Until a couple months ago, the average American did not know of SolarWinds. Now, the technology company is the victim of one of the most serious cyberattacks in recent history.
SolarWinds provides monitoring services to many US government departments and Fortune 500 companies. The list of departments that were hacked is painfully long. Hackers managed to access the most recent update of SolarWinds’s software, thereby giving them a backdoor to US government department information, as well as information on other companies. The scope of the hack could be as broad as 18,000 customers, but the US government is definitely on the list.
Russian officials have continuously denied allegations that they were behind the hack, but the FBI, CISA, ODNI, and the NSA released a statement linking the attack back to Russian hackers. A Russian cybersecurity firm, Kaspersky, published a report detailing the similarities between the SolarWinds hack and previous Russian hacks. The links are rather complicated and involve the specific coding used by the hackers, but Kaspersky claims the similarities are more than coincidence.
While there appears to be evidence of Russian involvement in the attack, it is still nearly impossible to definitively attribute an attack to an individual, much less a country, as there are ways that hackers can hide their identities behind computers. In the case of Russia, these efforts to conceal one’s identity are taken a step further. Russia most likely uses criminal networks to conduct their cyber attacks on other nations, allowing them to reap the benefits of criminal activity without the blame. These individuals are not actually associated with the Kremlin, so attributing attacks to the Russian government has become much more difficult, even when the attacks get traced back to Russian criminals.
As long as Russia continues to use cyber as a coercive tool, the global security environment is bound to change drastically to adapt to cyber warfare. The SolarWinds attack will most likely be a major impetus for such change, and will be used as an example to demonstrate the dangers of cyber attacks for years to come.
Gray is the New Black
Globally, Russia’s trend toward cyber war carries dire implications for the security of the international community as it becomes harder to distinguish which attacks justify war, and which do not present a serious enough threat to do so. This describes the dilemma surrounding gray zone conflicts, which according to the US Special Operations Command definition are “competitive interactions among and within state and non-state actors that fall between the traditional war and peace duality.” In simplified terms, they are actions that do not appear to directly amount to aggression, but often inflict damage or escalate to a point where they inflict damage. Russia’s use of cyber warfare is a prime example of a gray zone conflict that could eventually boil over into a real and devastating war.
To better understand this, it is helpful to divide the cyber threat into three fronts: offensively it can be used as a weapon, preemptively it can prevent Russia from being attacked, and strategically it can be used for espionage. This breakdown can illuminate how Russian cyber warfare poses a threat to international security.
In terms of offense, Russia can conduct strikes on critical and vulnerable infrastructure sites. One can imagine a situation where hospitals are crippled or the transportation system goes offline, wreaking havoc even if the sites are only compromised for a few hours. Such an attack could be sufficient pressure to convince a country to give major concessions to Russia. Though rare, these attacks are not impossible and should not be underestimated. Given Russia’s significant investment in cyberspace, it is even more important to exercise caution because they could represent a massive security threat.
In terms of preemption, Russia can physically disable weapons that attacked countries view as necessary to their security. Russia can forestall another country’s defense so that when attacked, they have no response and are left crippled.
Finally, espionage is the tactic that Russia has used the most so far. In 2016, they helped sway the outcome of the US election by hacking into email servers and manipulating social media. The SolarWinds attack could prove equally damaging since it is likely that Russia has collected valuable information that may be leveraged against the government and US companies in the near future. Even more terrifying is the ease with which one can imagine a situation where Russia could mimic the voices of world leaders (deep fakes), using inflammatory language to start conflict.
Given that cyber warfare is so new, its greatest threat may still be unknown. This is part of what makes it so scary: many cyber scenarios seem like conjecture, but could be looming on the horizon.
Cyber is the Latest Vogue
From a strategic perspective, Russia has strong incentives to continue investing in its cyber program. This includes both the criminal arm as well as governmental military intelligence development.
