Saturday, 19 December 2020

How to Respond to Russia’s SolarWinds Cyberattack

Opinion

Hal Brands
Hal Brands is the Henry A. Kissinger Distinguished Professor at the Henry A. Kissinger Center for Global Affairs at Johns Hopkins University's School of Advanced International Studies and a senior fellow at the Center for Strategic and Budgetary Assessments. His latest book is "American Grand Strategy in the Age of Trump."

When Chinese hackers breached the US Office of Personnel Management in 2014, scooping up the sensitive personal data of Americans holding government security clearances, the consensus among experts was that the intrusion was extremely damaging, but not out of bounds. “This is not ‘shame on China,’ ” explained Michael Hayden, the former head of the National Security Agency. “This is ‘shame on us’ for not protecting that kind of information.”

It would be a grave mistake to respond to a more recent — and more spectacular — alleged hack by Russian agents in the same way. The so-called SolarWinds breach represents a step up in cyberespionage, exposing a new degree of democratic vulnerability and authoritarian ambition.

According to public reporting, Russian hackers with ties to the Kremlin inserted malicious code into software made by the US tech firm SolarWinds. Corrupted updates were then downloaded by private companies and government agencies, giving Russian intelligence a backdoor into their networks.

Such “supply-chain” attacks are not unprecedented: In 2018, there were reports (denied by all parties) that Chinese hackers had used a hardware supply-chain attack to compromise a variety of sensitive networks. But this approach is what makes the Russian gambit so concerning. Moscow didn’t simply attack a single, lucrative target — as Beijing did in penetrating the Office of Personnel Management. Russian agents compromised an entire supply chain, and thus, potentially, many of the entities that rely on that chain.

The breach reportedly affected hundreds of government and private networks, including those of the National Nuclear Security Administration (which manages America’s nuclear weapons stockpile) and other key federal institutions.
As former Homeland Security Adviser Tom Bossert wrote in the New York Times, “It will take years to know for certain which networks the Russians control and which ones they just occupy.”

This relates to a second noteworthy feature of the hack. Espionage is often intended not simply to harvest information but also to sow vulnerability. When Beijing gained access to millions of security clearance records, it may also have gained access to powerful weapons of blackmail. The SolarWinds episode creates much deeper and broader vulnerabilities, across civil society and government, than anything the US has experienced before.

While Russia’s intent in penetrating these networks remains unclear, Vladimir Putin’s government now has the ability to gum up the works of departments and agencies from the Department of Homeland Security to the Department of Energy. It could delete sensitive data in public or private-sector networks, or use them to launder disinformation through seemingly reputable sources. The potential for mischief is breathtaking: As Bossert writes, President-elect Joe Biden must assume that anything he reads about the attack is being read by Russia, and assume that any communication could be falsified.

Even if Putin does nothing to weaponize the access he has gained, confidence in America’s critical digital infrastructure will likely suffer. Simply assessing, let alone repairing, the damage will be a monumental undertaking.

Yet there are also three larger strategic implications. First, don’t fall asleep on Russia, even as the Chinese threat attracts the majority of America’s geopolitical attention. Putin’s Russia may be a declining, economically moribund power. But his high tolerance for risk, combined with Moscow’s talent for identifying and exploiting Western vulnerabilities, means that Washington downplays the Russian challenge at its peril.

Second, effective cyberstrategy must blend unilateral and multilateral measures.
It seems likely that many other countries were victimized by the SolarWinds hack. The US must therefore work more closely with other advanced democracies to strengthen shared warning networks, coordinate damage assessments, and impose sharp costs on malign actors. As Microsoft president Brad Smith argues, “In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together.”

Third, those responses cannot be solely defensive. SolarWinds highlights the basic offense-defense asymmetry in cyberspace: A clever attack will require remediation efforts costing orders of magnitude more than the attack itself. Moreover, the relatively open nature of the democratic internet, and the fact that responsibility for cybersecurity is diffused among so many public and private actors, creates vectors of vulnerability that will always tempt authoritarian regimes.

US Cyber Command has been pursuing a “defend forward” posture that emphasizes keeping adversaries off balance by penetrating and, occasionally, disrupting their networks. The premium on doing so just got higher.

In the wake of this attack, the US must find subtle ways of showing that it can achieve equivalent or greater breaches of Russian networks — those used by Putin’s security services and propaganda organs, for instance, or by financial firms that are linked to the Kremlin and handle the flow of dirty money that lubricates that regime. Doing so is not costless, because it requires revealing where America’s offensive cyberwarriors are lurking. But sometimes it is necessary to show one’s hand, or just a couple of cards in it, to achieve the desired psychological effect.
The US, preferably in concert with allies, might also impose targeted financial and diplomatic sanctions, less for the tangible pain they inflict than to demonstrate that America retains the right to respond to major cyberbreaches with whatever tools it deems appropriate.

Such a response would raise tensions in the short term. Over time, however, it might promote a sort of mutual restraint when it comes to cyberattacks with the potential to seriously disrupt modern societies. These bargains can be struck: During the Cold War, Moscow and Washington reached a tacit agreement not to shoot down each other’s spy satellites, once it was clear that each side could respond in kind, and that neither side would benefit from unrestrained competition. Now as in the past, achieving eventual de-escalation will first require making clear that escalation will not pay.

Bloomberg



from Asharq AL-awsat https://english.aawsat.com/home/article/2693111/hal-brands/how-respond-russia%E2%80%99s-solarwinds-cyberattack
