Published by The Lawfare Institute
in Cooperation With
“Brexit means Brexit” started out its life in the U.K. as a spectacularly successful political slogan four and a half years ago. It sounded authoritative and purposeful, yet at the same time unobjectionable. It was enough to convince British supporters of leaving the European Union that a new prime minister, Theresa May, who had supported staying in the bloc, would deliver what they wanted. More importantly, it was enough to reassure a shocked nation that the uncharted journey ahead was in safe hands.
Its genius as a slogan was its undoing as a governing philosophy. As a slogan it worked because no one really understood what it meant, and therefore anyone could interpret it as they chose. In government, that malleability could not and did not hold. Moreover, as a slogan it made Brexit sound simple. The governing reality was that the process of leaving the European Union was extraordinarily complicated and involved extremely difficult choices.
The slogan of Western cyber policy—that “we will impose costs to deter our adversaries” (or variants of these words)—is at least as old as “Brexit means Brexit.” As head of the U.K.’s cybersecurity efforts from 2014 to 2020, I heard it many times. I heard it when standing alongside Philip Hammond, one of May’s most senior ministers when the U.K.’s National Cyber Security Strategy was launched, just a few months after the Brexit referendum in December 2016. A year later, Boris Johnson, then British foreign secretary, flew to Moscow with a heavily briefed public warning to his Russian counterpart that the U.K. would seek to impose costs on Russian cyber activity. Johnson resigned (over Brexit) shortly afterward, to be replaced by Jeremy Hunt. They may have differed over Brexit, but Hunt’s cyber deterrence rhetoric was from the same script. In 2019, in a speech in Glasgow, he said that “the British government’s starting point is that we must impose a price on malicious cyber activity.” Johnson is now of course back, as prime minister, reunited with the permanent slogan of British cyber policy.
The cyber slogan serves the same function as its Brexit counterpart. It conveys purpose and authority without saying anything in detail. But so far it has proved equally unsuccessful: Whatever other improvements that have been made in Western cybersecurity in the past few years, and there have been many, deterring hostile state attackers has not been one of them. “Imposing costs” has become the “Brexit means Brexit” of the cyber domain: a catchy, useful political slogan devoid of meaning, substance and—consequently—impact.
So it is striking that the phrase made a reappearance in President-elect Biden’s otherwise very impressive Dec. 17 statement on the SolarWinds operation. Biden’s statement talks of prioritizing cybersecurity in light of the massive campaign of digital espionage carried out by the Russian intelligence services. Biden’s statement is hugely welcomed by anyone who cares about the security of Western cyberspace. It shows that the Biden team, unlike the outgoing administration, understands the significance of what happened as a result of the operation. Its pledge to make cybersecurity “a top priority” is borne out by those who’ve been in contact with senior members of the incoming administration.
Toward the end of the statement, however, the president-elect reverts to the well-worn cyber slogan. He states that the new administration will seek “to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place” and that “we will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks” (note the remarkable resemblance to the statement by the then British foreign secretary in 2019). Given the unhappy record of successful delivery on such statements, the audience is entitled to wonder what that might actually mean.
First, let’s look at what those phrases are often thought to mean but, in reality, can rarely, if ever, mean: direct retaliation and escalation in cyberspace. Like “Brexit means Brexit,” “imposing costs” can mean what you want it to mean. So for many, it’s taken to mean that the U.S. (and allies) will now unleash hitherto locked-away offensive cyber capabilities that have previously been voluntarily foregone, and take the cyber fight to the adversary. (Biden, in presaging his “imposing substantial costs” remark with “a good defense is not enough,” gives cause to speculate that this is what he might be hinting at. In the same way, in the U.K. back in 2017, Johnson was clear to Russian Foreign Minister Sergey Lavrov that he was talking about like-for-like retaliation as a response to Russian cyber activity. To be fair, Hunt, in 2019, spoke of a broader range of responses than just offensive cyber.)
This interpretation of imposing costs is attractive not least because, thanks to the sometimes necessary secrecy surrounding cyber operations, the government doesn’t have to prove that it’s responded effectively. It just has to hint that it has responded in kind, or is planning to, and answer no further questions. Such sentiments are often accompanied by the language of war, equating cyber intrusions with military strikes. According to this way of thinking, the aggrieved Western country is going to sort out the problem of Russian state hacking by whacking them on some sort of secret, invisible digital battlefield.
This approach is deeply flawed in both principle and practice. Part of the problem arises from the conflation of two related but distinct concepts: that of cybersecurity on the one hand, and cyber power on the other. There are links between the two, of course. But they are two different things, serving two quite distinct purposes.
