Responsible Cyber Offense


News of the SolarWinds hack emerged with reports the incident had triggered an emergency Saturday meeting at the National Security Council. In the weeks that followed, the story dominated headlines. Whereas most offensive cyber operations rarely receive concentrated focus, the name of a Texas-based information technology software company, SolarWinds, became ubiquitous across mainstream news outlets and quickly synonymous with the Russian hacking operation that targeted it. Policymakers, corporations and the entire cybersecurity industry were soon asking, “How do we address SolarWinds?” 

Russian state actors had breached SolarWinds’ network to insert a backdoor into a software product used in critical networks across the United States. The hackers then snuck through their carefully hidden entrance to infiltrate the State Department, Treasury Department, Microsoft, and thousands of other government and corporate networks. The scale of the attacks, along with the high-profile nature of many of the targets, encouraged the widespread coverage and subsequent reaction from elected officials. Congressional hearings were scheduled, and then-President-elect Biden pledged to address the issue.

The Senate hearing focused in large part on prevention of cyber espionage, which reflected the Capitol’s sanguine attitude toward the issue. While members of Congress questioned SolarWinds leadership about how they might prevent such a backdoor in the future, attackers installed an entirely different backdoor on hundreds of thousands of servers around the world by leveraging an accidental vulnerability in Microsoft Exchange software. While this wasn’t a supply chain hack per se, these new actors carried it out with more recklessness than their Russian counterparts: They compromised a much larger number of networks, leaving a trail of vandalism in their wake. Yet this campaign failed to capture the sustained interest of the American public or many of its policymakers.

The SolarWinds hack initially grabbed headlines because of the sheer number of networks affected, but this belied the fact that the Russian operators had intentionally disabled almost all their backdoors without ever using them—they were carefully targeting a smaller number of networks. The Exchange perpetrators, conversely, had indiscriminately installed backdoors on any vulnerable server they could find on the internet—an order of magnitude more compromises than the Russians achieved—and had left these backdoors wide open with easily guessed, hard-coded passwords. Whereas the former hack was a carefully executed espionage campaign, not unlike those carried out by the U.S., the latter resulted in tens of thousands of networks left to the mercy of a thriving ransomware industry. 

The White House recently named the perpetrators behind the Exchange hack as Chinese government operatives. More important than public attribution, though, is for the United States to build international support for drawing lines between responsible and irresponsible operations in cyberspace. If the SolarWinds operation was a case of somewhat responsible hacking within the bounds of acceptable state action (even if Russia is far from a responsible actor in cyberspace), the Exchange operation, by contrast, demonstrates how an irresponsibly conducted espionage operation can escalate into collateral damage and instability.

The sense of crisis created by these two operations should not be wasted. Despite critical preventive efforts, offensive operations will continue apace in the foreseeable future—conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies. For there are better and worse ways for governments (and their explicit or de facto contractors) to operate in cyberspace. Benign countries should cooperate now to promote verifiable, technical norms for responsible offensive cyber operations.

The U.S. and its allies have previously sought to institute political norms against general categories of nation-state cyber activity. But broad norms, such as the one against all “supply chain hacks,” are sometimes technically ambiguous and impossible to enforce. Further, it would be hard to justify to adversaries why they should willingly constrain themselves from a potent method of access when they have no reason to believe the U.S. will reciprocate. A more diplomatically and technically plausible argument that Secretary of State Antony Blinken or National Security Adviser Jake Sullivan could credibly make to their Russian and Chinese counterparts is for reciprocal agreements not to use irresponsible techniques, such as haphazard backdoors and indiscriminate targeting, which cause significant instability and collateral damage.

More broadly, the U.S. should lead an international effort to decompose cyber operations into their component methods and behaviors and assess each on a spectrum of responsibility. This will be technically challenging for political leaders and others to understand, but cyber operators and those seeking to defend against them will appreciate the various distinctions, as we try to explain them here. Indeed, a key need in this field is for political leaders in dominant cyber powers to become educated about important variables in cyber operations and to engage each other in bringing oversight to them. This approach could be augmented with engagement between the leadership of states’ various operational entities. Adversaries will be more amenable to frank acknowledgement of a shared reality and accountability, rather than demands for wholesale cessation of all cyber operations. 

Offensive Cyber Operations

Nation-states engage in many virtual activities that fall into the amorphous space of offensive cyber operations: websites taken offline by an unprecedented influx of traffic, hospital networks irretrievably encrypted by malware, state secrets quietly copied from government computers. While any of these might colloquially be referred to as an “attack,” it is helpful to distinguish between cyber espionage—obtaining and exfiltrating confidential information—and cyberattacks, which are intended to achieve some kind of deleterious effect on an adversary’s system. This might be the difference between hacking a computer to read confidential data and hacking it to corrupt or erase that data.

Although many operations become public because they are disruptive attacks by design, most offensive actions by state actors are attempts at espionage, not destruction. These efforts happen quietly and frequently, aided by the plethora of insecurities plaguing computer networks and software. The offense has an asymmetric advantage; it will always be easier to find a single way inside a system than to prevent all possible methods of ingress. Many of these technical problems are still decades away from being ameliorated. Moreover, prevention is a question not simply of technical ability but of incentive alignment, extensive deployment and effective use—in both the public and the private sectors. 

We do not suggest that investing in defense is Sisyphean. On the contrary, the U.S. government must undertake a multipronged campaign to improve its cybersecurity. But this should be done without saddling the still-nascent effort with quixotic expectations, which then warp the U.S. reaction whenever spying is uncovered. If widespread prevention is impossible, protecting the internet from systematic failure will require shifting focus to shaping competitors’ actions toward predictable outcomes and effects.

Reduce Risks of Unintended Effects

Descending into the technical depths of cyber operations leads to the realization that a cyberattack is difficult to distinguish from espionage. The techniques used to gain access to a network and then navigate through it are often the same, regardless of the end goal. So, too, in many cases are the tools and infrastructure used. Differences between an attack and espionage might only appear once the operators begin executing their plan to cause damage or exfiltrate data. But neither is dispositive: an attacker might care less about stealth, yet a mediocre or lazy spy could also lack stealth and, worse, cause accidental damage.

While there is no clear technical divide between different kinds of cyber operations, there are important geopolitical differences between them. No state wants to be…