SolarWinds: Cyber strategists are back to the drawing board
The SolarWinds hack – a cyber espionage campaign compromising critical organisations of the US – has fundamentally disrupted the power dynamics of cyberspace.
It is not only a major setback to the cyber statecraft initiatives of the United States (US) which took years to mature, but also challenges the basic assumptions upon which the West’s strategy for cyber dominance rests.
The operation, said to have begun in March, was only discovered this month when FireEye – an American cyber intelligence company – found out that its own network had been breached.
The investigation led responders through a proverbial rabbit hole as it became obvious that, before the intruders audaciously pivoted to FireEye’s network, they had “popped” almost 50 other US organisations including the departments of Treasury, Commerce, State, Energy & Homeland Security; companies such as Cisco, Intel, Nvidia, and VMware; and critical agencies such as the National Nuclear Safety Administration.
The hack of the decade is being attributed to SVR, the discreet Russian foreign intelligence agency. The tradecraft employed by the spies was brilliant as they managed to evade every defence in a global surveillance dragnet feeding the counterintelligence capability of the US and its allies.
By backdooring the update mechanism of a wildly popular IT administration software called SolarWinds Orion, the intruders managed to acquire a beachhead in any of its 300,000 customers.
At every step of the “kill chain,” the operators showed remarkable ingenuity.
They had no plans to outmatch the strategic cyber offensive might of the US, so the spies tactically blended in with the environment, exploited “transitive trust” of the computers, and used deception to look like routine processes.
Yet, beyond all the technical details, it is the palpable strategic calculus which strikes at the heart of US cyber policy.
The intrusion came at a time when the US Cyber Command (USCYBERCOM) – which has had a powerful mandate since the Russian interference in the 2016 presidential elections – declared itself a formidable force.
Its Defend Forward strategy was premised upon undertaking pre-emptive, extrajudicial cyber operations within the adversary’s own information space – neutralising a potential threat even before it was instantiated.
However, the strategy did not assume that USCYBERCOM could undertake such expeditionary manoeuvres in every hostile network. The idea was to send a credible deterrence threat by a selective use of “force” to coerce or compel the adversary.
USCYBERCOM aspired to strike a ‘tacit bargain’ (from the international relations parlance) with the adversary by ‘signalling’ that any malicious action would lead to the imposition of unacceptable costs.
The Defend Forward strategy was based on some broad, sweeping assumptions.
First, that the traditional structures of deterrence by denial and punishment remained valid in cyberspace.
Second, that cyberspace is a ‘domain’ allowing militaristic power projection at a ‘place and time of choosing.’ There was also a retroactive implication that cyber operations more or less adhered to the law of armed conflict, thus bestowing legitimacy upon Western offensive counteractions.
Third, that on a broader scale, pre-emptive cyber operations legitimised by the West would trigger a kind of creative destruction, thus calcifying a rules-based order in cyberspace. The overall strategy was that the establishment of global cyber norms premised upon international law would reinstate the ‘neoliberal institutionalist’ concept of power by punishing states that thrived on impunity.
Busy with the 2020 elections and potentially distracted by the threat of Russian disinformation, the US establishment thought that it could somehow stretch Defend Forward into a national doctrine. And so, what was basically an expeditionary manoeuvre, which had evolved in a specific cultural silo of the US cyber apparatus, became the cornerstone of statecraft.
The groupthink was obvious as the Cyberspace Solarium Commission – a whole-of-government grand strategy for cyberspace formulated by the US government – even elevated Defend Forward to the hallowed pedestal of “Layered Cyber Deterrence,” a proposed international strategy.
All this happened almost overnight even as the evidence of Defend Forward’s success remained limited in the public sphere.
It was a perfect storm in the making and the SVR made the best of it. Russia was neither deterred nor compelled; it could not be coerced, nor did it opt for an explicit or tacit bargain.
In fact, as a dichotomy which would never ever be encountered in a conventional domain of war like land, sea or air, Russia chooses to see cyberspace using a wholly different assumptive paradigm.
Its structures of power projection are purely cognitive. And being an undemocratic entity, such a projection does not impinge upon its internal stability.
General-Major V. D. Ryabchuk, the father of Russian strategic deception, alluded that “thought is the first to enter battle.” In that sense, Russia’s cyber actions have successfully managed to break the will, demoralise and eventually deter its adversaries – including those from the West – quite a few times.
The fact of the matter is that state-to-state espionage is a-okay, which is what this hack was.
Cyber strategists are now back to the drawing board as even the most meticulously derived variables and equations of cyber power look like unfounded abstractions. It is a moment of reckoning for the neoliberal system which was the very foundation of the Internet.
Pukhraj Singh is a cyber intelligence analyst who has worked with the Indian government and response teams of global companies
The views expressed are personal