Last weekend, news broke that alleged Russian government hackers had breached the U.S. Treasury and Commerce Departments, beginning at some point between March and June, via compromised updates to software from SolarWinds. The Departments of State and Homeland Security and the National Institutes of Health were soon added to the list, as were the Pentagon and the Department of Energy. In a filing with the Securities & Exchange Commission, SolarWinds disclosed that 18,000 of its customers may have installed the compromised software, and its customers include “[n]early all Fortune 500 companies.” Microsoft identified downloads of the infected update around the world and its use in targeted attacks against victims in countries outside the United States, including Belgium, Canada, Israel, Mexico, Spain, the United Arab Emirates, and the United Kingdom.
While the full scope of the compromises and their implications are not yet known, the U.S. government’s public reactions have been muted and bureaucratic. On Sunday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing agencies to “disconnect or power down” the affected SolarWinds products. On Tuesday, the National Security Council spokesperson simply announced that pursuant to Presidential Policy Directive-41, a “Cyber Unified Coordination Group (UCG) has been established to ensure continued unity of effort across the United States Government in response to a significant cyber incident.” On Wednesday, the FBI, CISA, and the Office of the Director of National Intelligence issued a joint statement indicating, “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.” And on Thursday, CISA released an alert flagging that it “has evidence of initial access vectors, other than” SolarWinds.
One New York Times story highlighted that “it was hard to know which was worse: that the federal government was blindsided again by Russian intelligence agencies, or that when it was evident what was happening, White House officials said nothing.” Two of the story’s authors continued this line of commentary on Twitter. David Sanger said, “Remarkable that the US government has said nothing in public about one of the biggest attacks on US Govt in memory, other than ‘we are looking at it.’” Nicole Perlroth noted, “The silence is deafening.”
While President Trump’s failures to condemn Russia are nothing new, here the absence to date of executive branch attribution and condemnation of the intrusions may be strategic silence—following a playbook the executive branch has used in the immediate aftermath of past cyber intrusions by foreign governments, at least when those breaches involve traditional espionage. In such situations, what is there to say? Espionage alone doesn’t violate international law, and the United States does it too. In this case, however, strategic silence may not serve the United States well. The scale of these intrusions is massive, and they pose a significant risk of further disruption.
Silence after State Spying
Official executive branch silence in the wake of a foreign government’s cyber intrusions follows a well-trodden path. Perhaps the best example was the 2015 hack of the Office of Personnel Management (OPM), which compromised the personal information of more than 20 million people and involved the exfiltration of sensitive personnel files, including background check information. The first public attribution by the executive branch famously came several weeks after the breach was announced when Director of National Intelligence James Clapper said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
Therein lies the issue. The OPM hack was hugely damaging for the United States. In a July 2020 speech, FBI Director Christopher Wray cited the OPM hack, among others, and alleged that “the data China stole is of obvious value as they attempt to identify people for secret intelligence gathering.” The current hacks are likely to be even worse because they appear to be much more far-ranging, both within and outside the U.S. government. But so far, they also seem to be focused on spying – using sophisticated techniques to ensure “long-term access” to targets and exfiltrating data, but, as far as the public is aware, stopping there. Would the United States “hesitate for a minute” to pursue the same access against foreign targets? As Jack Goldsmith asked this week, “is what the Russians did to U.S. government networks different from what the National Security Agency does on a daily basis?”
Despite these issues, there may be reason for the United States to break its silence here: there is a serious risk that the intrusions could go beyond “just espionage.” Information technology security staff all across the country and the world are surely working to kick the hackers out of their networks. But while those efforts continue, there is the possibility that espionage could escalate to disruption and destruction, which would raise very different legal issues.
Former Trump homeland security adviser Thomas P. Bossert warned in an op-ed, “The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people.”
As bad as the “just espionage” version of the intrusions is, the possibilities Bossert warns about would be far worse in both their nature and potential scope given the many non-governmental entities that are likely on the victim list. Breaking strategic silence to quickly attribute the intrusions and warn against any further actions could help to bring about the least bad version of the story that’s still being written.
Of course, public silence doesn’t necessarily mean government inaction. The U.S. government may very well be responding in ways it does not make public. The announced policy of the Department of Defense is to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” Such actions have previously targeted Russian actors, taking the Internet Research Agency troll farm offline in an effort to defend the 2018 midterm elections.
In a statement released Thursday, President-elect Joe Biden promised to “make cybersecurity a top priority at every level of government,” and warned that “a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.” He suggested that his administration will “do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
Whether “substantial” can be made substantial enough is a big, open question, but perhaps the clearest lesson of this week is that the United States has a lot more work to do on its defense.