To call the revelations about Russia’s devastating cyberattack on U.S. government agencies and thousands of American businesses chilling would be a gross understatement. What is even scarier, though, is that despite wave after wave of Russian-sponsored cyberattacks on the United States and its allies for more than a decade now, Washington still apparently lacks the political will to defend against this Russian aggression.
It is possible and even probable that this latest attack will provoke a strong response from the U.S. and its allies, as some have suggested. As well it should. After all, the breach of the network monitoring software made by Texas-based SolarWinds, which has been widely attributed to Russia’s SVR intelligence agency, targeted the digital information architecture of several federal agencies, including the National Security Agency and the departments of Homeland Security, Treasury, Commerce and State. It also affected an estimated 18,000 companies with SolarWinds accounts, including several on the Fortune 500 list.
Over the coming weeks and months, the scope and scale of the cyberattack will become clear. It has already produced fallout for SolarWinds’ longtime CEO Kevin Thompson, who announced his resignation last week. And if news reports are any guide, the Russian hack could trigger a federal investigation into suspected insider trading, since some SolarWinds shareholders apparently cashed in right before news of the breach became public. But it is easy to imagine much worse scenarios. Second- and third-order effects of the cyberattack might include, for instance, leaks of sensitive information—or worse, sabotage of America’s critical infrastructure, such as electrical grids or banking systems.
Yet given the U.S. government’s poor and well-documented track record to date on developing and implementing a comprehensive strategy for cyberspace, it is also equally possible and far more likely that whatever immediate response the outgoing Trump administration and the incoming Biden administration come up with, it will fall well short of what is required to mitigate the risks of more attacks. That is because what is really needed is not just a response from the White House, but legislative action from Congress, an institution that has failed time and again to develop a sound cyber strategy or build proper cyber defenses. Instead Congress has allowed the politics of the petty, personal and partisan to paralyze this country in its time of greatest crisis.
While the latest move in Russia’s global cyber offensive exposed a fatal flaw in the way Washington formulates its national security priorities, it also reflects a major Kremlin miscalculation. There is a lot of noise around the signal Moscow keeps trying to send with these attacks. But what still comes through clearly is a misplaced belief among Russian leadership that there will be no more costs or consequences for its continued provocations. What President Vladimir Putin apparently fails to see is that the further up the escalation ladder Russia’s security agencies climb with their cyberattacks, the more likely it is that Russia’s sovereign wealth will wind up in America’s crosshairs, through retaliatory sanctions and other financial restrictions.
More ominously, the options in terms of non-military responses narrow considerably after that. No one on either side wants to go there, and everyone in the middle—the European Union especially—is rightfully afraid of such an outcome. But it is not hard to imagine that the release of sensitive data acquired from the SolarWinds breaches, or a second wave attack, could trigger such a scenario. Even if the outcomes were more subtle—say, a series of slow-burning and targeted attacks against American citizens and institutions, or against allied states that Moscow deems particularly troublesome, or, perhaps, leveraging stolen data to foment discord among NATO members—more cyberattacks attributed to Russia will only harden the position of hawks who might advocate for military escalation.
Putin is correct to surmise that any U.S. calculations about retaliating against these cyberattacks will always factor in other challenges, like the multitrack diplomacy required on everything from nuclear weapons to space to climate change, for which the U.S. still needs Russian cooperation. It is folly, however, to assume that the divide and conquer tactics Russia has fomented through its global disinformation campaign will lead to permanent American paralysis. With systemic attacks on supply chains or critical infrastructure, it only takes one misstep to produce catastrophic collateral damage or real human casualties. In fact, the hollowed-out state of American diplomacy after four years of Donald Trump should scare Putin more than it does, because ever since 9/11, the Pentagon hammer has rarely seen a nail it doesn’t want to pound.
Americans should be even more scared, especially Wall Street. In fact, a brief review of how we got here might be useful. The internet has been up and running since 1969, when it was first developed by the Pentagon’s Defense Advanced Research Projects Agency, or DARPA. When Tim Berners-Lee invented the World Wide Web in 1989, he transformed what was a rather clunky, albeit advanced, telecommunications system into a world-shattering, paradigm-shifting technological juggernaut. Since then, there have been hundreds, if not thousands, of state-sponsored cyberattacks, according to the Council on Foreign Relations’ handy cyber operations tracker. At the same time, the digital revolution and birth of the online marketplace have generated billions for Wall Street, and trillions for the American economy. That doesn’t mean it will remain that way forever.
The data would seem to indicate that China, Russia, the U.S. and Iran stand out as the biggest players on the pitch when it comes to cyber operations. Yet to date, not one of these countries has stepped forward to say that it’s time to hold a global summit on the future of cyberspace. All that has been done is a lot of tinkering and dickering with policy nonstarters at the United Nations. There has been zero bold thinking—just a lot of authoritarians genuflecting in front of the false god of “cyber sovereignty” and chaotic clutch plays from more democratically inclined states. This state of affairs is likely to continue for the foreseeable future, despite all its risks.
Only time will tell whether the perilous state of America’s cyber defenses and the pitiable lack of a national strategy to safeguard its supply chains from asymmetric attacks further accelerates America’s decline as a major world power. At least some part of the problem can be attributed to the appalling ignorance at the federal, state and local level of the technological innovations that drive the American economy and what it takes to protect them. No doubt, the power-hungry habits of a tech industry that has repeatedly resisted calls to work in earnest with government to build comprehensive solutions to managing cyber risks are also partly to blame. At bottom, however, the torpid U.S. government response to state-sponsored cyberattacks screams out for a wholesale rethink of what constitutes American vital interests.
There are plenty of good ideas out there for shoring up America’s cyber defenses. This latest attack will surely only serve as a rallying cry in support of the consensus view that the most urgent work is needed at the federal level. One of the best ideas to surface in the last couple days comes from the head of the Stanford Internet Observatory, Alex Stamos. He has urged the U.S. government to form “the cyberspace equivalent of the National Transportation Safety Board” that, instead of looking into the causes of plane crashes and train wrecks, “would track attacks, conduct investigations into the root causes of vulnerabilities and issue recommendations on how to prevent them in the future.”
In the near term, the COVID-19 recession might make it tough to build support for that, but think tanks, research organizations and industry associations would do well to get the conversation started about what this cyber security board would look like. In the longer term, Congress needs to get cracking on the ambitious legislative agenda laid out by the congressionally mandated Cyber Solarium Commission. The future of American national security depends on it.