Published by The Lawfare Institute
It’s been a little over a week since news broke of a strategic cyber campaign to exploit the update download of the SolarWinds Orion system administration software. Despite public appetite for concrete information, analysis of the exploit itself should be tempered when dealing with something so complicated and so recent. But what is already known about the SolarWinds attack can be drawn upon to provide a helpful example of the potential for cyber insecurity that flows from the very nature of cyberspace and to consider how best to address that insecurity.
Based on how the case is currently being framed by U.S. government public reporting, two major strategic lessons are clear: The United States must accelerate its adoption of the doctrine of persistent engagement across the entirety of its intergovernmental space, and it must advance more swiftly to a whole-of-nation-plus overall strategic footing in cyberspace.
This attack has taken place just as the initial shift in the U.S. government approach to cybersecurity has gotten underway to establish the capabilities, tactics and operations to make persistent engagement effective. Had the doctrine been in place fully and comprehensively, the form of this attack and its consequences may have been different. Why? This attack matches with the expectations of the doctrine. And I’m not alone in calling for this change to happen more quickly. The need to accelerate the country’s shift to defend forward and operationally persist aligns with similar findings of the Cyber Solarium Commission’s final report, particularly those discussed on pages 2, 24, 29, 111 and 112.
Some improvements are on the way. Certain provisions within the National Defense Authorization Act passed by Congress in 2020 will allow changes in authorities, agency responsibilities and capabilities to enable continuous cyber operations in defense of the federal government (and beyond). The Biden administration must accelerate U.S. capacity to persist.
Lessons for Whole-of-Nation-Plus
The attack has underscored the need for effective cybersecurity in all components of the federal government. Reports indicate that the locus of compromised systems is in the departments of Treasury, Commerce, State and Homeland Security. If the reporting is correct, this means that the attack hit systems primarily outside the purview of the Department of Defense and its U.S. Cyber Command, whose mission includes protecting the Defense Information Network. Responsibility for protecting the systems of other federal agencies falls to the Department of Homeland Security.
This suggests that considerations should now turn to how the Department of Defense’s defend forward strategy and U.S. Cyber Command’s operational approach of persistent engagement can be extended across these broader U.S. roles, responsibilities and authorities in cyberspace. SolarWinds, in fact, raises the prospect that the current doctrine of persistent engagement is too circumscribed and should be broadened through partnering and adoption across federal government agencies. Persistent engagement is not simply a military approach but should anchor a whole-of-nation-plus orientation in which synergy in the pursuit of cybersecurity exists across four core elements: intergovernmental coordination, alignment between the public and private sectors, and the engagement of one’s citizenry in actively contributing to securing the digital space through their behavior. The “plus” in this model is that the United States must coordinate similar synergy among its allies because the interconnected nature of cyberspace ties the U.S. closely to them. The United States remains exposed if its allies remain vulnerable to exploitation and vice versa.
While this bureaucratic issue is critical, broader implications must also be considered.
The New Paradigm in Cyber Strategy
The SolarWinds breach helps to highlight certain realities that U.S. cyber strategy must address.
Let’s accept the current public rendering of this case for discussion purposes. Reporting suggests that Russian cyber capabilities were directed at seizing control of a system administration software update download widely used by U.S. federal agencies and private companies. The goal? To use software updates as the entry point to U.S. government networks. This form of attack was seen in the spring 2017 Russian NotPetya attack in Ukraine, in a war context. Thus, SolarWinds can be understood as the result of the operational success achieved three and a half years ago. It exemplifies the fluidity of cyber capabilities development in which cyber activity developed in one context can open possibilities in a completely different context. While the code is different, the tactical and operational modality of NotPetya created the possibility to seek a new target against a different adversary for an entirely different end—the U.S. is not Ukraine, and U.S. government systems are different from Ukrainian infrastructure. This pattern—same modality, different target, different end—is not unusual but flows from the very nature of cyberspace and is a key reason why operational persistence is necessary for security.
It’s helpful here to consider the possible Russian objectives behind SolarWinds. This is where the case can be an enlightening example of the possible, regardless of what future reporting reveals. Achieving the technical ability to exploit is a simple capabilities development. It does not mean a state will or must deploy that capability. So, while immediate technical mitigation of the consequences of SolarWinds must be the priority, it is the Russian calculation to plan and execute the operation that should be the focus of strategists.
