SolarWinds: The Need for Persistent Engagement

Read the original article: SolarWinds: The Need for Persistent Engagement


It’s been a little over a week since news broke of a strategic cyber campaign to exploit the update download of the SolarWinds Orion system administration software. Despite public appetite for concrete information, analysis of the exploit itself should be tempered when dealing with something so complicated and so recent. But what is already known about the SolarWinds attack can be drawn upon to provide a helpful use case example of the potential for cyber insecurity that flows from the very nature of cyberspace and to consider how best to address that insecurity.

Based on how the case is currently being framed by U.S. government public reporting, two major strategic lessons are clear: The United States must accelerate its adoption of the doctrine of persistent engagement across the entirety of its intergovernmental space, and it must advance more swiftly to a whole-of-nation-plus overall strategic footing in cyberspace.

This attack has taken place just as the initial shift in the U.S. government approach to cybersecurity has gotten underway to establish the capabilities, tactics and operations that make persistent engagement effective. Had the doctrine been fully and comprehensively in place, the form of this attack and its consequences might have been different. Why? This attack matches the expectations of the doctrine. And I’m not alone in calling for this change to happen more quickly. The need to accelerate the country’s shift to defend forward and operationally persist aligns with similar findings of the Cyber Solarium Commission’s final report, particularly those discussed on pages 2, 24, 29, 111 and 112.

Some improvements are on the way. Certain provisions within the National Defense Authorization Act passed by Congress in 2020 will allow changes in authorities, agency responsibilities and capabilities to enable continuous cyber operations in defense of the federal government (and beyond). The Biden administration must accelerate U.S. capacity to persist.

Lessons for Whole-of-Nation-Plus

The attack has underscored the need for effective cybersecurity in all components of the federal government. Reports indicate that the locus of compromised systems is in the departments of Treasury, Commerce, State and Homeland Security. If the reporting is correct, this means that the attack hit systems primarily outside the purview of the Department of Defense and its U.S. Cyber Command, whose mission includes protecting the Defense Information Network. Responsibility for protecting the systems of other federal agencies falls to the Department of Homeland Security.

This suggests that consideration should now turn to how the Department of Defense’s defend forward strategy and U.S. Cyber Command’s operational approach of persistent engagement can be extended across these broader U.S. roles, responsibilities and authorities in cyberspace. SolarWinds, in fact, raises the prospect that the current doctrine of persistent engagement is too circumscribed and should be broadened through partnering and adoption across federal government agencies. Persistent engagement is not simply a military approach but should anchor a whole-of-nation-plus orientation in which synergy in the pursuit of cybersecurity exists across four core elements: intergovernmental coordination, alignment between the public and private sectors, and the engagement of one’s citizenry in actively contributing to securing the digital space through their behavior. The “plus” in this model is that the United States must coordinate similar synergy among its allies, because the interconnected nature of cyberspace ties the U.S. closely to them. The United States remains exposed if its allies remain vulnerable to exploitation, and vice versa.

While this bureaucratic issue is critical, broader implications must also be considered.

The New Paradigm in Cyber Strategy

The SolarWinds breach helps to highlight certain realities that U.S. cyber strategy must address.

Let’s accept the current public rendering of this case for discussion purposes. Reporting suggests that Russian cyber capabilities were directed at seizing control of a system administration software update download widely used by U.S. federal agencies and private companies. The goal? To use software updates as the entry point to U.S. government networks. This form of attack was seen in the spring 2017 Russian NotPetya attack in Ukraine, in a war context. SolarWinds can thus be understood as the result of the operational success achieved three and a half years ago, and it exemplifies the fluidity of cyber capabilities development, in which cyber activity developed in one context can open possibilities in a completely different context. While the code is different, the tactical and operational modality of NotPetya created the possibility to seek a new target against a different adversary for an entirely different end—the U.S. is not Ukraine, and U.S. government systems are different from Ukrainian infrastructure. This pattern—same modality, different target, different end—is not unusual but flows from the very nature of cyberspace, and it is a key reason why operational persistence is necessary for security.

It’s helpful here to consider the possible Russian objectives behind SolarWinds. This is where the case can be an enlightening example of the possible, regardless of what future reporting reveals. Achieving the technical ability to exploit is a simple capabilities development. It does not mean a state will or must deploy that capability. So, while immediate technical mitigation of the consequences of SolarWinds must be the priority, it is the Russian calculation to plan and execute the operation that should be the focus of strategists.

And this is the core extrapolation—the Russians could see this operation as a two-level game. There were strategic gains that the Russians achieved as the operation was taking place, and then the Kremlin also made a major strategic gain when the exploit was discovered. Why would you not pursue such an operation in which both operational success and failure produce gains in an overall strategic competition to leverage cyberspace to undermine the advantages the United States might hold relative to Russia?

The First-Level Game

The reported cluster of agencies breached—Treasury, Commerce, State and Homeland Security—points to a potential first-level objective (among others) of critical importance to Russia: the United States’ sanctions policies that continue to hamper Russian economic activity and the financial access and physical movement of Russian leaders. The first three agencies play a major role in U.S. sanctions policy planning and implementation. If Russia could gain direct insight into U.S. sanctions policies, it would enable Russian leaders to anticipate U.S. reactions to policies they might pursue—they might have a window into where the sanctions might be weakening, or into redlines for them to avoid. Why the Department of Homeland Security? Getting into Homeland Security systems would help Russia anticipate whether the operation was being discovered.

At one level, this is traditional espionage activity, but its scale and scope make it something qualitatively different. This is exactly the sort of campaign—leveraging espionage—that historian Michael Warner (now at U.S. Cyber Command) has been arguing is likely to occur because of the access and scale of operations that cyberspace now permits. In a noncyber context, placing a mole in each of these agencies would have been quite a feat. And even if a state could achieve that, a single person could exfiltrate only so much information (even the best-placed human spies of the 20th century, such as Britain’s infamous Cambridge Five, could hardly match what cyber exploitation now makes possible).

But the type of system administration control that the Russian government appears to have achieved through the SolarWinds breach goes well beyond simply extracting information. It means real-time, constant monitoring across the networks of these agencies and the potential to manipulate data and information traveling across them. This is not the simple diversionary tactic of inserting a false paper folder on someone’s desk, but the subtle shaping of information flow at a scale and speed consonant with decision-making processes. Imagine having the ability to subtly alter an analysis of potential sanctions targets, going into the document and dropping a particular sanction from a proposed new list. This means that an otherwise effective policy might be eliminated by Russian actors before it moves up through the bureaucracy to U.S. senior leadership. While there is no indication this has occurred, it is the potential that U.S. strategists must ponder now. There is a comprehensivenes

[…]
