A lesson in cyber spying vs. cyber attack
One of the very first challenges for the Biden administration in foreign and security policy will be how to respond to the massive “SolarWinds” hack of U.S. government systems, most probably (though not yet certainly) carried out by the Russian intelligence services.
President-elect Joe Biden has said that the incident will be “an overwhelming focus for my administration.”
This is a relatively uncharted region of interstate relations, for which it is vitally important to draw up ground rules. Unfortunately, the response to the hack by American officials, politicians, and the media has already done much to blur the facts of the case and make a sensible response more difficult.
The most important thing to remember in this regard is the difference between an “attack” and an act of espionage. The SolarWinds hack has been generally described in the United States as the former (including by incoming national security adviser Jake Sullivan, and Biden), but was in fact the latter. Nobody is suggesting that the hackers in this case introduced viruses to paralyze U.S. state systems or damage domestic infrastructure and services. This was purely an information-gathering exercise.
This distinction is crucial. An attack on the citizens or infrastructure of another state has traditionally been considered an act of war. Actions by the United States, Russia, Israel and other countries in recent decades have somewhat blurred this distinction. But no one can doubt that if another country carried out a major act of sabotage on American soil, (especially one threatening the lives of citizens), then Washington’s response would — rightly — be a ferocious one.
As a matter of fact, while Russia has engaged in limited operations against Estonia and Ukraine, the only countries that have to date carried out a truly successful and destructive act of cyber-sabotage are the U.S. and Israel, through the “Stuxnet” virus, which as introduced into the Iranian nuclear system and first uncovered in 2010.
Espionage by contrast is something that all states do all the time — often to friends as well as adversaries. We may remember the scandal under the Obama administration when U.S. intelligence was found to have hacked into the communications of German Chancellor Angela Merkel and other senior leaders of NATO countries. The hacking of a Belgian telecom company by British intelligence (“Operation Socialist”) is another example. And I would be both shocked and deeply disappointed to learn that U.S. intelligence is not trying to penetrate the state information systems of Russia and China.
And for each revealed act of espionage there is a well-established and calibrated set of responses. The aggrieved country issues a formal protest and expels a given number of “diplomats” from the country responsible. That country expels an equal number of diplomats. The media and the writers of spy thriller writers have a party. Then everything goes back to normal. For after all, everybody knows that there is no chance whatsoever that states will ever give up spying.
There are, however, three aspects of cyber-espionage that make it different from and more dangerous than traditional espionage.
Firstly, as Jake Sullivan has pointed out, unlike most forms of espionage, hacking can be used both for spying and for sabotage, and one can form the basis for the other. A key goal of responsible statecraft should be to establish a clear line between the two when it comes to cyberspace: to develop a set of calibrated and limited responses to cyber-espionage, and to make clear that cyber-sabotage will lead to a much fiercer and more damaging retaliation.
Secondly, unlike traditional espionage, the cyber variety is an area where third parties, uncontrolled by either side, can play a major role and cause serious damage to relations (and of course this also gives all sides plausible deniability — as with U.S. moves against Iran).
For example, those behind the authors of the 2011 cyber-attack on the G20 summit in Paris have never been identified. Several major hacks have been conducted by independent cyber-anarchists, or even by clever teenagers, sometimes it seems simply for fun. In the present atmosphere, however, all such hacks against the United States are likely to be blamed on Russia and to lead to a further deterioration of relations.
Thirdly, and in part because of these blurred lines, no clear and understood international traditions are in place concerning the response to cyber-espionage, and there is a serious risk of overreaction leading to a spiraling escalation of tension and retaliation.
This is what the Biden administration must avoid. Apart from the immediate damage to relations, overreaction would mean that when — as is bound to happen someday — Russia or China eventually discover a cyber-espionage operation against them by U.S. intelligence, they will not only look justified in a disproportionate and escalatory response — they will actually be justified.
One thing that Biden must definitely not do is to follow the suggestion that the United States should shut Russia out of the SWIFT international bank transfer system which— the most damaging of all U.S. sanctions against Iran, and one that would have a disastrous effect on Russian trade.
Last year, then Russian prime minister Dmitry Medvedev said that Russia would regard such a move as equivalent to an act of war and would respond accordingly. Various Russian responses would be possible, including a definitive move into the Chinese geopolitical camp and massive military aid to Iran. Without doubt however, one of them would be to move from cyber-espionage to cyber-sabotage against the United States.
The most sensible response would in fact be to follow literally President-elect Biden’s statement that his administration will “respond in kind” to the attack is the most sensible — that is to say in the cyber-field. The first step (as after any counter-intelligence failure) must obviously be to strengthen U.S. cyber-defenses which. Amongst other things, this requires using presidential orders to combine, streamline, and rationalize the competing plethora of U.S. agencies currently responsible for cyber-security.
The second entirely appropriate response is for Washington to intensify its own existing cyber-intelligence operations against Russia. That, however, is another reason not to engage in overblown moral outrage over the latest hack. The American pot already has quite a global reputation for calling kettles black, and there is no need to blacken it further.
Finally, the Biden administration should do everything possible to develop agreed international restraints on state cyber-operations, including an absolute ban on cyber-sabotage. This should involve opening new negotiations with Moscow on longstanding Russian proposals for an international “arms control” treaty in the area of cyber-warfare, and for a joint U.S.-Russian working group to establish mutual ground rules and confidence building measures.
These Russian proposals cannot be accepted as they stand (above all because of Moscow’s desire to limit free flows of information); however, more than a decade ago, then- National Security Agency Director Keith Alexander said that “I do think that we have to establish the rules, and I think what Russia has put forward is, perhaps, the starting point for international debate.” This remains true today, and the danger of a failure to reach international agreement has grown vastly since then.
One of the worst things about hysterical statements in the United States about “cyber-attacks” is that unwary readers might mistakenly conclude from them that things can’t get any worse. They can get much, much worse.