Less than four months after the revelation of one of the biggest hacking events in history—Russia’s massive breach of thousands of networks that’s come to be known as the SolarWinds hack—the US has now sent the Kremlin a message in the form of a punishing package of diplomatic and economic measures. But even as the retribution for SolarWinds becomes clear, the question remains: What exactly is that message? By most any interpretation, it doesn’t seem to be based on a rule that the United States has ever spelled out before.
On Thursday, the Biden administration fulfilled its repeated promises of retaliation for both the SolarWinds hacking campaign and a broad array of other Russian misbehavior that includes the Kremlin's continuing disinformation operations and other interference in the 2020 election, the poisoning of Putin political adversary Aleksey Navalny, and even older Russian misdeeds including the NotPetya worm and the cyberattack on the 2018 Winter Olympics. The Treasury Department has leveled new sanctions at six cybersecurity companies with purported ties to Russian intelligence services, as well as four organizations associated with its disinformation operations. They also specifically targeted oligarch Yevgeniy Prigozhin and Kremlin agent Konstantin Kilimnik, whom you may recall from the Mueller investigation.
But the most prominent of those sanctions—and most unprecedented—is the administration’s specific response to the SolarWinds campaign, in which the Russian foreign intelligence agency known as the SVR hid its code in the software updates of the SolarWinds IT management tool known as Orion to penetrate as many as 18,000 networks. Using that software supply chain attack and other vulnerabilities, the SVR breached at least nine US federal agencies, including the Department of Justice, DHS, the State Department, and NASA.
Russian intelligence services, the sanctions statement from the US Treasury reads, “have executed some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds cyberattack,” officially naming the SVR for the first time as the culprit behind SolarWinds. “The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyberoperations makes it a national security concern. The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers.”
But look closely at the SolarWinds sanctions response, and it's tough to see exactly what rule or norm for the world of state-sponsored hackers the Biden administration is seeking to write—or at least, what rule the US itself hasn't broken in its own hacking operations—says Bobby Chesney, a law professor at the University of Texas at Austin focused on cybersecurity and national security. Any rule that SolarWinds violates would be a new one, he argues, given that the hacking campaign was by all appearances focused on the kind of cyberespionage US intelligence agencies routinely carry out, with no clear evidence that it was intended to cause disruptive effects. The SVR hackers were even somewhat restrained, going so far as to use a kill switch that removed their malware from targets they didn't intend to spy on.
"It's all espionage, right? In fact, it looks like a fairly carefully crafted espionage campaign," says Chesney. "And so the question is, since we're now saying that crossed a line—you can't sanction somebody and say you're retaliating and punishing them for this and not mean to be drawing some kind of red line—what is it?"
The difference, Chesney suggests, is one of scale rather than substance. The SolarWinds hacking campaign's "shotgun, blunderbuss" approach, compromising thousands of networks to reach a handful of targets, is what could set it apart. The SVR's corruption of the software supply chain could be seen as uniquely reckless, but the US has tried that too, with operations that have compromised Cisco routers during shipping or built backdoors into the products of the Swiss encryption firm Crypto AG.
Some cyberpolicy critics see Biden's sanctions for SolarWinds spying in more cynical terms: an incoherent, knee-jerk response designed to satisfy anyone who'd accuse the administration of being soft on Russia. "This is not an attempt to correct Russia's behavior," says Dmitri Alperovitch, former CTO of security firm CrowdStrike and the founder of the cybersecurity-focused Silverado Policy Accelerator. "This is more about making us feel good that we're hitting back and mostly, frankly, for a domestic audience."
Alperovitch argues that punishing the Kremlin for careful cyberspying—and lumping it in with a large collection of far worse actions—in fact makes it even harder to rein in the Kremlin. "I'm not opposed to hammering Russia," Alperovitch says. "But it would have been much more effective if we'd focused on one or two things that we really think are beyond the pale and told them if you correct this behavior these sanctions will drop. That's how you achieve effects or at least have a chance of achieving effects. This is not it."
Still, administration officials have argued that even espionage can cross boundaries, especially at this scale. "In some ways the rule isn't new, though it might be new to cyberactivity," says J. Michael Daniel, the president of the Cyber Threat Alliance and the former cyber coordinator in the Obama White House. "Just because there's an acknowledgement that every state conducts espionage doesn't mean you don't respond when those activities get too big and too brazen."
Tom Bossert, the homeland security advisor to former President Donald Trump, echoes that view, and says that he would have taken similar steps to punish Russia had his tenure extended to the SolarWinds campaign. He argues that it falls under the same rule against hacking that lacks “discrimination and proportionality” that he intended to set with sanctions in response to Russia's NotPetya cyberattack in 2017, which caused $10 billion in damage around the world. Letting SolarWinds go unanswered, Bossert says, would be “like Japanese planes circling Pearl Harbor and we’re all sitting around saying, ‘Well, I’m certain and confident that this is just an espionage effort. They’re just up there taking pictures.’” He adds: “At this point, it’s Japanese planes not only over Pearl Harbor, but over New York, Washington, DC, Indiana, and LA, holding companies and agencies at risk.”
Biden administration officials said as much on Thursday, holding up the potential for destruction that the SolarWinds hackers’ degree of access could have caused as a key factor in the response. “What’s concerning is, from that platform, from the broad scale availability of the access they achieved, there’s the opportunity to do other things, and that’s something we can’t tolerate,” said NSA director of cybersecurity Rob Joyce in a call with reporters Thursday. “And that’s why the US government is imposing costs and pushing back.”
But critics of the administration’s response point out that while the SVR could have used its SolarWinds hacking to carry out enormous disruption, it didn’t. “You don’t hammer someone for what they could have done,” Alperovitch says. “You focus on what they actually did do.”
The White House, however, is likely judging Russia also on what it has done, the University of Texas’s Chesney argues. The NotPetya attack similarly used software supply chain hacking to spread destructive malware in what would come to be recognized as the costliest cyberattack in history. Russia’s GRU military intelligence agency carried out NotPetya, rather than the relatively careful and stealthy SVR. But that distinction may matter less than the similarity of the methods they used. “Russia is seen as a group,” says Chesney. “One kid in the group burnt their permission slip. And now everyone’s punished for it.”