And this is the core extrapolation—the Russians could see this operation as a two-level game. There were strategic gains that the Russians achieved as the operation was taking place, and then the Kremlin also made a major strategic gain when the exploit was discovered. Why would you not pursue such an operation in which both operational success and failure produce gains in an overall strategic competition to leverage cyberspace to undermine the advantages the United States might hold relative to Russia?
The First-Level Game
The reported cluster of agencies breached—Treasury, Commerce, State and Homeland Security—points to a potential first-level objective (among others) of critical importance to Russia: the United States’s sanctions policies that continue to hamper Russian economic activity and the financial access and physical movement of Russian leaders. The first three agencies play a major role in U.S. sanctions policy planning and implementation. If Russia could gain direct insight on U.S. sanctions policies, it would enable Russian leaders to anticipate U.S. reaction to policies they might pursue—they might have a window into where the sanctions might have been weakening or redlines for them to avoid. Why the Department of Homeland Security? Getting into Homeland Security systems would help anticipate whether the operation was being discovered.
At one level, this is traditional espionage activity, but its scale and scope make it something qualitatively different. This is exactly the sort of campaign—leveraging espionage—that historian Michael Warner (now at U.S. Cyber Command) has been arguing is likely to occur due to the access and scale of operations that cyberspace now permits. In a noncyber context, placing a mole in each of these agencies would have been quite a feat. And even if a state could achieve that, the single person would exfiltrate just so much information (even the best-placed human spies of the 20th century, such as Britain’s infamous Cambridge Five, could hardly match what cyber exploitation now makes possible).
But the type of system administration control that the Russian government appears to have achieved through the SolarWinds breach goes well beyond simply extracting information. It means real-time constant monitoring across networks of these agencies and the potential to manipulate data and information traveling across them. Not your simple diversionary tactic of inserting a false paper folder on someone’s desk, but subtly shaping information flow at scale and speed consonant with decision-making processes. Imagine having the potential to subtly change an analysis document of potential sanctions targets and going into a document and dropping a particular sanction from a proposed new list. This means that an otherwise effective policy might get eliminated by Russian actors before it moves up through the bureaucracy to U.S. senior leadership. While there is no indication this has occurred, it is the potential that U.S. strategists must ponder now. There is a comprehensiveness (depth and breadth combined with potential direct action in real time) about this type of cyber operation that moves it beyond simply an intelligence contest.
And then comes the added benefit in this case. The rolling up of an intelligence operation always has some costs. When the spying ceases, one examines how the spy ring operated and assesses the width and depth of the spy-ring access. This costs time and focus, and in truly big cases takes years. But the outlines of SolarWinds suggest a second-level game that the discovery of the operation has enabled.
The Second-Level Game
The damage inflicted by the SolarWinds breach will continue long after the U.S. purges the exploit from its internal systems. In fact, the Russians achieved a strategic victory by the public detection of the operation.
The discovery of the exploit means that the United States can begin to mitigate the damage of Russian access. From a technical standpoint, it will be an arduous task. And given the interconnected nature of the technology, U.S. federal agencies will have to work under the assumption that their communication remains compromised now and potentially for some time across all its (unknown) agencies. This introduces a level of organizational friction into the federal government that goes well beyond technical mitigation and damage assessments. The 2017 U.S. National Security Strategy recognizes that the United States is in a strategic competition with other great powers and that cyberspace can be leveraged for strategic gain to advance national interests. The competition in cyberspace is all about who can exploit vulnerabilities to seize the initiative for themselves in advancing their interests. One possible initial explanation, thus, for this operation is that sanctions (and other policies) had given the United States some advantages in constraining Russian policy. SolarWinds provided the Russians the opportunity to regain their footing and minimally unbalance the United States by creating uncertainty within its bureaucracy and raising questions about planning it might have had relative to future Russian relations. The way to understand this case best is to see that Russia has seized the initiative from the United States through a cyber campaign, not merely a single operation. It has introduced a condition of insecurity within U.S. systems that now requires the U.S. government to focus on internal processes, vulnerabilities, and lost diplomatic, economic and national security advantages it might have had not only with its sanctions approach but also through larger policy agendas under each of the victim agencies.
It’s not automatic that a country can take advantage of this scenario. So, the gain for Russia is not knowable at this early stage, but what observers can understand better from this case is the reality of cyberspace and the potential to undermine security.
