ARGUMENT: Cyber offense

Responsible Cyber Offense

Published 2 August 2021

There is responsible conduct in cyberspace, and there is irresponsible conduct. Perri Adams, Dave Aitel, George Perkovich, and JD Work write that “If the SolarWinds operation was a case of somewhat responsible hacking within the bounds of acceptable state action (even if Russia is far from a responsible actor in cyberspace), the Exchange operation, by contrast, demonstrates how an irresponsibly conducted espionage operation can escalate into collateral damage and instability.” They write that, despite critical preventive efforts, “offensive operations will continue apace in the foreseeable future—conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies.”

News of the SolarWinds hack emerged with reports the incident had triggered an emergency Saturday meeting at the National Security Council. In the weeks that followed, the story dominated headlines. Perri Adams, Dave Aitel, George Perkovich, and JD Work write in Lawfare that whereas most offensive cyber operations rarely receive concentrated focus, the name of a Texas-based information technology software company, SolarWinds, became ubiquitous across mainstream news outlets and quickly synonymous with the Russian hacking operation that targeted it. Policymakers, corporations and the entire cybersecurity industry were soon asking, “How do we address SolarWinds?” 

The authors note that Russian state actors had breached SolarWinds’ network to insert a backdoor into a software product used in critical networks across the United States. The hackers then snuck through their carefully hidden entrance to infiltrate the State Department, Treasury Department, Microsoft, and thousands of other government and corporate networks. “The scale of the attacks, along with the high-profile nature of many of the targets, encouraged the widespread coverage and subsequent reaction from elected officials.”

They add:

As members of Congress questioned SolarWinds leadership about how they might prevent such a backdoor in the future, attackers installed an entirely different backdoor on hundreds of thousands of servers around the world by leveraging an accidental vulnerability in Microsoft Exchange software. While this wasn’t a supply chain hack per se, these new actors carried it out with more recklessness than their Russian counterparts: They compromised a much larger number of networks, leaving a trail of vandalism in their wake. Yet this campaign failed to capture the sustained interest of the American public or many of its policymakers.

The SolarWinds hack initially grabbed headlines because of the sheer number of networks affected, but this belied the fact that the Russian operators had intentionally disabled almost all their backdoors without ever using them—they were carefully targeting a smaller number of networks. The Exchange perpetrators, conversely, had indiscriminately installed backdoors on any vulnerable server they could find on the internet—an order of magnitude more compromises than the Russians achieved—and had left these backdoors wide open with easily guessed, hard-coded passwords. Whereas the former hack was a carefully executed espionage campaign, not unlike those carried out by the U.S., the latter resulted in tens of thousands of networks left to the mercy of a thriving ransomware industry. 

The White House recently named the perpetrators behind the Exchange hack as Chinese government operatives. “More important than public attribution, the United States needs to build international support for drawing lines between responsible and irresponsible operations in cyberspace,” the authors write, adding:

If the SolarWinds operation was a case of somewhat responsible hacking within the bounds of acceptable state action (even if Russia is far from a responsible actor in cyberspace), the Exchange operation, by contrast, demonstrates how an irresponsibly conducted espionage operation can escalate into collateral damage and instability.

The sense of crisis created by these two operations should not be wasted. Despite critical preventive efforts, offensive operations will continue apace in the foreseeable future—conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies. For there are better and worse ways for governments (and their explicit or de facto contractors) to operate in cyberspace. Benign countries should cooperate now to promote verifiable, technical norms for responsible offensive cyber operations.