Paul Kolbe, Director, Intelligence Project, Harvard University’s Belfer Center for Science and International Affairs
Paul Kolbe is the director of The Intelligence Project at Harvard University’s Belfer Center for Science and International Affairs. He previously served for 25 years as an operational officer in the CIA and was a member of the Senior Intelligence Service, in Russia, the Balkans, Indonesia, East Germany, Zimbabwe and Austria.
This article was first published by our friends from Russia Matters, of the Harvard Kennedy School’s Belfer Center for Science and International Affairs.
According to US officials, Russia is the likely perpetrator of the SolarWinds cyber compromise of federal agencies, private sector companies, NGOs and academic institutions. The scale and impact of the breach have drawn accusations that the operation was reckless and indiscriminate. Some politicians have labeled it an act of war, while other commentators have dismissed the SolarWinds compromise as routine espionage. Demands for punishment have been widespread.
We know few details about the breadth, depth and impact of the SolarWinds operation, although its scale was clearly enormous, with over 18,000 SolarWinds customers having downloaded the malware-laden software update. But we don't know which companies and agencies were actually affected, what information was compromised, or whether information systems were damaged. The lack of public disclosure probably reflects caution about revealing what is known and unknown, but it also signals the difficulty of assessing how badly we have been hit.
So how should the United States respond?
A natural inclination will be to strike back, both to change future Russian behavior and to strengthen cyber deterrence against other potential actors. Responses could include declaring Russian intelligence personnel persona non grata, indicting the perpetrators, imposing targeted sanctions, and carrying out similar operations against selected Russian systems. The goal would be not only punishment, but changing the risk-reward calculation for Russia and others when they consider new cyber operations.
But frankly, all of these actions have been tried in the past and have not slowed the cyber assault. Russia understands and adheres to reciprocity, and a specific and carefully calibrated counterstroke is an appropriate response to SolarWinds. But we shouldn't fool ourselves into thinking that such responses will stop cyber espionage or attacks. We are simply too fat and easy a target.
For this reason, retaliation is neither the most urgent nor the most important task at hand. Our most critical mission is to continually and comprehensively improve our cyber defense.
SolarWinds has dramatically highlighted what many cyber experts have long known and warned: the United States is pervasively and systemically vulnerable. Our attack surface (the systems, networks and devices that can be targeted and compromised) is enormous. The adversaries who exploit these vulnerabilities (states, criminal organizations and individuals) are growing in both number and skill. Russia is just one wolf in an ever-changing pack of cyber predators.
Meanwhile, our networks are tightly interconnected, but we organize our defense compartment by compartment. Government defenses are scattered across agencies, companies are reluctant to share news of breaches, and our intelligence agencies are outward-facing. Nobody has a complete view of the battlefield. Companies see cyber defense as a cost burden. Government budgets favor offense, and even when new funding is allocated to cyber defense, the focus is on protecting government systems rather than improving the fundamental security of the far larger and more vulnerable private sector infrastructure.
How could we better address our national systemic cyber vulnerability?
First, government efforts to strengthen defense should focus on the private sector, which builds, owns, manages and is responsible for most of our information infrastructure. Better incentives are needed to improve security practices and culture. Disincentives are also needed that impose a cost on those who put others at risk. Some elements in this regard could include:
- Federal security standards: Enforce minimum federal security standards for software and devices, much as we do for consumer product safety. Manufacturers will complain, as automakers did about safety regulations, but without such requirements it is unlikely that the components of our IT infrastructure will be built more securely.
- Liability: Companies that negligently design insecure systems and devices should be held accountable. In too many cases, cutting costs by omitting basic security features puts everyone at risk. Hardware and software manufacturers bear a particular responsibility here and should not be able to pass cyber risk on to millions of users without fear of consequences.
- Sharing intelligence: Threat information must flow seamlessly and immediately between public and private networks, but is instead fragmented by classification, business interests, legal restrictions, and a cultural inclination to hide rather than share. There should be a federal requirement to report cyber security breaches. Rarely does a single company fall victim to a given attack, and robust reporting requirements would help early detection and mitigation across many organizations. Transparency about breaches would also reward good security practices and give a competitive advantage to companies that protect their customers and the cyber commons.
We are in a new "Long War", a persistent cyber conflict that will play out over decades against multiple adversaries. This is a conflict in which the best offense may be a good defense. Limiting the damage that adversaries can inflict on us, while maintaining the ability to inflict asymmetric damage in return, offers the best hope of bolstering US national security and creating a world of cyber deterrence and restraint. It is to be hoped that SolarWinds marks a turning point, a pivot toward a more effective, defense-based national cyber strategy.
A response to this piece can be read here: "A punitive response to SolarWinds would be misguided, but cyber deterrence is still important" by Erica D. Borghard