US SolarWinds Response Unlikely to Change Russia’s Behavior, Highlights Need for Improved Cyber Defense
The United States has unveiled its overt response to Russia’s SolarWinds cyber operation—the expulsion of 10 Russian Embassy personnel from Washington, along with new sanctions on Russian sovereign debt and on Russian IT firms that support Moscow’s cyber intelligence operations. A “unseen” response promised by national security adviser Jake Sullivan, presumably cyber operations against Russian intelligence networks, has yet to publicly manifest. In response, Russia has denounced the “illegal” sanctions and predictably expelled 10 U.S. diplomats from Moscow.
Amid the flurry of accusation and counteraccusation, the question remains: Will the U.S. response to the SolarWinds compromise deter future Russian cyber activity? Based on what we’ve seen so far, I believe the costs on Russia imposed by the U.S. response will have little effect on future Russian cyber operations against U.S. government and private sector targets.
We do not know what the U.S. may undertake as part of the “unseen” response, but past experience would suggest cyber operations to signal displeasure are unlikely to change Russia’s behavior. A measured and proportional response will be shrugged off as the cost of business, and a cyber “shock and awe” campaign would risk escalation beyond U.S. intent.
Sanctions applied in this case highlight the diminishing impact of financial pressure. Russia had ample time to prepare for a U.S. response and will find work-arounds. The Kremlin will also turn sanctions pain into political gain, using the new U.S. measures to portray a hostile United States determined to weaken and threaten Russia. Appearing to stand strong in the face of this pressure boosts Putin’s image at home and distracts from other problems.
With the overt part of the U.S. response to SolarWinds now clear, let’s briefly consider the previous commentary on possible SolarWinds responses by myself, Erica D. Borghard and Anatol Lieven on this website. Apologies for any mischaracterization.
Borghard argued that a punitive response to SolarWinds would be unwise because the breach was not a destructive attack, but instead simply large-scale espionage against which deterrence is generally ineffective. However, she wrote that deterrence is both necessary and effective against destructive cyberattacks, noting as evidence that a “cyber Pearl Harbor” has not occurred. She commented that the hardest dilemma for policymakers is how to respond to cyber events that are somewhere in the gray middle between espionage and attack.
While it is true that the United States has not suffered a catastrophic cyberattack, it is nonetheless under sustained cyber assault, which is steadily undermining U.S. strategic advantages. However powerful our offensive cyber capability is, it has not deterred China’s sustained campaign to erode our economic, technological and military advantage. Similarly, our strength has not deterred Russia’s asymmetric use of low-cost tools to extract high-value intelligence, propaganda and political advantage.
Borghard is correct that how an incident is characterized—crime, espionage, an influence campaign or destructive attack—has huge bearing on the operational and policy response. However, the distinctions are not always obvious. In the case of SolarWinds, the U.S. was left to argue that, while espionage, the operation was reckless and destructive because the theft was so extensive and the cost to mitigate so expensive.
Both Borghard and Lieven note the need for cyber norms of behavior, and the importance of drawing boundaries of what is accepted (espionage) and what is unacceptable (destructive cyberattacks). Drawing cyber red lines, however, is difficult when espionage, preparation of the cyber battlefield and emplacement of destructive tools all looks the same.
Lieven and Borghard also agree on the problem of double standards. Lieven comments that “international conventions have to be … held and shared in common—and that applies to the U.S. as well as its rivals.” For her part, Borghard similarly makes the point that, “if the United States seeks to promote a norm against supply-chain compromises, for the norm to be meaningful Washington must also be willing to hold itself to the same standard.” The U.S. has been reluctant to negotiate on cyber rules of the road precisely because it doesn’t want to cede its perceived advantage or limit future options. Agreed-upon cyber norms, let alone a formal treaty, are unlikely anytime soon.
Which brings me back to my initial point about the necessity of fundamentally improving our national cyber defense. Reaction and response to cyber incidents, whatever form they take, is important for many reasons. But a strategy of systematically reducing the ability of Russia (or anyone else) to take advantage of our pervasive cyber vulnerability will pay larger dividends and make us fundamentally stronger and more resilient.
Paul Kolbe is the director of the Intelligence Project at Harvard’s Belfer Center and formerly served in the CIA’s Directorate of Operations in a variety of foreign and domestic roles, including as chief of station, chief/Central Eurasia division and Balkans group chief.
U.S. Navy photo shared in the public domain. The opinions expressed herein are solely those of the author.