Follow us on social

Putin-biden

Biden's retaliatory cyberattacks against Russia are folly

This act of aggression could end up causing far more harm to the U.S. than the initial SolarWinds hack did.

Analysis | Europe

The Biden administration is reportedly planning a “retaliation” against Russia in the next three weeks or so for last year’s massive “SolarWinds” hack of U.S. cyber infrastructure, for which Russia was allegedly responsible.  

The New York Times has written that U.S. plans include both new sanctions against Russia and U.S. cyber hacking of Russian state institutions. According to the Times, this will include “a series of clandestine actions across Russian networks,” which U.S. intelligence has already prepared. According to National Security Adviser Jake Sullivan, the response is intended to show Russia “what (actions) the United States believes are in bounds, and out of bounds.”

We hope that wiser counsels can still prevail, and in particular, that someone in the administration will notice both the logical incompatibility of these two responses, and the fact that they could set a precedent that will be used against America itself in future.

Because, as Sullivan’s remarks indicate, the imposition of sanctions implies a belief that state cyber hacking is illegitimate in what the United States  calls a “rules-based global order.” The threat of U.S. retaliation in kind declares out in the open that the United States also plans to engage in these supposedly illegitimate actions, and is an implicit acknowledgement that Washington has indeed repeatedly engaged in similar actions in recent years. 

More importantly, the planned action reflects two very serious errors in judgement, which left unchecked, could increase in scope under the new Biden administration. The first is a tendency, amplified by much of the U.S. media, to attribute blame to Russia for negative developments based on inadequate evidence, which the American public is hardly given a chance to view or assess. Furthermore, there is a proclivity to base U.S. policy on information that may be unclear, exaggerated, or simply untrue.

Concerning the SolarWinds hack, U.S. intelligence services can only say that the Russian state was “most probably” or “very probably” to blame for the hack. The New York Times has reported this as a certainty, but it is in fact extremely difficult to pin down for certain the national origins of such hacks, and even more difficult to determine if they were the work of state forces or independent actors. We may well reasonably assume that Russian intelligence services were responsible, but action of the kind that the Biden administration is contemplating should be based on something more than probability.

The second error, as I pointed out in Responsible Statecrafton January 13, and as has been argued since in a paper by Major Juliet Skingsley  for Chatham House in London, and in Wired by Andy Greenberg, is the use of the phrase “cyberattack,” reflecting an extremely dangerous confusion between cyber espionage and cyber sabotage.

Cyber sabotage is like all forms of sabotage: a deliberate attempt to damage public or private infrastructure. If it leads to deaths, then it can well be considered an act of terrorism or of war. This is indeed action that violates all traditional rules of international behavior in peacetime. 

Writing about a “Russian cyberattack” against the U.S. Energy Department and Nuclear Security Administration suggests actual damage to those institutions and the infrastructure they control. Among other hysterical political reactions, Democratic Senator Dick Durbin called the SolarWinds hack (which of course he described as a “cyberattack” and attributed unconditionally to Russia) as “virtually a declaration of war.” This has been echoed by Senator Chris Coons and others.

No such attack happened. Nor is it at all likely that Russia would carry out such sabotage unless Russia and the United States were already on the edge of war. This suggestion is in keeping with the equally absurd warning last year from NATO officials that in time of peace, Russian submarines might attack undersea communications cables — in the process, by the way, doing great damage to Russia itself, and to Russian partners. This analysis appears to have emanated in the first instance from the British Navy, in an absolutely transparent attempt to save itself from budget cuts. As with most of the SolarWinds allegations, these suggestions involved a confusion —whether careless or deliberate — between espionage and sabotage operations 

The SolarWinds hack was an act of espionage by contemporary means. As pointed out in the analysis for Chatham House, an interesting (and amusing) feature of the hack is that if it had not been voluntarily reported to the U.S. government by a private security firm, then — as with all the most successful espionage operations — nobody in America would ever have known that it had happened. Believe me, if Russia ever does decide to attack America, we will know about it. 

