Cybersecurity experts are still assessing the SolarWinds hack and recent penetrations into government and corporate information systems around the world. Already, seven lessons for leaders stand out.
First, this issue is mostly about Russia. While the United States has played up the China espionage threat in recent years, the sobering reality is that Russia has conducted the gravest cyberattacks against the United States. These have included espionage, criminal actions, and political subversion, in addition to signaling capacity to infiltrate and inflict harm for deterrent purposes. China certainly raises serious concerns, but Russia is far more aggressive in what it dares do against the United States.
Second, American cybersecurity vulnerability is permanent. No matter how much the United States has tried, its level of digital dependence, the pace of technology innovation, the number of networked players, and human frailties, combined with a business culture that rewards greater efficiency, virtually ensure that it will never have total robustness. Natural disasters, human errors, technical failures, criminal actions, and hostile operations will continue to buffet the American digital infrastructure.
Third, American cyberspace dominance is now lost. The National Security Agency and Central Intelligence Agency used to enjoy unmatched digital capabilities to spy and run many covert operations. They still possess far superior capabilities. However, barriers to entry are low and enable even Iran and North Korea to compete in this contest, as well as sophisticated criminal groups and government proxies. Further, Russia has formidable skills along with audacity and higher tolerance for failure.
Fourth, the characterization of cyberattacks poses challenges. Similar cybertools and actions could serve different objectives, like retaliation, espionage, covert actions, political signals, battle preparations, or just unleashed criminality. Nearly all penetrations will be discovered sooner rather than later, and a reasonable assessment of who was behind them will also surface before long, even if a definitive attribution could prove difficult. Yet deciphering the real motivations behind cyberattacks is inherently problematic, while the uncertainty around such motivations also complicates policy decisions for government officials.
Fifth, the benefits of persistent engagement from Cyber Command are overstated, while the risks are overlooked. Cyber Command has touted the virtues of “more proactive” cyberspace operations out of American networks in defense of national security. Operations under these laxer rules of engagement yield considerable benefits. But the premise that more assertive conduct can deter such aggression is unsubstantiated. Further, the SolarWinds hack indicates that others are emboldened to retaliate. It is now the United States that has more to lose.
Sixth, bad deeds in cyberspace hardly ever get punished. The United States is finally learning what other countries have known for a while, namely that cyberspace offers rich opportunities for espionage and criminal actions with impunity. Most of the policy options available to respond to digital intrusions, even when they threaten sensitive secrets or endanger other significant interests, are either undesirable or ineffective.
The absence of a broad framework that defines what actions are wrong certainly makes it difficult to develop policy options that could alter the payoff matrix for the perpetrators and sponsors of these actions, which undermines the role that deterrence could play within this context. The United States should create universal rules, and it has the government assets and economic power to enforce such compliance.
Seventh, resilience matters. The discovery of the recent breaches forced extensive shutdowns of computer systems. This drives home the same ideas the United States should have learned from 9/11, Hurricane Katrina, and the coronavirus, where much depends on contingency plans and an allocation of resources to recover from major disasters through backups, redundancies, insurance claims, or material interventions.
This is true where many important assets are concentrated or otherwise susceptible to a common mode of failure, as with the SolarWinds hack. Robustness of the individual entities does count, but broad supply chain integrity and resiliency measures are essential for our society to live and thrive in the growing digital environment around the world.
Ariel Levite is a senior fellow for the nuclear policy program and the cyber policy initiative based at the Carnegie Endowment for International Peace.