Due to cyberspace’s interconnected structure and its fluid technology base, this operation likely allowed Russia to change the conditions of security and insecurity in its favor for some period of time on several fronts of consequence. But it wasn’t just the operation that did the damage. It was through a discovery of that same operation that Russia was able to inflict more damage on American power. How? The undermining of the government’s unclassified cyber bureaucratic backbone will cause an erosion of trust in institutions at the federal level. The loss of trust in wide-scale base systems of communication, information storage and bureaucratic action is the consequence of the Russian activity being discovered. There were gains from the operation itself, but the scale and scope of the seven-month (so far) campaign have led to a completely different success, even as the campaign’s accesses are now being denied. This is an exemplar of the reality of competition in and through cyberspace. It is, in short, a textbook victory of operational persistence against the United States for the state that perpetrated it.
The Need to Counter Persistence
Persistent engagement and attendant strategies of defend forward and tactics like hunt forward all assume an environment of constant action due to the nature of cyberspace itself. They assume this form of adversary activity will continue. The best way to counter persistent cyber campaigns of adversaries who stay below the threshold of armed attack is to anticipate their actions continuously. This means grappling over who has the initiative in setting conditions of security and insecurity in and through cyberspace.
The U.S. needs to accelerate its shift away from a reactive posture. With the initiative, one can mitigate, in an anticipatory way ideally, the consequences that will flow from these continuous operations and campaigns. Security (for the U.S.) comes from making the consequences of (Russian) action inconsequential. Improving defenses and shortening recovery times are crucial but insufficient elements of comprehensive cybersecurity. Defense and resilience cannot be as effective if under constant stress, which a reactive posture does nothing to relieve.
Persistent engagement offers a more sustainable solution to the problem of adversary cyber aggression. It supports defense and resilience efforts with complementary efforts to require U.S. adversaries to use their pools of talent, time and treasure to focus internally as well.
The Russians appear to have achieved initiative in this case through a seam within U.S. authorities, roles and responsibilities created by the fact that the element of the U.S. government moving most rapidly to an anticipatory footing required for effective persistent engagement—U.S. Cyber Command—is not directly responsible for defending federal government systems. Shifting the defense enterprise away from decades of reactive threat strategies is no small undertaking. It began only a few years ago and is still under way. Shifting the entirety of the U.S. government’s posture to an anticipatory operational footing is a much bigger task. It will take an acceleration and broadening of the new paradigm of continually active engagement to counter adversaries who are themselves honing their strategies of persistence in and through cyberspace. This is where understanding the constructs of persistent engagement and defend forward opens the door for leveraging them for organizational change. The United States’s new way of pursuing greater security in cyberspace can drive changes in how the nation organizes to secure cyberspace.
Thus, there needs to be not only a broad shift in operational approach but also a shift in organizational structure toward a true whole-of-nation-plus approach. This means lots of changes. Such an approach will, for example, consider the private-public alignment necessary for more effective third-party outsourcing of software development. Because some portion of U.S. systems will rely on private-sector-produced software and hardware, anticipating their breach as a soft underbelly will have to inform security policies and practices in this environment in which state actors will leverage weak links in supply chains. One guiding principle is that U.S. policy must seek synergy at scale, not enhanced bureaucratic segmentation (rejecting, for example, talk of splitting the National Security Agency-U.S. Cyber Command dual-hat arrangement, which is a key organizational synergy point that the United States has gotten right).
Time to Persist and Accelerate Change
The exploitation of SolarWinds suggests what is possible when initiative is seized in cyberspace below the threshold of armed attack. It suggests the incentive structure that exists for states to build on capabilities and seek opportunities to exploit changes in the conditions of security in their favor. And given that broad incentive and the inherent opportunity that flows in cyberspace itself, the SolarWinds case suggests the absolute need for the United States to accelerate its shift to the doctrine of persistent engagement across a whole-of-nation-plus frame. While it reacts to the damage, the United States must proactively seek to regain its balance and eventually its initiative. Persistent engagement assumes exactly what appears to have occurred here. It offers the remedy to counter and, more importantly, preclude adversaries’ additional opportunities for exploitation. To do otherwise is to cede the field and leave the United States vulnerable to cyber campaigns at scale, scope and speed that will cumulatively undermine U.S. national power. In an environment of constant action, reliance on reaction is a recipe for decline and eventual defeat.