Cyber Retaliation Needs to Be Decisive, Swift, and Meaningful
Editor’s note: On 15 April the Biden Administration formally attributed the Solar Winds attacks to Russia’s Foreign Intelligence Service, the SVR. Soon thereafter they issued several directives implementing sanctions against Russia and some Russian related business leaders. The fall out from these actions is still underway and we will continue to track and assess how these matters could impact business and government strategies and decision-making. This post provides context important in assessing why any cyber retaliation needs to be both quick and meaningful.-bg
The United States finds itself in a precarious position having been victimized by two major breaches that have far-reaching impacts. The 2020 SolarWinds breach by suspected Russian state actors remains extraordinary in the number of global government and Fortune 500 companies and organizations affected. The breach caught several important U.S. government and military entities exposed, among them the Department of Commerce, the Department of Defense, the Department of Homeland Security, and the Department of Treasury, among others. While SolarWinds stood at the apex of data breaches when it was eventually identified, another breach by another state actor quickly revealed the extent of which sophisticated cyber espionage campaigns plagued the United States, threatening its national security. In March 2021, Microsoft disclosed that China state-sponsored actors had leveraged zero-day vulnerabilities to gain entry into Microsoft Exchange Servers, deploying additional malware to sustain long-term access. Data collected in mid-March indicated that Germany, the United States, and the United Kingdom were the most targeted countries, with government, military, manufacturing, financials, and software vendors accounting for a quarter of all exploit attempts.
The SolarWinds and MS Exchange Server breaches are very similar in that two cyber powers successfully executed sophisticated supply chain attacks to support cyber spying activities. Both China and Russia have been cited in numerous U.S. Intelligence Community worldwide threat assessments as being stalwart cyber threat actors with the capabilities to conduct a variety of cyber operations. But the expanse, demonstrated effort, and sophistication of these breaches draws comparisons to the U.S.’s own capabilities, famously revealed in the Snowden disclosures that unmasked the U.S.’ global surveillance and cyber espionage apparatus. These adversaries not only had the skillsets and patience to pull off such ambitious activities, but Beijing and Moscow proved themselves worthy competitors to U.S. cyber dominance.
However, the gravity of these attacks cannot be overlooked, immediately issuing alarms throughout the U.S. national security establishment. The fact that the U.S. government failed to detect the SolarWinds breach and had to be notified by a private sector company was a complete embarrassment, raising questions about its cyber security programs, resources, and defensive capabilities. An Intelligence Community review of the SolarWinds hack revealed Russian culpability, demanding some level of response from a Biden Administration that asserted retaliation at a time and place of its choosing. The public statement of making a retaliatory strike against Russia has put Moscow on the immediate defensive, giving it advanced warning, and enabling it to prepare for and mitigate an attack even if it goes undetected. But the more important question remains: as its first cyber test and against a near-peer cyber power to the U.S., what is the Biden Administration prepared to do?
The current Administration has gone out of its way to eschew any of the policies its predecessor promoted. As such, it would follow that this will extend to the cyber arena. Even though he may not have fully understand the complexities of the cyber domain (Trump infamously called it “the cyber” when running for election), as president, Trump nevertheless proved decisive when it came to offensive cyber operations. In 2018, Trump granted the Central Intelligence Agency more authority to conduct cyber attacks and covert activities against targets of interest. Then in 2019, he promptly sanctioned U.S. Cyber Command (CYBERCOM) to execute cyber strikes against Iran for its alleged attacks on two oil tankers in the Persian Gulf. By giving his leaders discretion in the execution of orders empowered them to operate more freely, a successfully strategy exemplified in CYBERCOM’s activities to take down a Russian troll farm ahead of the 2018 U.S. midterm elections. While these activities did not deter these adversaries’ behavior, they did demonstrate that Trump would conduct proportional responses in a timely, relevant manner. Trump may not have been a wunderkind in the cyber realm, but he certainly understood that in a domain where attacks occur within a nanosecond, it was necessary to act swiftly and resolutely in retribution less too much time transpire to make an effective statement.
It is undetermined how Biden will approach cyberspace. Unlike his predecessor, there is some evidence to suggest he (or perhaps the cast around him) has a better idea about the need for cyber security. The White House issue a new cyber executive order shortly to improve the government’s ability to address cyber security incidents, in addition to promoting supply chain security. Biden included approximately USD 10 billion in his recent COVID-19 package to improve the nation’s cyber security to include USD 9 billion investment in the Department of Homeland Security’s “Cybersecurity and Infrastructure Security Agency and the General Services Administration to execute new cyber security and IT shared services.” Additionally, the White House has selected a National Cyber Director role to centralize federal cyber security policy, and recently announced the selection of individuals to head up two important senior cyber roles.