Cybersecurity is, well, cybersecurity. It is about the security of the digital homeland: of the networks and devices and digital services and capabilities on which our societies depend. It’s about the protection of everything online from consumers to corporations to personal data to state secrets. Cyber power, on the other hand, is the protection of national security from any type of threat where the use of cyber capabilities might be appropriate to further that goal, as well as the projection of state power for any relevant policy goal through cyber capabilities. Therefore, cybersecurity is not a subset of cyber power, and the aim of cyber power is not cybersecurity. To say otherwise is to adopt the boxing-ring mentality of cyberspace: that cyberspace is a special, enclosed domain with its own rules and whoever is better at cyber will come out better.
In reality, while cyber power has its uses, it is already clear that it is remarkably ineffective as a response to, or deterrent against, hostile state cyber activity. Two months ago at King’s College London, I set out a five-level taxonomy for thinking about how, why and when offensive cyber capabilities might be used. I won’t reanalyze it in detail here, but using it to chart the options for a SolarWinds response shows just how few, if any, realistic response options offensive capabilities provide in such cases.
Many of the already confirmed uses of cyber offense (such as those against international terrorists and online child sex exploiters), as well as those that are planned (to support conventional warfighting) are laudable and may prove effective. But they don’t have anything to do with deterring hostile state digital spies and hackers. There is no reason why heightened offensive activity in these areas, which most Five Eyes countries are planning, would have any deterrent effect at all on hostile state hacking.
There are some narrow exceptions to that rule. A direct cyberattack on an adversary’s infrastructure to destroy it and therefore prevent its future hostile use is one obvious possibility. The U.S. seems to have carried this out against Russia’s Internet Research Agency in order to disrupt its ability to propagate election-related disinformation. It has been used against transnational cyber criminals in the past and should, in my view, be deployed where possible against the scourge of ransomware. So it might, theoretically, work in response to SolarWinds.
But the SolarWinds hackers will prove a much harder target. (Let’s assume it’s the SVR, one of the main intelligence agencies, as is widely reported. If it isn’t them, it’s highly likely to be one of the other major Russian intelligence services.) The Internet Research Agency is just a troll farm, making up lies, or hunting for already-published lies, and spreading them on the Internet. So the Internet Research Agency is low hanging fruit. The SVR, by contrast, is an elite intelligence agency with expensive covert infrastructure and better operational security. It’s a much harder target. Even if successful, the SVR would regard such an attack as a setback, not a deterrent. And there’s also the problem of reciprocity: In launching offensive operations against the SVR, the U.S. must realize it is saying that a direct, destructive attack against intelligence agency infrastructure is acceptable conduct in cyberspace. That might be right, but it will cut both ways.
Going beyond this direct cyber retaliation—in effect, going for escalation—is either impractical or unjustifiable in this and similar cases. Cyber operations such as spreading disinformation or misinformation within Russia are doable, but it’s not clear whom or what it would deter (“sending a message to the adversary” has become a suitably meaningless subset of “imposing costs”). And if detected, it would be seen to legitimize the same activity in the opposite direction as an appropriate response to American espionage.
Attacking civilian critical infrastructure, or even launching a so-called prepositioning attack with the implicit threat to do so, is also something the U.S. and allies are perfectly capable of doing technically. Russia has turned off a French TV station and switched out the lights in Kiev; the U.S. and its allies can technically match (at least) those attacks. But to do this type of operation—especially anything that disrupted or risked the lives of civilians—in response to an espionage operation would be an extraordinary decision: disproportionate, unethical, illegal, counterproductive and pointlessly escalatory.
All this explains the apparent paradox of U.S. cyber policy. President Obama could have correctly asserted, as he did in 2016, that the U.S. has the best offensive cyber capabilities in the world. John Bolton as national security adviser in 2018, boasted of unleashing those same capabilities two years later, saying that “our hands are no longer tied, as they were in the Obama administration.” And yet just two years later, the U.S. has suffered one of the worst cyber breaches in its history, orchestrated by a principal adversary, and this awesome offensive arsenal offers few, if any, serious options to respond to the intrusion.
Offensive cyber capabilities have their place, but by and large they don’t work in imposing costs on hostile cyberattackers and they certainly don’t deter them. Indeed, as Jason Healey has argued powerfully on this site, they may even incentivize adversaries to improve their own capabilities and increase their willingness to use them.
But the West should respond. So what do we do to impose costs once we’ve realized the solution does not lie on some fictional and unseeable battlefield? The answer probably lies in two areas of sustained, incremental effort as well as facing up to the consequences of one hard choice.
The first sustained effort is around improving cybersecurity. Making the job of a hostile state hacker extremely onerous by having strong defenses is much less interesting than the idea of covert digital combat. But it can be very effective. Cybersecurity is fundamentally attritional. Hardening defenses doesn’t immunize against attack, but over the long haul it yields results. True, the sophistication of the SolarWinds operation makes some of this “security-first” argument a harder sell, not least because those who eschewed best practice and did not install the compromised SolarWinds update escaped harm. And Ben Buchanan has expertly set out just how hard this particular operation was to defend against. But many other hostile nation-state compromises are much easier to guard against through effective cybersecurity. For example, basic improvements would have stopped, or substantially mitigated, the huge Chinese supply chain compromise through information technology services companies exposed in 2018.
