Follow us on social

Cyber-war-scaled

A lesson in cyber spying vs. cyber attack

So far the the 'Solar Winds' hack has added up to espionage, not sabotage. Let's be careful how we respond.

Analysis | Europe

One of the very first challenges for the Biden administration in foreign and security policy will be how to respond to the massive “SolarWinds” hack of U.S. government systems, most probably (though not yet certainly) carried out by the Russian intelligence services.

President-elect Joe Biden has said that the incident will be “an overwhelming focus for my administration.”

This is a relatively uncharted region of interstate relations, for which it is vitally important to draw up ground rules. Unfortunately, the response to the hack by American officials, politicians, and the media has already done much to blur the facts of the case and make a sensible response more difficult.

The most important thing to remember in this regard is the difference between an “attack” and an act of espionage. The SolarWinds hack has been generally described in the United States as the former (including by incoming national security adviser Jake Sullivan, and Biden), but was in fact the latter. Nobody is suggesting that the hackers in this case introduced viruses to paralyze U.S. state systems or damage domestic infrastructure and services. This was purely an information-gathering exercise.

This distinction is crucial. An attack on the citizens or infrastructure of another state has traditionally been considered an act of war. Actions by the United States, Russia, Israel and other countries in recent decades have somewhat blurred this distinction. But no one can doubt that if another country carried out a major act of sabotage on American soil, (especially one threatening the lives of citizens), then Washington’s response would — rightly — be a ferocious one.

As a matter of fact, while Russia has engaged in limited operations against Estonia and Ukraine, the only countries that have to date carried out a truly successful and destructive act of cyber-sabotage are the U.S. and Israel, through the "Stuxnet” virus, which as introduced into the Iranian nuclear system and first uncovered in 2010. 

Espionage by contrast is something that all states do all the time — often to friends as well as adversaries. We may remember the scandal under the Obama administration when U.S. intelligence was found to have hacked into the communications of German Chancellor Angela Merkel and other senior leaders of NATO countries. The hacking of a Belgian telecom company by British intelligence (“Operation Socialist”) is another example. And I would be both shocked and deeply disappointed to learn that U.S. intelligence is not trying to penetrate the state information systems of Russia and China. 

And for each revealed act of espionage there is a well-established and calibrated set of responses. The aggrieved country issues a formal protest and expels a given number of “diplomats” from the country responsible. That country expels an equal number of diplomats. The media and the writers of spy thriller writers have a party. Then everything goes back to normal. For after all, everybody knows that there is no chance whatsoever that states will ever give up spying.

There are, however, three aspects of cyber-espionage that make it different from and more dangerous than traditional espionage.

Firstly, as Jake Sullivan has pointed out, unlike most forms of espionage, hacking can be used both for spying and for sabotage, and one can form the basis for the other. A key goal of responsible statecraft should be to establish a clear line between the two when it comes to cyberspace: to develop a set of calibrated and limited responses to cyber-espionage, and to make clear that cyber-sabotage will lead to a much fiercer and more damaging retaliation.

Secondly, unlike traditional espionage, the cyber variety is an area where third parties, uncontrolled by either side, can play a major role and cause serious damage to relations (and of course this also gives all sides plausible deniability — as with U.S. moves against Iran).

For example, those behind the authors of the 2011 cyber-attack on the G20 summit in Paris have never been identified. Several major hacks have been conducted by independent cyber-anarchists, or even by clever teenagers, sometimes it seems simply for fun. In the present atmosphere, however, all such hacks against the United States are likely to be blamed on Russia and to lead to a further deterioration of relations.

Thirdly, and in part because of these blurred lines, no clear and understood international traditions are in place concerning the response to cyber-espionage, and there is a serious risk of overreaction leading to a spiraling escalation of tension and retaliation.

This is what the Biden administration must avoid. Apart from the immediate damage to relations, overreaction would mean that when — as is bound to happen someday — Russia or China eventually discover a cyber-espionage operation against them by U.S. intelligence, they will not only look justified in a disproportionate and escalatory response — they will actually be justified.

One thing that Biden must definitely not do is to follow the suggestion that the United States should shut Russia out of the SWIFT international bank transfer system which— the most damaging of all U.S. sanctions against Iran, and one that would have a disastrous effect on Russian trade.