Since the collapse of the Soviet Union, Russia has had trouble rebuilding its military. During the 1990s, Russia fought to keep its military alive. During the 2000s, Russia still struggled to stay above water, but began creating plans for military modernization. Many of these plans were realized during the 2010s as Russia boosted its ground forces and strengthened its command and control system. But even now, Russia’s military is far inferior to that of the United States. Russia’s $1.7 trillion GDP is but a fraction of the $21.433 trillion US economy, and the United States spends over ten times more than Russia on national defense. In conventional warfare, Russian capabilities lag far behind those of the United States.
This helps to explain the strategic aspect of Russia’s pivot to cyber. By nature, cyber warfare is asymmetric since it involves little investment to develop and requires little funding to carry out the attack. Nevertheless, cyber attacks can deal large amounts of damage as described above. At this point, Russia’s offensive cyber capabilities are replacing their conventional capabilities as the stronghold of their military power. With Putin trying to remake Russia into a world power, this tactical shift is all the more important as it helps secure their rise.
Cyber seems to be the latest trend in the changing playing field of war. Cyber does not have geographic limitations, since troops do not have to go overseas in order to carry out the attack. This especially benefits a geographically isolated Russia, which is surrounded by rugged territory on all borders. In addition, cyber does not require hundreds of thousands of people in order to inflict damage on a more powerful military. With a declining population, this is also appealing for Russia. Perhaps most importantly, cyber attacks can be waged at any time, almost instantly. This means that Russia can always have the advantage of surprise, even if they do not have the military capability to defeat another nation.
Better yet, cyber attacks protect Russia against retaliation from countries they attack using cyber weapons. As a “niche” capability that few other countries have developed as extensively as Russia, Russia is in a unique position to attack other countries without experiencing cyber retaliation: by shutting down communication nodes, Russia’s cyberattacks create enough chaos that countries lack the means to respond regardless of whether or not they have strong cyber capabilities themselves. On top of all of this, Russia’s use of criminal networks and anonymity makes countries even less likely to respond as if the attack were coming from Russia itself, since it makes it even more difficult to verify if those hackers were state-sponsored or independent actors.
This is the happy medium for Russia: it can still compete in the international sphere with significantly fewer resources than its opponents.
Designing Regulations
There are two main challenges the international community must reconcile in order to address the cyber warfare threat in the aftermath of the SolarWinds hack.
First, how should countries deter and respond to cyber attacks? Some have responded with sanctions on Russian individuals and organizations, while others have merely denounced Russian actions. They hope that these measures will convince Russia not to commit such aggressions again.
Scholars are still debating the effectiveness of actions like sanctions and naming-and-shaming, but are rather unconvinced that they have meaningfully impacted Russia. Instead, academics are calling for more sanctions on specific Russian individuals, especially on oligarchs with the money and power to influence the government.
But governments can only target Russian individuals if they know who is responsible for the attacks, which introduces the second challenge with cyberwarfare: how should countries assign blame for cyber attacks? This question is far more puzzling since the anonymity associated with cyberspace actions makes attribution much more difficult. This is currently what enables Russia to commit attacks and benefit from stealing information while suffering none of the fallout.
While solutions are being developed to enhance security and uncover identities, it is possible that they will be outpaced by the innovations of hackers. The current method of trusting gut instinct is by no means perfect, but it seems like the best any country can do at the moment.
When examining the SolarWinds hack, it becomes evident that even though the United States is not entirely certain that the Russian government committed the attack, it should still react as though Russia did. The United States has an abundance of evidence linking the attack back to Russian hackers and has reason to believe that those hackers have connections to the government. Thus, it is necessary to prepare for the worst-case scenario, in which Russia has obtained valuable information regarding US security.
One thing is for certain: the international system needs to create regulations surrounding cyber tactics. The current situation leaves too many unanswered questions, which could easily spiral out of control. Countries will be more tempted to respond with aggression to cyber attacks as they begin to realize their dangerous possibilities, and Russia will only become more emboldened as it continues to test the waters and push its boundaries. The concern is that Russia may clash with another actor, crossing a line it did not know existed, potentially sparking war outside of cyberspace.