All states conduct espionage, including most notably the United States itself. Edward Snowden revealed the massive scale of electronic and cyber espionage, not only against Russia and other U.S. rivals but against America’s closest allies. In 2015, Wikileaks revealed that for decades, the National Security Agency had been spying on top German government communications, including hacking the phone of German Chancellor Angela Merkel. 

Moreover, the United States is a global leader in cyber sabotage. As the Timesitself has reported, not only has Washington carried out massive cyberattacks on Iran, it has planted malware in much of Russia’s energy infrastructure — though supposedly only to be activated in response to a Russian attack.

Under the new “Defend Forward” cyber-strategy, the Trump administration decided that the United States would itself set out to disrupt any potential cyberattack before it occurred. This is a cyber version of the Bush administration’s disastrous Preventive War strategy, and like that strategy, involves Washington in exactly the sort of aggressive actions that it condemns and seeks to prevent on the part of others. 

If the Biden administration does respond to espionage with sabotage it will take national rivalry in cyberspace to a wholly new level of danger, and start a potentially disastrous vicious circle of retaliatory attacks. It will give a green light to all future targets of American cyber-espionage to respond with cyberattacks on the United States.

Furthermore, to retaliate in this way would be a clear break with ancient international conventions and with the longstanding policy of the United States itself. For example in 2014, Russian intelligence was credibly reported to have hacked into the emails of the White House, State and Defense Departments. The Obama administration classified this as traditional espionage and did not retaliate.

The planned response to the SolarWinds hack reflects a much deeper problem in the Washington establishment’s attitudes and policy: the belief that the United States can unilaterally set the rules of the international system, and yet set different rules for itself whenever it feels an urgent need to do so. This was never an approach that was going to be accepted by other powerful states. In the area of cybersecurity it makes even less sense, for the internet really is (in many bad ways, alas) a great leveler. To adapt a famous meme: on the internet nobody knows that you are the only superpower.


Russian President Vladimir Putin (ID1974/Shutterstock) and President Joe Biden (Stratos Brilakis/shutterstock)
Analysis | Europe
Golden Dome Iron Dome
Top Image Credit: Israel's Iron Dome anti-missile system intercepts rockets after Iran fired a salvo of ballistic missiles, as seen from Ashkelon, Israel, October 1, 2024 REUTERS/Amir Cohen TPX

Saying the quiet part out loud: All that glitters is not 'Golden Dome'

Military Industrial Complex

As the Trump administration proceeds full speed ahead on its Golden Dome missile defense project, U.S. officials and engineering experts alike suggest it's a next to impossible undertaking.

Gen. Michael Guetlein, Space Force vice chief, likened Golden Dome to the WWII-era Manhattan project, which created the atom bomb. Acting DoD official Steven J. Morani called it a “monster systems engineering problem.” Trump himself compared it to President Ronald Reagan’s 1983 Strategic Defense Initiative (SDI), or “Star Wars,” a space-based defense system that never made it past the drawing board.

keep readingShow less
Thomas Massie
Top photo: U.S. Congressman Thomas Massie (Gage Skidmore/Creative Commons)

Massie interview: Houthi strikes 'not America First'

QiOSK

In an interview this morning with RS, Rep. Thomas Massie (R-KY) said there was clearly "no urgency" for U.S. military airstrikes against the Houthis in Yemen, now in their 13th day. Therefore, the administration should have gone to Congress for authorization and without it, those strikes are illegal.

Massie pointed to Vice President J.D. Vance's contribution to the now infamous signal chat which described the strikes as they were happening. "JD" as identified in the chat, which has been authenticated by the administration, among other points, said that "there is a strong argument for delaying this a month, doing the messaging work on why this matters, seeing where the economy is, etc.”

keep readingShow less
POGO
Top image credit: Project on Government Oversight

The non-empires strike back

Military Industrial Complex

The Bunker appears originally at the Project on Government Oversight and is republished here with permission.

keep readingShow less

Trump transition

Latest

Newsletter

Subscribe now to our weekly round-up and don't miss a beat with your favorite RS contributors and reporters, as well as staff analysis, opinion, and news promoting a positive, non-partisan vision of U.S. foreign policy.