Cybersecurity Requires Collaboration
The recent SolarWinds cyberattack has already entered the history books as the most serious penetration of US computer networks ever. While the scope and scale of the attack continues to unfold, and no official attribution for the attack has been made by President Donald Trump, US lawmakers have likened the attack to an act of war, raising the specter of military conflict with Russia, which has emerged as the most likely perpetrator of the attack. While past Russian efforts to collaborate with the US on cybersecurity were rebuffed, the seriousness of the SolarWinds crisis may provide the political opening for US-Russian cooperation in cybersecurity in the new Biden administration.
In early July 2017, on the eve of the Helsinki Summit with Russian President Vladimir Putin, Trump sent out a pair of tweets suggesting that the US and Russia collaborate on the creation of “an impenetrable Cyber Security unit” to guard against “election hacking & many other negative things.” This idea was furthered during the summit, with Putin telling the media that issues such as the alleged cyberattack on the Democratic National Committee in 2016 could be analyzed by a “joint working group on cybersecurity.”
The concept of a joint US-Russian cybersecurity effort was immediately dismissed by US lawmakers and cybersecurity experts, as was a September 2020 Putin proposal that Russia and the US work together on “reaching global agreement on a political commitment of states on no-first-strike with the use of [cyberweapons] against each other.”
In November 2020, private cybersecurity companies in the US began detecting intrusions in monitored computer networks linked to software updates published by SolarWinds, a Texas-based company that develops software for businesses to help manage their networks, systems and information technology infrastructure. By Dec. 7, 2020, the scope and scale of this cyberattack was significant enough to compel the National Security Agency to publish a cybersecurity advisory, declaring that “Russian state-sponsored malicious cyber actors” exploited specific software which allowed them “access to protected data” while “abusing federated authentication.”
The attackers were able to generate their own credentials in the form of Security Assertion Markup Language authentication assertions, which were then sent to Microsoft’s Active Directory Federation Services, which in turn granted the attackers access to protected data. The attackers were able to gain access to over 17,000 computer networks across a broad spectrum of civil and government users, including the National Security System, Department of Defense, and Defense Industrial Base networks.
According to Thomas Bossert, who served as a homeland security adviser to Trump, the attackers had access to these network servers for six to nine months, during which time they were able to gain administrative control, giving them virtual carte blanche to identify and export data of interest. According to Bossert, it will take years to know for certain which networks the attackers gained control of.
But the real cost, according to Bossert, is the undermining “public and consumer trust in data, written communications and services.” Moreover, the attackers have the power to destroy data impersonate legitimate persons, tools that could be used for, as Bossert put it, “malign influence and misinformation” So far, there is no evidence that the SolarWind cyberattack resulted in anything other than compromised servers and the theft of data.
A New Form of Warfare
US policymakers are in a quandary over how to respond to the attack. “No response is not appropriate, and that’s been our national policy by and large for the past 10 or 15 years,” observed Sen. Angus King of Maine, the co-chair of the Cyberspace Solarium Commission. “I want somebody in the Kremlin, sitting around that table to say, ‘wait a minute, boss, if we do this we are liable to get whacked in some way,’ and right now they are not making that calculus.”
The question of what constitutes getting “whacked,” however, remains an open question. Given the lack of attention to the SolarWinds cyberattack by the Trump administration, the onus for a response will most likely fall on President-elect Joe Biden. When asked about any potential response by his administration, Biden declared that whoever carried out the attack “can be assured that we will respond and probably respond in kind.” But the risk of a military response cannot be ruled out.
The most sobering assessment of the SolarWinds cyberattack came from Brad Smith, president of Microsoft. “This latest cyber-assault,” Smith wrote in an open letter published on Dec. 17, “is effectively an attack on the United States and its government and other critical institutions.” Smith noted that the attack “has put at risk the technology supply chain for the broader economy,” declaring that “it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect,” Smith concluded, “this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure.”
The 2018 Nuclear Posture Review (NPR), published by the Office of the Secretary of Defense, describes the conditions that could lead to the use of nuclear weapons by the US. The NPR says this could occur “in extreme circumstances to defend the vital interests of the United States, its allies, and partners.” The NPR further elaborated that “extreme circumstances” included what was termed “significant non-nuclear strategic attacks.” According to the NPR final report, “[s]ignificant non-nuclear strategic attacks include, but are not limited to, attacks on the US, allied, or partner civilian population or infrastructure, and attacks on US or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”
Brad Smith’s assessment suggests that the SolarWinds cyberattack could be construed as a “significant non-nuclear strategic attack” against civilian infrastructure. In addition, some of the specific targets of the attack come dangerously close to meeting the threshold of a nuclear weapons release justification. In particular, the attack targeted the National Nuclear Security Administration (NNSA) and its parent agency, the Department of Energy. But here is no evidence that the attackers penetrated the mission essential national security functions of the NNSA.
But the targeting of the NNSA highlights the vulnerability of another national security sector named in the NPR as a target of concern in any “significant non-nuclear attack,” namely the nuclear command and control system (NC3). A cyberattack on NC3 would put the US at risk of not being able to effectively respond to what the 2018 NPR called “an unprecedented range and mix of threats,” which included “conventional, chemical, biological, nuclear, space, and cyberthreats.”
For nuclear deterrence to be effective, the NPR noted, potential adversaries must not miscalculate the consequences of their actions, and instead must understand that there be no possible benefits from non-nuclear aggression or limited nuclear escalation. “Correcting any such misperceptions,” the NPR notes, “is now critical to maintaining strategic stability.” One of the ways that misperceptions are “corrected” is that the US will hold those responsible for acts of aggression, including “new forms of aggression,” which would seem to include cyberattacks.
Cybersecurity ‘Rules of the Road’
While Biden promised a strong response to the perpetrators of the SolarWinds cyberattack, he avoided invoking the language of armed conflict. Instead, his emphasis appeared to be on conflict resolution. “We need international rules of the road on cybersecurity,” Biden said.
While others may describe it as an act of war, the SolarWinds cyberattack probably constitutes — according to the Article on State Responsibility, adopted by the UN General Assembly in 2001 — an “internationally wrongful act.” To qualify as such, the perpetrators of the cyberattack must be attributed to a state, and their actions must have breached an obligation owed another state.
The international rules of the road that Biden advocates already exist to some extent in the Tallinn Manual 2.0, published in 2013 and updated in 2017, which provides an analysis on how existing international law applies to cyberattacks. According to the Tallinn Manual 2.0, the SolarWinds cyberattack does not meet the standard of an intervention into the internal affairs of the US. However, the fact that US lawmakers continue to invoke the language of war, and that the current nuclear policy of the US has options authorizing the use of nuclear weapons in response to certain types of cyberattacks, there is clearly a need for universally accepted rules of the road when it comes to cyberoperations.
While the Tallinn Manual 2.0 provides a good starting point, it is not all inclusive, nor does it carry the authority of law. The most important aspect of the US response to the SolarWinds cyberattack is not the form that any potential retaliation might take, but rather the prospect of defining the rules of the road for cybersecurity. An agreement between the US and Russia on the kind of “joint working group on cybersecurity” that had been promulgated by Putin in 2017 but rejected by the US could be a good start. In the aftermath of the SolarWinds crisis, Biden should put such a proposition at the top of his “to do” list regarding Russia. The alternative could be disastrous.