In the Wake of SolarWinds: Making and Breaking a Rules-Based Global Cyber Order


Paul Kolbe is entirely correct in reminding us that there is a great deal we still do not know about the SolarWinds hack. Russian official responsibility does seem probable, but it is not absolutely proven. The strongest statement that the U.S. agencies concerned have come up with is that the hack was “likely Russian in origin.”

Kolbe’s article and Erica Borghard’s response are also very valuable for their warning of the need to distinguish between cyber espionage and cyber sabotage or terrorism, as this crucial distinction has been blurred by the loose and lazy term “cyber attack,” as well as by the hysterical response to the SolarWinds hack by some U.S. politicians, with their very dangerous talk of an “act of war” (on which I have written previously here and here).

I would however like to point out in response to Borghard that Russia’s denial of responsibility is absolutely normal in espionage operations, even when these have been unquestionably revealed. In 2006, the British government denied Russian allegations of a British spying operation in Moscow using a device hidden in a fake rock, though after a few years a former British official admitted that the story was entirely true. The difference in the case of cyber operations is that (with all due allowance for freelances and double agents) conventional espionage has been the monopoly of states. On the internet, there are vastly more opportunities for independent actors, seeking personal gain or mere amusement. Most teenage hackers in the U.S. are not working for the CIA.

Kolbe is right to say that, given the nature of the hack, strengthening U.S. cyber defenses is a much better response than offense or retaliation. As in response to previous successful espionage operations against the U.S., a thorough review of practices and reforms of institutions are required. As after 9/11 (not that I wish to compare SolarWinds in any way to the criminality and the horror of that attack), a chaotic mixture of separate, overlapping and mutually antagonistic U.S. agencies must be pulled together into a coordinated and effective system.

As usual, this also requires a redirection of funding. Much has been said by military figures and military experts about how Russia is far more likely to use various forms of cyber infiltration and destabilization against the U.S. and NATO than engage in a horribly risky direct military attack; yet the Pentagon budget does not yet remotely reflect this. Cybersecurity is still an orphan compared to programs like additional main battle tanks, which the Army says it does not need and for which there are very few conceivable uses.

I feel that two other things should be added to Kolbe’s and Borghard’s remarks. The first is that a recognition of the need to make careful distinctions between different categories of cyber operations, and to shun the use of emotive and misleading language about “attacks,” should also be extended to the field of political influence via the internet. Using cyberspace to spread propaganda, influence political outcomes and reveal or invent damaging information is an extension of tactics that have been used in different ways for millennia—including by the U.S.

Actually trying to rig U.S. elections by tampering with the count online would be completely different and vastly more serious. It would be cyber sabotage but more dangerous even than the sabotage of infrastructure because it would undermine the credibility and legitimacy of the entire U.S. democratic process. Any such operation should certainly be regarded as an “attack” and should prompt strong U.S. retaliation.

Russia has certainly engaged in influence operations—though as calmer heads have pointed out, their impact appears tiny in proportion both to the immense mass of domestic U.S. political information and disinformation on the web and to the impact of revelations such as those of Edward Snowden. Russian intelligence did not however attempt to tamper with the vote itself. As the report of the U.S. Senate Committee charged with investigating Russian interference in the 2016 elections states in its findings, “The Committee has seen no evidence that any votes were changed or any voting machines were manipulated.” It is also worth pointing out that in this report, as in many cases, the actual words of U.S. intelligence services were more tentative than the way they were reproduced by the media and politicians: “Dr. Samuel Liles, Acting Director of the Cyber Analysis Division within DHS’s [Department of Homeland Security’s] Office of Intelligence and Analysis (I&A), testified to the Committee on June 21, 2017, that ‘by late September, we determined that internet-connected election-related networks in 21 states were potentially targeted by Russian government cyber actors’” [italics mine].

This leads me to my final point: that to be effective in constraining behavior, limiting disputes and maintaining peace, international conventions do have to be, to a reasonable extent, held and shared in common—and that applies to the U.S. as well as its rivals. Few things have been more damaging to U.S. and European hopes of a “rules-based global order” than the perception that the U.S. both makes the rules and breaks them whenever it sees fit, including in cyberspace.

U.S. audiences have a tendency to accept this, because of an instinctive belief that the defense and spread of democracy gives the U.S. rights that are denied to other states; but, of course, neither international traditions nor common sense allow any such assumption. States that see the U.S. behaving in a certain way—especially toward them—will most certainly behave in the same way themselves.

This applies in the first instance to actual cyber sabotage by states. By far the most effective use of this to date has been the Stuxnet cyber operation, attributed to but denied by the U.S. and Israel, to damage Iran’s nuclear program. In the Iranian mind, this has been linked—not unreasonably—with the Israeli campaign (whether or not aided by U.S. intelligence we do not know) to assassinate Iranian nuclear scientists. According to the New York Times, the U.S. has also planted “malware” in Russia’s energy grid in a way that appears to exceed what Russia has yet done against the U.S.: “Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid. But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.”

As a “deterrent” against genuine Russian attacks on the U.S., this may perhaps make sense. But this is precisely why we must be very clear indeed about what really constitutes an attack, and avoid loose and hysterical language on the subject. If the U.S. released such malware in response to a mere Russian cyber espionage operation, Russia would have every justification to turn to sabotage in its turn, creating a truly disastrous cycle of escalation.

A degree of balance and objectivity is also required in the area of political operations on the net. The U.S. maintains an overt international propaganda apparatus that vastly exceeds in scope and effectiveness anything that Russia or China can manage. The U.S. calls it “public diplomacy” and sees this machine as dedicated to propagating freedom and democracy. While this is true in certain parts of the world, my Arab students here in Qatar are extremely cynical on this subject—understandably enough, given the past and present U.S. record of supporting ruthless dictatorships in the Middle East. Like Soviet intelligence, the FBI and CIA in the 1960s and 70s also used “black propaganda”—the planting of misinformation to damage rival states and hostile political forces—on a large scale. (See the congressional report on the FBI’s COINTELPRO operation and this account of the CIA’s covert propaganda in the Cold War.)

Though it is not clear how active U.S. intelligence is in this area today, the past has obviously left a legacy of suspicion. In an ideal world, all states would eschew these tactics. In the real world, they will have to live with each other’s behavior—irritated no doubt, but without overreacting. Cyberspace increases the opportunities for influence operations of all kinds—but it does not change the basic equations involved.