How Will the U.S. Retaliate against the Russian SolarWinds Hackers?

“It is a tale told by an idiot, full of sound and fury, signifying nothing.” Shakespeare, Macbeth

This quote just about sums up President-elect Joe Biden’s, and much of the intelligence community’s, response to the recent SolarWinds supply-chain attack on numerous government agencies and private corporations.

I realize that they don’t want to show their hand, or, as Biden remarked, “there’s many options, which I will not discuss now.” However, Biden went on to elaborate: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.” Do you really believe the intelligence community hasn’t been doing this all along? Maybe he is suggesting that they have to be more aggressive in this regard. He does go on to say that he will impose “substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.” But what will those substantial costs entail? What, in fact, will you do?

During his presidency, Trump was known for preferring cyber operations over traditional military action. But, unsurprisingly, Biden blames Trump for the attacks in the first place: “The truth is this: The Trump administration failed to prioritize cybersecurity.” I’d have to ask what evidence Biden offers for this. True, Trump is as much of a cybersecurity expert as Biden, but I have trouble believing that those in the intelligence community were dissuaded from taking cyber threats seriously. It just doesn’t make sense.

Biden continues with his sound and fury. If Trump doesn’t take any action regarding this attack, “rest assured, even if he does not take it seriously, I will.” He goes on to explain that “cyberattacks must be treated as a serious threat by our leadership” and that “we can’t let this go unanswered.” Senator Mitt Romney added more fuel to the flames in a Twitter post comparing the intrusion to Russian bombers flying over the country undetected.

No, Mitt. It’s not the same as bombers flying over the country undetected. If that were the case, no damage would have been done. But damage was done, and the extent of that damage remains to be determined. True, the strength of U.S. cyber security defenses needs to be investigated and improvements need to be made. My guess is that Romney doesn’t know the extent of the cyber warfare capabilities available to the U.S. I would submit that they are as good as, if not better than, those of any other country. The question is how the U.S. should deploy them, if at all.

So, we have a threat of retaliation but no real answers on how this should be accomplished. But, if it is assumed that the U.S. needs to retaliate, what options are actually available?

Before any retaliation can be considered, the U.S. must be quite sure who it is retaliating against. The consensus seems to be that it is Russia, but even in the most recent joint statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), there is still some hedging on this point.

The statement includes conditional language such as “an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises,” and notes that the agencies are still “analyzing the evidence to determine further attribution.” It always bothers me when such a so-called sophisticated attack is so quickly attributed to a specific actor. It’s normal for skilled attackers to hide their affiliation by reusing code from other well-known nation-state malware, by building on shared or leaked tooling, or by leaving comments in a language seemingly from another country. All of this is done to obscure the origins of the attack, which is why attribution should rest on infrastructure, tradecraft and intelligence beyond what is found in the malware itself. That said, for the sake of this post, I will assume that the perpetrator was a Russian-government-affiliated hacking team (aka Cozy Bear). It is, then, they who must be targeted with retaliation.

Possible Forms of Retaliation

Sanctions

Sanctions on individuals would be primarily symbolic, as none of the members of the Cozy Bear hacking team will ever be extradited to the U.S. Economic sanctions may have more of an impact but would probably not disrupt the already ailing Russian economy. Sanctions on big private companies may hurt a bit more and, by extension, hurt the Russian economy. There is some talk of barring Russia from using the SWIFT international banking messaging system. This would stop Russia’s international companies from doing business with many foreign firms. However, Russia has been preparing an alternative to SWIFT since 2014, called SPFS. China is also developing its own transfer system, called CIPS. In short, a SWIFT ban may hurt for a while, but will probably force Russian companies, and companies dealing with Russia, to adopt these alternative transfer methods.

Reciprocal Attacks

Do unto them what they did unto you. In other words, launch a similar attack against Russia. Biden has actually announced this course of action. The Russians “can be assured that we will respond and probably respond in kind.” So, in other words, he’s not sure how he will respond. The problem is that we don’t know the full extent of the SolarWinds attack. At the moment, it appears to be an espionage operation; an attack looking for information. However, it may be that the information they find will be used to fuel a more destructive attack, like an attack on U.S. infrastructure. In other words, a reciprocal attack is solely reactive. My guess is that the necessary implants for such a reciprocal attack are already in place, and have been in place for years, within Russian networks. The Russians just haven’t discovered them yet. The problem with the reciprocal option is that Russia may not even realize it is being retaliated against. For a reciprocal attack to be effective as a deterrent, the entity attacked needs to recognize the reciprocity. This approach, in principle anyway, is meant to deter them from future attacks.

An article in Business Insider claims that “with Trump taking no action, Biden’s team are concerned that in the coming weeks the president-elect may be left with only one tool: bluster.” This may, sadly, be true. So, expect a lot of talk about attacks without much action. Biden claimed that the hack occurred because “the Trump administration failed to prioritize cybersecurity. This happened on Donald Trump’s watch.” Yeah, but what about one of the most devastating hacks in history, the 2015 Office of Personnel Management breach, which occurred when you were on watch as Vice President? In the end, despite a lot of sound and fury, there was no real retaliation against China for the OPM hack. If the response was hidden, it certainly did nothing to inhibit further attacks on the U.S.

Offensive Cyber Attacks

Offensive cyber attacks against those who have attacked the U.S. are always in the arsenal. They are rarely used for fear of a reciprocal attack. There is also the fear of harming innocent people. The U.S. could, for example, take down part of the Russian internet, but would hospitals be affected and would lives be lost? How many lives might be lost if part of the electric grid were taken down? And what would happen if there was retaliation in kind? Yes, make no mistake about it: the U.S. has the cyber weapons to do all of these things, but using them is risky.

So can nothing really be done in retaliation? It may seem that way, but there are options available. The options would have to be similar to the ones launched against Iran a number of times. These were targeted to undermine specific military functions. The most famous of these was the Stuxnet attack, which destroyed Iranian uranium-enrichment centrifuges and set back their nuclear program. Another operation, in 2019, reportedly wiped a database used by Iran’s Islamic Revolutionary Guard Corps to plan attacks on shipping. These sorts of attacks can do appreciable damage without harming civilians. In the current situation, the U.S. could, for example, target the servers or infrastructure used by Russian intelligence. It could leave indications linking the damage to the U.S., to let the Russians know that enough is enough.

However, the picture has been further complicated by the fact that both FireEye and CrowdStrike have been reluctant to attribute the attack to Russia. As one FireEye spokesman noted, “We have not made any attribution beyond assigning this activity to UNC2452. A UNC group, short for unclassified, is a cluster of cyber-intrusion activity — which includes observable artifacts such as adversary infrastructure, tools, and tradecraft — that we are not yet ready to give a classification such as APT or FIN.” (FireEye’s own published definition expands UNC as “uncategorized”; the point is the same: the cluster is tracked on its observable artifacts, not on a named sponsor.) So, at least for the moment, we are back to square one. Who does the U.S. retaliate against?
