Paul Kolbe, Director of the Intelligence Project, Harvard University Belfer Center for Science and International Affairs
Paul Kolbe is the Director of the Intelligence Project at Harvard University’s Belfer Center for Science and International Affairs. He previously served for 25 years as an operations officer in the CIA and was a member of the Senior Intelligence Service, serving in Russia, the Balkans, Indonesia, East Germany, Zimbabwe and Austria.
This article was first published by our friends at Russia Matters, of Harvard Kennedy School’s Belfer Center for Science and International Affairs.
According to US officials, Russia is the potential culprit behind the SolarWinds cyber compromise of federal agencies, private sector companies, NGOs, and academic institutions. Its scale and impact have led to accusations of a reckless and indiscriminate operation. Some politicians described the action as war, while other commentators dismissed the SolarWinds compromise as espionage. Calls for revenge have spread.
We know few details about the breadth, depth, and impact of the SolarWinds cyber operation, although its scale was clearly huge, as more than 18,000 SolarWinds customers downloaded tools loaded with malware. But we do not know which companies and agencies were affected, what information was compromised, or whether damage was done to any information systems. This lack of public disclosure likely reflects caution in revealing what is known and unknown, but it also indicates the difficulty of assessing how badly we have been affected.
So how should the United States respond?
The natural tendency would be to respond in order to modify Russian behavior in the future and to instill stronger cyber deterrence in other potential actors. Responses may include declaring Russian intelligence personnel persona non grata, accusing the perpetrators, targeted punishments, and carrying out similar operations against select Russian systems. The goal would be not only punishment, but also to change the way Russia and others calculate risk and gain when considering new cyber operations.
But honestly, all of these measures have been tried in the past and haven’t slowed down the cyberattacks. Russia values and adheres to reciprocity, and a carefully calibrated shot across the bow is appropriate in response to SolarWinds. But we should not fool ourselves into thinking that such responses will stop cyber espionage or attacks. We are simply too fat and easy a target.
For this reason, revenge is neither the most urgent task nor the most important one. Our most important mission is to relentlessly and comprehensively improve our cyber defense.
SolarWinds has largely revealed what many cyber experts have known and warned about: the United States is broadly vulnerable. Our attack surface – the systems, networks, and devices that can be targeted and breached – is very large. The skill and number of U.S. adversaries who may exploit these vulnerabilities – states, criminal organizations, and individuals – are growing. Russia is just one wolf in a sophisticated and growing group of cyber predators.
Meanwhile, our networks are intricately interconnected, but we organize our defense silo by silo. Government defenses are spread across different agencies, companies are reluctant to report abuse, and our intelligence agencies are directed overseas. Nobody has a complete view of the battlefield. Companies consider cyber defense an onerous cost. Government budgets favor offense, and even when new funds are allocated to cyber defense, the focus is on securing government systems, not improving the basic security of the larger and more vulnerable private sector infrastructure.
How can we better address systemic national cyber vulnerability?
First, government efforts to strengthen defense must be focused on the private sector, which builds, owns, manages, and bears responsibility for most of our cyber infrastructure. Better incentives are needed to improve security practices and culture. Disincentives are also needed that exact a cost for putting others at risk. Some elements in this regard may include:
- Federal Security Standards: Implement minimum federal security standards for software and hardware, just as with consumer product safety. Manufacturers will complain, as automobile companies did about safety regulations, but progress is unlikely without efforts to build safer components into our cyber infrastructure.
- Harm Law: Hold companies liable that negligently engineer unsafe systems and devices. In many cases, cutting costs and stripping out essential security elements put everyone at risk. Hardware and software producers have a special responsibility in this regard and should not be able to transfer cyber risks to millions without fear of repercussions.
- Intelligence sharing: Threat information should flow smoothly and instantly across private and public networks, but instead it is fragmented by classification, commercial interest, legal restrictions, and cultural tendencies to hide rather than share. There should be a federal requirement to report cybersecurity breaches. Rarely is a company the sole victim of any particular attack, and strong reporting requirements can aid early detection and mitigation. Breach transparency also stimulates good security practice and provides a competitive advantage to companies that protect their customers and the cyber commons.
We are in a new “long war”, an ambient cyber conflict that will continue for decades against multiple enemies. This is a conflict where the best offense may be a good defense. Limiting the potential harm that adversaries can do to us, while preserving the ability to inflict asymmetric harm, provides the best hope for enhancing US national security and creating a world of cyber deterrence and restraint. We hope SolarWinds represents a watershed toward a more effective, defense-focused national cyber strategy.
A response can be read here: “A Punitive Response to SolarWinds Would Be Misplaced, But Cyber Deterrence Still Matters,” by Erica D. Borghard.