Last year, then Russian prime minister Dmitry Medvedev said that Russia would regard such a move as equivalent to an act of war and would respond accordingly. Various Russian responses would be possible, including a definitive move into the Chinese geopolitical camp and massive military aid to Iran. Without doubt however, one of them would be to move from cyber-espionage to cyber-sabotage against the United States.

The most sensible response would in fact be to follow literally President-elect Biden’s statement that his administration will “respond in kind” to the attack is the most sensible — that is to say in the cyber-field. The first step (as after any counter-intelligence failure) must obviously be to strengthen U.S. cyber-defenses which. Amongst other things, this requires using presidential orders to combine, streamline, and rationalize the competing plethora of U.S. agencies currently responsible for cyber-security.

The second entirely appropriate response is for Washington to intensify its own existing cyber-intelligence operations against Russia. That, however, is another reason not to engage in overblown moral outrage over the latest hack. The American pot already has quite a global reputation for calling kettles black, and there is no need to blacken it further.

Finally, the Biden administration should do everything possible to develop agreed international restraints on state cyber-operations, including an absolute ban on cyber-sabotage. This should involve opening new negotiations with Moscow on longstanding Russian proposals for an international “arms control” treaty in the area of cyber-warfare, and for a joint U.S.-Russian working group to establish mutual ground rules and confidence building measures.

These Russian proposals cannot be accepted as they stand (above all because of Moscow’s desire to limit free flows of information); however, more than a decade ago, then- National Security Agency Director Keith Alexander said that “I do think that we have to establish the rules, and I think what Russia has put forward is, perhaps, the starting point for international debate.” This remains true today, and the danger of a failure to reach international agreement has grown vastly since then.

One of the worst things about hysterical statements in the United States about "cyber-attacks" is that unwary readers might mistakenly conclude from them that things can't get any worse. They can get much, much worse.


(FrameStockFootages/Shutterstock)
Analysis | Europe
Kim Jong Un
Top photo credit: North Korean leader Kim Jong Un visits the construction site of the Ragwon County Offshore Farm, North Korea July 13, 2025. KCNA via REUTERS

Kim Jong Un is nuking up and playing hard to get

Asia-Pacific

President Donald Trump’s second term has so far been a series of “shock and awe” campaigns both at home and abroad. But so far has left North Korea untouched even as it arms for the future.

The president dramatically broke with precedent during his first term, holding two summits as well as a brief meeting at the Demilitarized Zone with the North’s Supreme Leader Kim Jong-un. Unfortunately, engagement crashed and burned in Hanoi. The DPRK then pulled back, essentially severing contact with both the U.S. and South Korea.

keep readingShow less
Why new CENTCOM chief Brad Cooper is as wrong as the old one
Top photo credit: U.S. Navy Vice Admiral Brad Cooper speaks to guests at the IISS Manama Dialogue in Manama, Bahrain, November 17, 2023. REUTERS/Hamad I Mohammed

Why new CENTCOM chief Brad Cooper is as wrong as the old one

Middle East

If accounts of President Donald Trump’s decision to strike Iranian nuclear facilities this past month are to be believed, the president’s initial impulse to stay out of the Israel-Iran conflict failed to survive the prodding of hawkish advisers, chiefly U.S. Central Command (CENTCOM) chief Michael Kurilla.

With Kurilla, an Iran hawk and staunch ally of both the Israeli government and erstwhile national security adviser Mike Waltz, set to leave office this summer, advocates of a more restrained foreign policy may understandably feel like they are out of the woods.

keep readingShow less
Putin Trump
Top photo credit: Vladimir Putin (Office of the President of the Russian Federation) and Donald Trump (US Southern Command photo)

How Trump's 50-day deadline threat against Putin will backfire

Europe

In the first six months of his second term, President Donald Trump has demonstrated his love for three things: deals, tariffs, and ultimatums.

He got to combine these passions during his Oval Office meeting with NATO Secretary General Mark Rutte on Monday. Only moments after the two leaders announced a new plan to get military aid to Ukraine, Trump issued an ominous 50-day deadline for Russian President Vladimir Putin to agree to a ceasefire. “We're going to be doing secondary tariffs if we don't have a deal within 50 days,” Trump told the assembled reporters.

keep readingShow less

LATEST

QIOSK

Newsletter

Subscribe now to our weekly round-up and don't miss a beat with your favorite RS contributors and reporters, as well as staff analysis, opinion, and news promoting a positive, non-partisan vision of U.S. foreign policy.