Espionage attempts like the SolarWinds hack are inevitable, so it’s safer to focus on defense
In the wake of the major espionage operation in which people alleged to be Russian government agents infiltrated the digital networks of the U.S. Defense, Treasury and Homeland Security departments – as well as other government agencies and private companies – President Joe Biden is considering how to respond.
It’s not clear exactly what data the hackers actually stole in the time they had access, roughly from March through December 2020, but they exploited software made by the Texas-based firm SolarWinds to gain access to key research and security information, including research for future nuclear weapons.
Since taking office, Biden has ordered a thorough intelligence review of Russian aggression around the world, which includes hacking, election interference, poisoning political opponents and posting bounties for killing U.S. soldiers. And on Jan. 21, his first full day in office, Biden received a report from a congressional cybersecurity commission with 15 recommendations expected to prevent another major cyber breach.
Those included boosting America’s cyber capabilities by increasing funding for U.S. Cyber Command and establishing a civilian reserve group that draws on cybersecurity talent in private industry and cybersecurity companies.
His administration faces pressure from members of Congress in both parties and former government officials to respond forcefully to the SolarWinds breach.
He is reportedly considering retaliatory cyberattacks against Russia and targeted financial sanctions against the individuals involved.
But the U.S. government may not be able to stop future intrusions into American computer systems. Scholarship describes how difficult it can be to effectively deter cyberattacks or punish those responsible. In fact, as a scholar of cyber conflict, my research strongly indicates that retaliation – in whatever form it might take – will almost certainly invite counterhacks from Russia, worsening tensions between the countries and potentially escalating into the offline world.
A sophisticated attack
The SolarWinds hack was more advanced than previous ones: The hackers actually compromised software updates that the network management company regularly provides to the businesses and government agencies that use its software. The hackers inserted malicious code into the official updates, which countless administrators trusted and installed on nearly 18,000 systems across the country.
Once installed, the malicious software connected to servers controlled by the hackers and gave them access to key data about government and corporate research and operations.
This isn’t the first major digital attack on the U.S. And its severity shows that past efforts to discourage cyberattacks have not been effective.
Under President Barack Obama, for instance, the U.S. leveled economic and diplomatic sanctions against the people and governments responsible for cyberespionage, including North Korea and Russia. The Trump administration likewise imposed sanctions against Iranian and North Korean hackers for a range of cyberattacks targeting U.S. companies, universities and government agencies.
Several scholars, including my collaborators and me, have shown that though economic sanctions do hurt their targets, they also hurt the country imposing the restrictions – in this case, the United States – which misses out on business opportunities in the targeted countries. Newer rounds of sanctions also bar U.S. companies from doing business with third-country firms that operate in targeted countries.