The Strategic Implications of SolarWinds

Read the original article: The Strategic Implications of SolarWinds


Recent reports of a widespread Russian cyber infiltration across U.S. government networks are a sign of how great power competition will play out in the 21st century. The new great power game is digital, with the shadowy alleys and cafes of Cold War spy games replaced by massive data breaches and compromising corporate security. Some strategies see this world as dominated by offensive operations—but the SolarWinds case suggests the opposite. The U.S. Cyber Solarium Commission, on which we served, found that the future of cyber security strategy will come to rely on layered cyber deterrence to enable defensive denial operations, international entanglement and cost imposition when aggressors defy the norms of the international system. The SolarWinds hack emphasizes the importance of implementing this strategy. 

It’s simpler to list the agencies that have not been caught up in the SolarWinds infiltration, which was run by Russian hacking group APT29 under the umbrella of the Russian intelligence services, the SVR. So far, only the intelligence community has not been reported to have been breached. 

The goal of the operation seems to have been exfiltrating data and digital tools from the targets. The attackers leveraged a supply chain vulnerability in the ubiquitous SolarWinds Orion program, a network monitoring tool, to insert backdoors into an update released months ago. Once inside the networks, the attackers were able to maintain a permanent presence. The operation was so devastating that SolarWinds employees appear to have engaged in a massive sell off of stocks prior to public disclosure of the vulnerability.

The impact of the operation is currently unknown. Overall, the likely outcome seems similar to that of the Office of Personnel Management (OPM) hack of 2015, which resulted in the massive theft of unclassified government data by China but without any clear use of the data by Beijing in the subsequent years. But the SolarWinds breach will have second- and third-order effects. Already, FireEye’s Red Team tools have been stolen through the SolarWinds vulnerability and reused by the attackers on other systems. The key thing to remember at this point is that the operation seems likely to be able to extract information but not insert or destroy data within government systems.

The SolarWinds operation demonstrates the developing nature of modern great power competition, where rival states employ cyber strategies to steal secrets as well as to conduct limited operations meant to disrupt and degrade. Though media reports often characterize cyber operations as attacks, many operations are better thought of as instruments of political warfare and weak forms of coercion that do not seek destruction. Most cases involve stolen data or limited disruptive effects. There appear to be key firebreaks that limit escalation in cyberspace, keeping it a realm of covert and clandestine operations as opposed to decisive battles.

We have worked with Ryan Maness of the Naval Postgraduate School to compile the Dyadic Cyber Incident Dispute Dataset (DCID), which tracks all known cyber actions between rival nation-states from 2001 through 2016. Examining the SolarWinds operation alongside the other operations in this dataset, the operation appears similar to past Russian and Chinese network infiltrations like the aforementioned OPM hack or Russia’s APT29 prior operations against the State Department and other government agencies. Great powers use cyberspace to alter the balance of information and gain an advantage in long-term competition. In this manner, espionage supports broader coercive campaigns and crisis bargaining.