But despite these positive initiatives, there are inconsistencies with how Biden is addressing the complexities of the cyber environment. Biden’s recent USD 2.25 trillion infrastructure plan did not include any funding to protect critical infrastructure against cyber attacks. This is an interesting development given the focus on the importance of safeguarding these industries, as well as the “Green” technologies that Biden advocates and that are being developed without a cyber security strategy in mind. Questions linger on whether Biden has an actual strategy for cyber space (the last one was developed in 2018), or if he will pay enough lip service to the cyber problem to give the impression that his Administration is working the issue.
More importantly, how will Biden approach our cyber adversaries, two of which are ranked in the top ten in the Belfer Center’s 2020 National Cyber Power Index and cited in the recent 2021 Intelligence Community Worldwide Threat Assessment? If history is a guide, Biden’s penchant for avoiding conflict (e.g., advising against the attack that killed Osama Bin Laden, preferring to compete against rather confront China) and relying on partner collectives instead of assuming a leadership role, begs the question if he’s ready to exercise his will on adversaries. While he has made public statements to the contrary (e.g., calling Putin a killer, saying he’s going to strike Russia for its alleged involvement in the SolarWinds breach), his interim national security strategy stresses containment over confrontation with international cooperation as the preferred engagement strategy. This suggests that cyber responses will be carefully thought out and debated but will ultimately lack the timeliness that such a response requires.
This ultimately works in the favors of our adversaries that can weaken these coalitions via other economic and diplomatic means and deals. What’s more, the longer Biden waits, the more uncertain and less formidable he appears when it comes to cyber issues and events, and the more emboldened states like China, Iran, and Russia become. Again, this favors our adversaries who have demonstrated intent and capability to decisively act when they deem it in their interests to do so.
One thing is clear: Biden’s response to the SolarWinds and Exchange Servers breaches are an important test for the White House’s understanding of today’s cyber environment. All signs to Biden imposing sanctions, though this doesn’t rule out a lower visibility cyber strike. A cyber retaliation needs to be more than a digital slap on the wrist; it needs to convey not only the president’s resolve but achieve a strategic calculus that sends a message to our adversaries who continue to exploit cyberspace at the U.S. expense. The ball is unquestionably in Biden’s court; it just remains to be seen if and when he decides to pick it up.
Global Risk and Geopolitical Sensemaking: This page serves as a dynamic resource for OODA Network members looking for insights into the geopolitical dynamics driving global risks. This collection of resources includes content produced exclusively for OODA members as well as a continually updated list of insights from our daily pulse report.
OODA on Corporate Intelligence in the New Age: We strongly encourage every company, large or small, to set aside dedicated time to focus on ways to improve your ability to understand the nature of the significantly changed risk environment we are all operating in today, and then assess how your organizational thinking should change. As an aid to assessing your corporate sensemaking abilities, this post summarizes OODA’s research and analysis into optimizing corporate intelligence for the modern age.
C-Suite Considerations Regarding Current Geopolitical Tensions: Something is different in the geopolitical situation today. The reasons are probably a combination of factors that include the pandemic, the rise of the global grid of cyberspace, plus the payoff of years of planning and strategic moves by our adversaries. But whatever the reasons, the world today is more complicated and more dangerous than the world of just a year ago, and in many cases the risks being faced by open societies have never been seen before. The changes are so significant, OODA recommends all business leaders take stock of the geopolitical situation and assess how the nature of these changes should impact your business strategy.
The Intelligent Enterprise Series: Special reports from OODA focused on corporate intelligence
Useful Standards For Corporate Intelligence: Based on lessons learned from the US intelligence community and corporate America
Optimizing Corporate Intelligence: Tips and best practices and actionable recommendations to make intelligence programs better.
A Practitioner’s View of Corporate Intelligence: insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making.
An Executive’s Guide To Cognitive Bias in Decision Making: Cognitive Bias and the errors in judgement they produce are seen in every aspect of human decision-making, including in the business world. Companies that have a better understanding of these cognitive biases can optimize decision making at all levels of the organization, leading to better performance in the market.
Russia Threat Brief:
Russia should be considered a kleptocracy, where the rule of law exists as long as it supports the objectives of the state and the ruling oligarchs. All U.S. businesses should exercise extreme caution before doing business in or with Russia. Our special report on The Russian Threat captures insights on the full spectrum of Russian capabilities and intention, including their actions in cyber conflict. For more read the continuously updated Russia Threat Brief. Also, be sure to check out our special report: Russia 2020: What Will Putin Do Next? and The Kinetic Potential of Russian Cyber War, which examines Russia’s mastery of cyber and kinetic linkages, and What Kleptocratic Support for Cybercriminals Means for Russian Cyber Capabilities and Cybercriminals as the Russian State’s Deniable Proxies and The Five Most Dangerous Criminal Organizations Acting As Proxies for Russia.