washington must also be willing to hold itself to the same standard.

Furthermore, while a deterrence framework may be inappropriate for cyber espionage, there are other types of cyber behavior where deterrence—which rests on the threat of retaliation—remains relevant. These include cyberattacks that have disruptive or destructive effects. In fact, in the United States, cyber deterrence largely appears to be working. Despite policymakers repeatedly sounding the alarm about the risks of a “Cyber Pearl Harbor” or a “Cyber 9/11,” the reality is that the United States has not yet suffered a major cyberattack. This is arguably because the United States retains credible, full-spectrum response options for cyberattacks that it sees as falling above a use-of-force threshold.

Instead, the trickier deterrence challenge rests not at the level of cyber espionage (where deterrence does not apply) or strategic cyberattacks (where deterrence seems to have been successful), but rather in the middle band of that spectrum. Examples of these types of cyberattacks include Iran’s sustained distributed denial of service attacks against the U.S. financial sector, known as Operation Ababil, in 2012-2013, or Russia’s “active measures” campaign to interfere in the 2016 U.S. presidential election. The United States is still struggling with how to reduce the magnitude and frequency of cyberattacks that have national security and economic consequences, but do not rise to a level of violence or significance where more robust retaliatory options would be relevant. Rather than prioritizing either offense or defense in the cyber domain, the United States needs to first do a better job of clarifying different categories of behavior in cyberspace and figuring out the optimal mix of offensive and defensive investments to address these at different thresholds.

Erica D. Borghard is a senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council. She also serves as a senior director on the U.S. Cyberspace Solarium Commission. The article, originally published in Russia Matters, is published here courtesy of the Harvard Kennedy School’s Russia Matters.