The SolarWinds hack, attributed to Russia’s Foreign Intelligence Service, was an extensive cyber attack on U.S. private companies, including Microsoft and Intel, and government agencies, including the Department of Justice and the Pentagon. The careful infiltration went unnoticed for months, and the scope of the hack is still unknown. Ultimately, the failure to prevent the attack raises questions as to how the United States can protect itself from future cyberoperations. Additionally, the attack has created a debate over how the Biden administration should respond. While the U.S. government could potentially launch a retaliatory strike to deter future hacks, the best course of action would be to focus on defensive measures that protect American networks from becoming targets of further cyberattacks.
Several months ago, the United States intelligence community discovered that the hacking campaign against SolarWinds, one of the most thorough and successful cyber attacks targeting American government sectors and private companies, was likely orchestrated by Russia. The extent of the hack was identified after the private cybersecurity company FireEye noticed a breach in its own network. The firm announced in December that outside actors had been able to steal information from it, and suggested that a state actor was likely behind the attack based on the sophistication of the technique used. The hack was traced to SolarWinds’ software product, Orion.
In early 2020, the hackers were able to use Orion’s routine software update to install malicious code, creating a backdoor through which customers’ information could be accessed. SolarWinds is a large company, with over 300,000 customers, that develops software for network monitoring and has clients in government agencies and Fortune 500 companies. Because its clients include high-profile companies, such as Microsoft, Credit Suisse, Cisco, and Yahoo!, and government agencies, such as the Department of Defense, NASA, the Department of Justice, and the Department of Homeland Security, the SolarWinds hackers potentially gained access to influential government and private networks.
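The paragraph above describes the mechanism at a high level: malicious code rode in on a routine software update. The following is an added example, not code from the article or from SolarWinds, showing the kind of integrity check a receiving organization can run on an update before installing it: every file in the staged update is hashed and compared against a manifest of expected SHA-256 digests, and the check reports files that were modified, files that are missing, and files that appear on disk but are not in the manifest at all. The directory layout, file names, contents and the manifest format are constructed for this example and are not Orion artifacts.

```python
"""Added example (not from the article): verify a staged software update against
a manifest of expected file hashes before it is installed.

All file names, contents and the manifest format below are constructed for the
example; none of them are SolarWinds/Orion artifacts.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> dict[str, Path]:
    """Map every regular file under root to its forward-slash relative name."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): p
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every file under root. In practice the vendor publishes this
    (ideally signed) out of band; here it stands in for the known-good state."""
    return {rel: sha256_file(p) for rel, p in _relative_files(root).items()}


def verify_update(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the update matches.

    Three failure modes are reported:
      modified:   file present but its digest differs from the manifest
      missing:    file listed in the manifest is absent from disk
      unexpected: file on disk that the manifest does not list (an added payload)
    """
    findings: list[str] = []
    on_disk = _relative_files(root)
    for rel, expected in manifest.items():
        p = on_disk.get(rel)
        if p is None:
            findings.append(f"missing: {rel}")
            continue
        # compare_digest avoids a timing side channel on the digest comparison.
        if not hmac.compare_digest(sha256_file(p), expected):
            findings.append(f"modified: {rel}")
    for rel in sorted(set(on_disk) - set(manifest)):
        findings.append(f"unexpected: {rel}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Stage a clean update, record its manifest, then tamper with it.

    Returns (findings for the clean tree, findings for the tampered tree)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "agent.dll").write_bytes(b"legitimate agent code v1")
        (root / "config.xml").write_text("<config/>")
        manifest = build_manifest(root)
        clean = verify_update(root, manifest)

        # Constructed tampering: one file altered, one added, one removed.
        (root / "bin" / "agent.dll").write_bytes(b"legitimate agent code v1\x90")
        (root / "bin" / "helper.dll").write_bytes(b"not in manifest")
        (root / "config.xml").unlink()
        tampered = verify_update(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree findings:", clean)
    for finding in tampered:
        print("tampered tree:", finding)
```

A check like this only catches artifacts altered between the vendor's release and the customer's installation; it cannot flag code that the vendor's own build pipeline produced and signed, because that code is, by definition, what the manifest describes. That limitation is why the controls on the software development process itself, of the kind discussed later in this piece for federal contractors, matter as much as verification on the receiving end.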
The breach went unnoticed for months and compromised around 18,000 clients, and the full extent of the attack is still not known. In U.S. agencies, such as the Department of the Treasury, the hackers gained access to the email accounts of high-ranking officials. So far it has been determined that the hackers stole data from over one hundred private businesses and nine federal agencies, including the Pentagon and NASA. The fact that the hackers were able to compromise data for such a long period of time before the leak was caught shows a gaping weakness in American cybersecurity. Moreover, the leak was identified by a private company, rather than by one of the government agencies that installed the software update, further highlighting the need for stronger security measures in cyberspace.
Responsibility for the SolarWinds hack was traced back to Russian hackers known as APT29 or Cozy Bear, who likely operated on behalf of Russia’s Foreign Intelligence Service, also known as the SVR. The same hackers were responsible for the attacks on the White House and the State Department in 2014 and 2015, during which they gathered information from private emails.
In January, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint statement in response to the SolarWinds hack stating:
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The diligence behind the attack also suggests a new approach in Russia’s cyberespionage. Previous Russian hacks were typically carried out with more carelessness, such as the NotPetya attack that destroyed Ukraine’s financial data after the Crimean conflict and spread to other countries including the United States, and the 2018 Olympics hack during the opening ceremonies, for which Russian military spies used North Korean IP addresses. The SolarWinds hack, however, was carried out far more cautiously, to the point where the full scope of the attack has yet to be established. The purpose of the attack also remains unknown, and some are concerned that it may have been meant not only to collect data but also to alter it.
The SolarWinds hack was one in a series of recent attacks by Russian hackers using increasingly sophisticated techniques. This month, the U.S. also faced an attack from a Russian hacker group named DarkSide that took control of the Colonial Pipeline, forcing the company to shut down and triggering fuel shortages across the East. Colonial Pipeline was only able to resume operations after paying the hackers the demanded ransom, roughly $5 million. The hack on the pipeline caused severe energy shortages and extremely high gas prices, underscoring the severity of the new cyberattacks seen this past year. This leaves behind the worrisome question of how the U.S. government and private companies can protect themselves from future breaches.
The SolarWinds hack introduced a conflict over how the U.S. government should respond to the Russian cyberattack. In April, President Biden’s administration announced economic sanctions against Russia for being involved in the attack. In his executive order, President Biden officially attributed the breach to the Russian Foreign Intelligence Service and declared that:
“All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:…
(i) to operate or have operated in the technology sector or the defense and related materiel sector of the Russian Federation economy, or any other sector of the Russian Federation economy as may be determined by the Secretary of the Treasury, in consultation with the Secretary of State;
(ii) to be responsible for or complicit in…any of the following for or on behalf of, or for the benefit of, directly or indirectly, the Government of the Russian Federation:
(A) malicious cyber-enabled activities”
Interestingly, in the executive order, President Biden avoided using strong language against the Russians, such as referring to the incident as a ‘cyberstrike’. The reason may stem from the disagreement over how far Russia’s actions crossed the cyberespionage norms of the international community. By identifying the attack as unacceptable, the United States would set a precedent on the boundaries of cyberespionage and actively tie its own hands with regard to the intelligence-gathering cyber operations that its own agencies might execute in the future. Consequently, while the Biden administration may want to respond to the SolarWinds hack with retaliation, such actions could appear hypocritical in light of the United States’ own information-gathering infiltrations.
In the past, the United States has placed destructive malware inside Russia’s power grid, taking aggressive action to deter future cyberoperations against America. It also engaged in a cyber strike against Iran in 2019, following the drone attack on the oil facilities in Saudi Arabia. Probably one of the largest American cyber operations was the CIA’s ownership of Crypto AG, which remained secret for decades and gave the U.S. government access to the encryption technology that the company sold to other countries. This operation lasted until the end of the 20th century, giving the CIA extensive information on foreign state secrets. Russia’s hack is therefore not too dissimilar from the cyber operations the U.S. has engaged in previously, which suggests that launching a counterstrike in retaliation may be counterproductive.
Currently, aside from the sanctions, the U.S. has taken further action by expelling ten Russian diplomats from Washington D.C., encouraging ‘responsible state behavior in cyberspace’, and collaborating with allies such as the U.K. and France to build more advanced defensive systems in cyberspace. The Biden administration is also putting together another executive order to improve the country’s defenses against cyberattacks similar to the SolarWinds hack. The order will set forth new requirements for companies that work with the federal government, including routine cybersecurity checks and specific steps for software development, in the hope that these procedures spread throughout the private sector as well. It will also require federal contractors to notify the government of any cyber incidents, thereby attempting to set up a system in which potential breaches can be caught faster.
America’s focus on defensive action suggests that the Biden administration will likely not engage in a retaliatory strike. Instead, it would be more useful for the government to dedicate resources to better cybersecurity and preventative measures, to ensure that an attack like the SolarWinds hack is less likely to happen again. The SolarWinds hack is a wake-up call that we need stronger defensive mechanisms in cyberspace. Engaging in retaliation would diminish the United States’ capacity to conduct similar intelligence operations, so the best course of action is to stop outside organizations from being able to infiltrate networks in U.S. government sectors and private businesses.