And anyway, SolarWinds exposes the need to address fundamental cybersecurity questions about the way technology markets work. Why is it so hard to assess the quality of the security of providers? Why does insurance not provide the same incentive to improve security that it does in all sorts of other areas? Why is it that governments fail to spot the concentrated risk in the supply chain of single points of failure like SolarWinds, and act to mitigate that? The Biden statement implies renewed impetus and focus on these types of mundane but essential questions. (The statement says plainly, “We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks.”) Good.
The second sustained effort to impose costs lies in the statecraft of response using the full range of government capabilities: economic, technical, legal and diplomatic. As with offensive cyber operations, there is no magic button to press here and the details seem underwhelming. And, like cybersecurity, it’s a long, hard, unglamorous slog.
But there is clear evidence that some measures are effective in some circumstances at least some of the time. Suzanne Spaulding, a commissioner on the Cyberspace Solarium Commission and senior cybersecurity figure in the Obama administration, has rightly pointed out that the Obama administration’s pushback on China through the threat of sanctions, indictments and diplomatic exposure (the tireless diplomatic work of Chris Painter deserves special credit here) brought Beijing to the table in 2015. The subsequent agreement, hugely imperfect though it was, led to significantly quieter hostile Chinese activity for several years. The power of the indictment, in particular, which rules out safe travel to the entire West for the individual hacker, for life, has had impact beyond China. Indictments are not a magic solution, but they irritate hacker and hostile government alike.
It’s fair to say that some of these techniques have proved less effective against Russia. But exposing and publishing the technical details of their attacks, as U.S.- and U.K.-led alliances have done on repeated occasions, blunts the effectiveness of these Russian operations. If you’re seriously interested in imposing costs that deter attackers, then putting the details of Russian attacks online renders them useless in the future and allows victims to find compromises. It’s a seemingly dull but sometimes effective measure. If these types of activity are what the president-elect really means by “imposing substantial costs,” that could potentially be very powerful, particularly if accompanied by a sustained improvement in domestic cybersecurity. And Biden has a well of expertise to draw from among those who pioneered some of these techniques in the Obama administration.
Then comes the hard choice. The latest U.S. intelligence community assessment bears out what experts like Dmitri Alperovitch have said all along: SolarWinds looks like a massive espionage operation; nothing more, nothing less. And, as Jack Goldsmith pointed out in his excoriating critique of some of the hyperbole around SolarWinds, massive espionage operations are what the Five Eyes do better than anyone.
There are good reasons why the Biden administration will want to respond to SolarWinds. But there are serious reciprocity concerns to keep in mind. It would be most unwise for the incoming administration to send a signal that it regards this type of activity by Russia as inherently unacceptable unless it is prepared to face up to the consequences of that conclusion for the Five Eyes’s own activities. Indeed, the description of Russian activity in the latest U.S. intelligence statement on SolarWinds bears striking resemblance to the sorts of arguments I personally swore to in court statements defending the U.K. government in post-Snowden legal cases: Digital intelligence gathering requires sweeping accesses, sometimes gained through unwitting compromise of the private sector, and these accesses are then whittled down into a much smaller number of useful targets for intelligence exploitation.
It is unlikely that the Five Eyes will want to forego the security benefits of its large-scale digital espionage operations. There are sound reasons not to. But for as long as the Five Eyes continue to benefit from their own operations, it makes no sense to overreact to those intrusions. Among the United States’s allies, even in very pro-U.S. Britain, there is a sense that while the U.S. (and, by extension, its allies) has been harmed by the SolarWinds intrusions, there is no sense the U.S. has been wronged by them. The Biden administration demonstrably cares more about the views of allies than does the administration it is replacing, going so far as to stress the importance of working with allies in his statement. The Biden administration would not gain support from allies if it escalated a dangerous cyber conflict with Russia in response to Russian activity that very closely resembles our own activities. If, however, it embarked on a sustained program of engagement on improvements to the security of the West’s digital economy, and on accompanying pushback to hostile cyber activity by more effective means, its leadership will once again be hugely welcomed.
The lesson of SolarWinds for Western governments, including the incoming U.S. administration, is this: There isn’t some menu of options for “imposing costs” that we’ve all just been too lazy or timid to order from. Beware, in particular, the snake-oil sales pitch of offensive cyber as a deterrent. Defending a free and open digital society is a difficult, challenging, long-term, whole-of-society problem. It’s precisely because Western digital societies are sophisticated, open and free that the West has more to lose from the weaponization of cyberspace. Much better to harden the West’s defenses and respond in ways that the likes of Russia will actually care about.
As with Brexit, you can’t sloganize your way out of a fiendish problem of statecraft. There are options for imposing costs, but they’re hard, and unglamorous.