Since even before he took office, President Joe Biden has promised a response to the massive campaign of Russian hacking that came to light just after he was elected. The rhetoric has only grown more heated since, with reports that some sort of reprisal may come in the next three weeks. That's just long enough, cyber policy experts hope, for the Biden administration to rethink its approach and avoid a punitive action against Moscow that, while perhaps politically expedient, would accomplish little and could even detract from efforts to curb a far more dangerous category of Russian hacking.
On Sunday evening, The New York Times published a report stating that the White House plans to retaliate against Vladimir Putin's regime for the intrusion campaign that has come to be known as the SolarWinds hack, in which likely Russian hackers compromised IT management software to access as many as 18,000 networks globally. The list of confirmed victims includes nine US federal agencies, among them the Pentagon, the Justice Department, and NASA. The Times reported that the Biden administration plans to respond with "a series of clandestine actions across Russian networks" intended to signal that Russia's hacking campaign crossed a line—"clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response," as national security adviser Jake Sullivan told the paper.
But before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed. Cyber policy wonks are quick to note that any rule that could justify SolarWinds retaliation is one that the US also violates with its own cyberespionage. As politically tempting as exacting punishment may be, it would not only be hypocritical but also would muddle any real attempt to control the Kremlin's other, far more reckless acts of hacking. And whatever precedent the Biden administration sets would likely have implications, too, for its response to a more recent, still-unfolding mass hacking event in which Chinese hackers used Microsoft Exchange vulnerabilities to break into tens of thousands of US networks.
"There are plenty of things to respond to in terms of Russia's malignant behavior, both inside and outside of cyber. This is not one of them," says Dmitri Alperovitch, cofounder of security firm CrowdStrike and now the executive chair of Silverado Policy Accelerator. Alperovitch points out that there's still no evidence that Russia's hacking in this case went beyond stealthy intelligence gathering of the sort the US performs routinely around the world. Even the large-scale hacking and supply chain attacks Russia relied on are techniques the US has carried out in the past, through the CIA's secret control of Swiss encryption firm Crypto AG, for instance, or the NSA's backdoor implants in Cisco hardware exposed in the Snowden documents.
The SolarWinds operation stands in stark contrast to another class of far more clearly norm-breaking Russian hacking activities, Alperovitch argues. Those more reckless incidents include operations by Russia's GRU military intelligence agency that stole and leaked emails from the Democratic National Committee and Clinton Campaign in 2016, unleashed the NotPetya worm that spread around the world and cost $10 billion in damages, and disrupted the 2018 Winter Olympics by destroying the games' IT backend. Russia's Olympics hack in particular received practically no response from the international community until the US indicted six of the GRU hackers allegedly involved more than two and a half years later.
By contrast, the SolarWinds hackers were far from reckless, going so far as to add a kill switch to their code designed to remove their malware from victim networks they ultimately decided not to hit, Alperovitch points out. "It was very targeted, very responsible," he says. "So not only is it not appropriate to whack them over the head for this, but it's actually counterproductive. Because guess what? You're going to piss them off, and the next time they're going to say, screw you, we were responsible last time and we got hammered, so this time we won't be."
Just how the White House actually plans to respond to the SolarWinds campaign remains far from clear. In comments to CNBC correspondent Eamon Javers, a White House official partially contradicted the Times' story, particularly its description of a "cyberstrike" that was later removed from the article's headline. (The White House didn't respond to WIRED's request for comment.)
That confusion may partly stem from internal debate over potential responses, suggests Jacqueline Schneider, a cybersecurity-focused Hoover Fellow at Stanford University. If so, Schneider says, she hopes it's not too late to steer the White House away from a punitive counterstrike. "My biggest critique would be their framing of SolarWinds as something that was 'unacceptable,'" says Schneider. Biden, for instance, has described the operation as a "cyber assault" and vowed that he won't "stand idly by" in its wake. "I think that norm is going to be almost impossible for them to actually build and really, really hard to enforce," Schneider adds. "And it binds the US's hands in places where we might otherwise have advantages."
Instead of retaliation intended to "signal" something to Russia or define a rule that the US won't want to abide by itself, Schneider suggests that any counterstrike for the SolarWinds campaign should target the hackers' ability to carry out that sort of operation again. It would look less like an effort to punish the Kremlin—such as an equivalent hack of Russian infrastructure or even economic sanctions—and more like a targeted disruption of the machines or networks used by the SolarWinds hackers themselves. Past examples of that sort of counterstrike include US Cyber Command's disruption of the criminal Trickbot botnet and the data-destructive attack on the network of Russia's disinformation-spewing Internet Research Agency. "You make their job harder to do, which makes them invest more resources, which diverts resources from other nefarious things," Schneider says. "The hope is that this gets them to focus on defense and they have fewer teams allocated towards finding vulnerabilities in, say, electric grids."
One former US government cybersecurity official described a slightly different approach that he analogized to a "brushback pitch," the baseball term for a close, inside pitch that forces the batter to back away from the plate. "We're going to make you duck," he says. "This ball won't hit you, but you're going to know that we're coming after you and take a step back."
That brushback tactic may not actually differ from a "retaliation" strike in substance. But framing it as a direct warning or counterstrike to the adversary hackers themselves rather than a norm-setting "punishment" for their bosses in the Kremlin could make that action more effective. "The kind of words that we're using for these things can matter a great deal," the former official says.
There are also steps short of a counterstrike that could still prove effective, says J. Michael Daniel, the former cybersecurity coordinator for the Obama administration. The US has tools to send subtle, diplomatic signals to adversaries, he points out. "You could use the cyber hotline that has been established between the United States and Russia and send a message that says 'hey, we know this is you, knock it off,'" Daniel says. "You can tie up certain diplomatic things that maybe the Russians want at the UN that the US otherwise might not object to but decides to slow roll. There are other ways to express your diplomatic displeasure."
But ultimately spying, even at the SolarWinds scale, is within the rules of the game, Silverado's Alperovitch argues. He harkens back to the comments of director of national intelligence James Clapper in a 2015 congressional hearing about the Chinese breach of the Office of Personnel Management, which resulted in the theft of reams of highly sensitive personal data on government officials. Clapper made clear in that hearing that he did not see the OPM breach as an "attack" but rather an act of espionage of the kind the US might well have carried out itself.
"This is a case of 'good on them, shame on us,'" Alperovitch says, loosely paraphrasing Clapper's remarks. "Let's focus on making sure that we make it really hard for them to do this to us again."