SolarWinds: Accountability, Attribution, and Advancing the Ball

In its long-anticipated public response to the SolarWinds Orion incident, the Biden administration attributed the hacking campaign to Russia’s Foreign Intelligence Service (SVR), issued a new Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation, and imposed sanctions on “companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services.” The administration took other actions related to Russia’s occupation of Crimea and election interference as well, but I’ll focus here on the SolarWinds-specific actions and especially on what they portend for the development of international law and norms on state behavior in cyberspace.

In a January 5 statement, the FBI, CISA, ODNI, and the NSA characterized the SolarWinds incident as “an intelligence gathering effort” by “an Advanced Persistent Threat (APT) actor, likely Russian in origin.” Both before and after this statement, questions arose about whether the United States would respond to an intrusion that was “just espionage.” In a February 17 press briefing, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger seemed to say that it was not “just espionage”; rather, she said, “when there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage; it’s fundamentally of concern for the ability for this to become disruptive.” But the question remained, if the United States wanted to condemn the SolarWinds incident, what line could it draw that wouldn’t open the United States up to charges of hypocrisy?

The administration didn’t provide a line, but instead provided a cluster of factors that, taken together, made the SolarWinds hack worthy of a public response in a way that, for example, the 2015 Office of Personnel Management hack was not. Multifactor tests are not unusual for the Executive Branch, but the lack of clarity about the necessity and relative weight of various factors is less than ideal in this context where the administration is communicating internationally about acceptable and unacceptable state behavior. The administration’s commitment to providing training to foreign policymakers on publicly attributing cyberattacks is, however, a very promising sign for expanding the range of states engaged in defining the rules of state behavior in cyberspace.

A Multi-Factor Test for Responding to Cyber Incidents

So what are the factors?

The White House Fact Sheet cited the scope of the compromise and the burden it imposed on the private sector:

The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide. The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.

The Treasury Department Press Release added more factors, including Russia’s history of “disruptive cyber operations,” risk to the supply chain, and theft of red team tools—the intrusion into FireEye that caused discovery of the whole operation. The Release explained:

This intrusion compromised thousands of U.S. government and private sector networks. The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern. The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers. Victims of the compromise include the financial sector, critical infrastructure, government networks, and many others. Further, this incident will cost businesses and consumers in the United States and worldwide millions of dollars to fully address.

Additionally, the SVR stole “red team tools,” which mimic cyber attacks to help customers better protect themselves, from a U.S. cyber security company. These tools, if made public or used offensively by the SVR or other actors, would create additional opportunities for malign actors to target computer systems worldwide.

In a press call Thursday afternoon, a senior administration official pointed to “three core reasons” the United States “saw the need to make clear that this behavior was unacceptable”:

First, that broad scope and scale of the compromise, it’s a national security and public safety concern.

Second, as you noted, the speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye, and a defender cannot move at that speed.  And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.

And finally, the hack placed an undue burden on the mostly private-sector victims who must bear the unusually high costs of mitigating this incident.

Putting all of these statements together, the SolarWinds incident is not “just espionage” and warrants a response due to a combination of the scope and scale of the compromise, the burden imposed on the private sector, risk of escalation into disruptive behavior, risk to the global supply chain, and theft of red team tools. In a post in December, I highlighted the risk of escalation into a disruptive attack as a reason the United States should break its usual silence on espionage-focused intrusions, so I was glad to see it appear as a factor in the press call (though the quoted statement is unclear about whether the risk of escalation is specific to this incident or applies to Russian actions more generally). The statements so far do not clarify whether all of these features are required or the relative importance of the various factors.

To be sure, the Executive Branch loves a good multifactor test. Consider the Office of Legal Counsel’s long-standing approach to determining whether congressional authorization is required for uses of military force. OLC considers whether the military operations (1) “serve sufficiently important national interests” to justify action, and (2) whether the operations “would be sufficiently extensive in ‘nature, scope, and duration’ to constitute a ‘war.’” Or consider then-State Department Legal Adviser Harold Hongju Koh’s 2011 congressional testimony on why the Obama administration’s actions in Libya did not constitute “hostilities” for purposes of the War Powers Resolution. Koh cited four factors—the limited mission, limited exposure of U.S. armed forces, limited risk of escalation, and limited military means—and concluded that “[h]ad any of these elements been absent in Libya, or present in different degrees, a different legal conclusion might have been drawn.” These tests, however, apply domestically to the allocation of authorities between Congress and the President.

A lack of clarity about the necessity and relative importance of various factors in a multifactor test may be more problematic when deployed internationally, particularly in a context where the United States is attempting to set norms or law about appropriate state behavior. The choice of a cluster over a line, a standard over a rule, isn’t surprising given the difficulty (really, impossibility) of distinguishing the SolarWinds incident from past hacking campaigns based on a single characteristic. As Bobby Chesney points out, it’s “possible—probable even—that there are diverse views” across different government agencies about “which redline, if any, the SolarWinds Orion campaign crossed.”

But at the same time, it highlights that there remains important work to be done to better define the lessons other states should take from the U.S. actions and from confirmatory attributions by allies. Canada, for example, confirmed that it also assesses that the SVR is responsible for the SolarWinds hack, but in addition to the cost of mitigations for the private sector, it cited a potential additional factor, namely that the intrusion “may have undermined public confidence in downloading software updates,” a point that Microsoft has also made with respect to the SolarWinds incident. Rep. Jim Langevin (D-RI) noted that “[t]he SolarWinds incident . . . had all the trappings of traditional espionage that, while unfortunate, has not historically been outside the bounds of responsible state behavior” and “encourage[d] the President and Secretary of State Antony Blinken to fully explain the contours of their new policy that seems to focus on Russia’s reckless history of attacks like NotPetya and the immense cleanup costs associated with SolarWinds.” Langevin is right that more explanation would be helpful in clarifying when exactly the United States will react to cyber intrusions and what exactly it regards as out of bounds.

Capacity Building on Public Attribution

Another piece of the White House’s announcement today has received less attention than the sanctions, but may be very important in the long run. The White House announced that it will train foreign governments’ policymakers on publicly attributing cyber incidents and on the application of international law to cyberspace:

We are providing a first-of-its kind course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated this year at the George C. Marshall Center in Garmisch, Germany. We are also bolstering our efforts through the Marshall Center to provide training to foreign ministry lawyers and policymakers on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were negotiated in the United Nations and endorsed by the UN General Assembly.

It is notable that this will be training not just on the technical side of determining who is responsible for a cyber intrusion, but also on making such attributions public. I’ve argued that public attributions of cyberattacks are pieces of the effort to define rules of the road for cyberspace because they provide evidence of the state practice required to establish customary international law. Engaging in capacity building to expand the number of states that engage in credible, public attributions is a very promising development.

Image: President Joe Biden announces new economic sanctions against the Russia government from the East Room of the White House on April 15, 2021 in Washington, DC. Biden announced sanctions against 32 companies and individuals that are aimed at choking off lending to the Russian government and in response to the 2020 hacking operation that breached American government agencies and some of the nation’s largest companies. (Photo by Chip Somodevilla/Getty Images)

 

About the Author(s)

Kristen Eichensehr

Professor of Law at University of Virginia School of Law, Affiliate at Stanford Law School's Center for Internet and Society and Stanford Center for International Security and Cooperation, Former Special Assistant to the Legal Adviser of the U.S. Department of State. Member of the editorial board of Just Security. Follow her on Twitter (@K_Eichensehr).