It’s simpler to list the agencies that have not been caught up in the SolarWinds infiltration, which was run by the Russian hacking group APT29 under the umbrella of Russia’s foreign intelligence service, the SVR. So far, only the intelligence community has not been reported to have been breached.
The goal of the operation appears to have been the exfiltration of data and digital tools from the targets. The attackers compromised the software supply chain of the ubiquitous SolarWinds Orion program, a network monitoring tool, inserting a backdoor into an update released months ago that customers then installed through the normal update channel. Once inside the networks, the attackers were able to maintain a persistent presence. The scale of the breach is underscored by reports that SolarWinds employees engaged in a massive sell-off of stock prior to public disclosure of the compromise.
The impact of the operation is currently unknown. Overall, the likely outcome seems similar to that of the Office of Personnel Management (OPM) hack of 2015, which resulted in the massive theft of unclassified government data by China but without any clear use of the data by Beijing in the subsequent years. But the SolarWinds breach will have second- and third-order effects. Already, FireEye’s Red Team tools have been stolen through the SolarWinds compromise and could be turned against other systems by the attackers or by anyone else who obtains them. The key thing to remember at this point is that the operation appears to have been used to extract information rather than to insert or destroy data within government systems, even though a backdoor with this level of access could in principle do either; affected organizations therefore need to verify the integrity of their systems, not only assess what was taken.
The SolarWinds operation illustrates the evolving nature of modern great power competition, in which rival states employ cyber strategies to steal secrets as well as to conduct limited operations meant to disrupt and degrade. Though media reports often characterize cyber operations as attacks, many operations are better thought of as instruments of political warfare and weak forms of coercion that do not seek destruction. Most cases involve stolen data or limited disruptive effects. There appear to be key firebreaks that limit escalation in cyberspace, keeping it a realm of covert and clandestine operations as opposed to decisive battles.
We have worked with Ryan Maness of the Naval Postgraduate School to compile the Dyadic Cyber Incident Dispute Dataset (DCID), which tracks all known cyber actions between rival nation‐states from 2001 through 2016. Based on an examination of the SolarWinds operation alongside the other operations in this dataset, the operation appears similar to past Russian and Chinese network infiltrations like the aforementioned OPM hack or APT29’s prior operations against the State Department and other government agencies. Great powers use cyberspace to alter the balance of information and gain an advantage in long‐term competition. In this manner, espionage supports broader coercive campaigns and crisis bargaining, helping each side either signal in the shadows or determine the capabilities and resolve of its rival.
The SolarWinds operation suggests that U.S. Cyber Command’s vision of persistent engagement, which calls for preventively imposing costs on adversaries to shape competition in cyberspace, has not worked as expected. Persistent engagement and hunting forward on Russian networks apparently did not do enough to change the cost-benefit or risk calculations of Russian hackers targeting U.S. networks and did not dissuade Moscow from conducting one of the largest data heists in history. The same dynamic played out with respect to election hacking. Despite actions aligned with the persistent engagement posture meant to stop foreign groups from waging sophisticated social media campaigns and probing U.S. election infrastructure, Russia, China and Iran were all caught trying to interfere in U.S. domestic politics.
Punishment strategies, that is, strategies that seek to impose costs through constant operations as a matter of public policy, are self-defeating in cyberspace, because they rest on no wider conception of how the adversary will react. Hunting forward is no guarantee of preemptively disrupting ongoing operations, and it does not impose the clearly signaled costs on the opponent that would be needed to dissuade limited cyber operations in the realm of espionage.