ARGUMENT: Different kind of spying

Was SolarWinds a Different Type of Cyber Espionage?

Published 9 March 2021

The Biden administration announced that it will impose sanctions and other measures against Russia in response to the SolarWinds incident. The cybersecurity firm FireEye disclosed the compromise of numerous government and private-sector networks in December 2020. SolarWinds is among the top cybersecurity breaches the U.S. government has ever confronted and has raised critical questions about the integrity of federal networks and Russia’s ultimate intentions. “Given the incident’s significance, it is understandable that the Biden administration is grappling with how to appropriately address it,” Erica D. Borghard writes. But setting aside important limitations of economic sanctions as a policy tool to address malign cyber behavior, “there is a gap between how administration officials are framing the nature of the SolarWinds incident and what the available evidence indicates about it,” she adds.


But, Erica D. Borghard writes in Lawfare, setting aside important limitations of economic sanctions as a policy tool to address malign cyber behavior, “there is a gap between how administration officials are framing the nature of the SolarWinds incident and what the available evidence indicates about it. This is problematic because how policymakers understand the nature of a given policy challenge shapes their choices about appropriate responses—and if the former is mistaken, a mismatch between policy and reality could result.”

She adds:

The crux of the question of how policymakers should understand and address Russia’s breach of federal and private-sector networks, and its exfiltration of data, hinges on whether the Russian campaign was “just” a case of routine cyber espionage, a qualitatively different form of cyber espionage that places it outside the scope of routine state behavior, or a type of cyberattack. The president of Microsoft has described SolarWinds as “the largest and most sophisticated attack the world has ever seen,” and others have even debated whether it might constitute an act of war. Notwithstanding these histrionics, Biden administration officials have been more careful in how they depict the incident and have largely avoided using the language of “cyberattack.” This judiciousness should be commended, because a cyber intrusion that does not result in disruptive or destructive effects is not an attack.

The distinction between cyber espionage and cyberattack is important because espionage—including spying that takes place in and through cyberspace—is a routine aspect of statecraft. All states spy on one another, including allies and adversaries alike. And states have developed informal and tacitly accepted tit-for-tat responses to address espionage operations when they are uncovered (what are often termed “Moscow rules”).

But, while SolarWinds in some aspects may appear to be an example of “routine” cyber espionage, some Biden administration officials seem keen to depict this incident as a different form of espionage. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, noted in her first press conference that SolarWinds is unique in its scale and scope, describing it as “more than a single incident of espionage; it’s fundamentally a concern for the ability for this to become disruptive.”

Borghard writes that there are several issues with this statement, chief among them

is that it conflates espionage and disruptive attacks. In doing so, it implicitly—although likely unintentionally—downplays the strategic consequences of even routine cyber espionage, such as the espionage campaign carried out by APT10, a group affiliated with China’s Ministry of State Security and indicted by the U.S. Department of Justice in 2018. Even if SolarWinds were “only” an espionage operation, it could nevertheless lead to several deleterious effects, such as aiding Russia in uncovering impending U.S. foreign policy decisions, identifying critical personnel and understanding decision-making processes, improving Russian counterintelligence operations, and so on.

Borghard concludes:

The SolarWinds incident certainly demands a response—including a damage assessment, conducting incident response and remediation, continued intelligence and counterintelligence efforts, and improved overall defenses. But policymakers should be careful about how statements and actions correspond to thresholds of behavior in cyberspace.