SolarWinds: Cyber strategists are back to the drawing board
The SolarWinds hack — a cyber espionage campaign compromising critical organisations of the United States (US) — has fundamentally disrupted the power dynamics of cyberspace. It is not only a major setback to the cyber statecraft initiatives of the US, which took years to mature, but also challenges the basic assumptions upon which the West’s strategy for cyber dominance rests.
The operation, said to have begun in March, was only discovered this month when FireEye — an American cyber intelligence company — found out that its own network had been breached.
The investigation led responders through a proverbial rabbit hole as it became obvious that, before the intruders audaciously pivoted to FireEye’s network, they had “popped” almost 50 other US organisations, including the departments of treasury, commerce, state, energy and homeland security; companies such as Cisco, Intel, Nvidia, and VMware; and critical agencies such as the National Nuclear Safety Administration.
The hack of the decade is being attributed to the SVR, the discreet Russian foreign intelligence agency. The tradecraft employed by the spies was brilliant: they managed to evade every defence in a global surveillance dragnet feeding the counterintelligence capability of the US and its allies.
By backdooring the update mechanism of a wildly popular IT administration software product called SolarWinds Orion, the intruders managed to acquire a beachhead in the network of any of its 300,000 customers.
At every step of the “kill chain,” the operators showed remarkable ingenuity.
They had no plans to outmatch the strategic cyber offensive might of the US, so the spies tactically blended in with the environment, exploited the “transitive trust” between computers, and used deception to look like routine processes.
Yet, beyond all the technical details, it was the palpable strategic calculus that struck at the heart of US cyber policy.
The intrusion came at a time when the US Cyber Command (USCYBERCOM) — which has held a powerful mandate since the Russian interference in the 2016 presidential elections — had declared itself a formidable force.
Its Defend Forward strategy was premised upon undertaking pre-emptive, extrajudicial cyber operations within the adversary’s own information space — neutralising a potential threat even before it was instantiated.
However, the strategy did not assume that USCYBERCOM could undertake such expeditionary manoeuvres in every hostile network. The idea was to send a credible deterrence threat by a selective use of “force” to coerce or compel the adversary.
USCYBERCOM aspired to strike a “tacit bargain” (from the international relations parlance) with the adversary by “signalling” that any malicious action would lead to the imposition of unacceptable costs.
The Defend Forward strategy was based on some broad, sweeping assumptions.
First, that the traditional structures of deterrence by denial and punishment remained valid in cyberspace.
Second, that cyberspace is a “domain” allowing militaristic power projection at a “place and time of choosing.” There was also a retroactive implication that cyber operations more or less adhered to the law of armed conflict, thus bestowing legitimacy upon western offensive counteractions.
Third, that on a broader scale, pre-emptive cyber operations legitimised by the West would trigger a kind of creative destruction, thus calcifying a rules-based order in cyberspace. The overall strategy was that the establishment of global cyber norms premised upon international law would reinstate the “neoliberal institutionalist” concept of power by punishing states that thrived on impunity.
Russia was neither deterred nor compelled by this. Its structures of power projection are purely cognitive, and, being an undemocratic entity, such a projection does not impinge upon its internal stability. It is a moment of reckoning for the neoliberal system, which was the very foundation of the internet.