The months-long cyberattack on SolarWinds’ Orion software, used by most U.S. government agencies and hundreds of U.S. companies, is the latest proof that our efforts to deter such attacks have failed. We need a national policy to create, maintain and publicize an effective deterrent.
SolarWinds, a Texas company, makes the Orion software used to manage computer networks. Its administrative functions are many and varied. For example, it tests whether servers are functioning properly, controls passwords and troubleshoots the network. To do so, it necessarily has access to all data on the network and individual devices.
The cyberattack on SolarWinds’ Orion software package probably began in March 2020. It was months before the attack was acknowledged and its enormous penetration of government and industrial computer networks publicized. Cybernetworks in other nations, such as the United Kingdom, were reportedly also subjected to this attack.
Orion is ubiquitous in government agencies and large corporations. The attack can’t be countered by removing the Orion software because of its prevalence: removing the software would be like removing Microsoft Windows.
Let’s dispense with the misleading and inaccurate terms “hack” and “hackers” in connection with attacks such as these. Those terms evoke images of college kids in mom’s basement invading government or commercial computer networks to see how much they can get away with.
Cyberattacks such as the SolarWinds attack are perpetrated by professional cyberwarriors at the order of their nations and are intended to spy on our government and industry, to intimidate and, probably, to plant other malware that can be activated in time of war to kill people and to render key infrastructure, such as power grids, inoperable. Some equate cyberattacks such as the Orion one with acts of war. That’s not quite right either.
Acts of war take lives or cause major damage to national infrastructure. For example, the 2007 Russian cyberattack on Estonia, which effectively prevented Estonia’s government from functioning, was an act of war. The Orion attack was intended to intimidate, to conduct espionage, to steal intellectual property but not to kill or damage infrastructure upon which we depend.
The SolarWinds cyberattack was far more sophisticated than any amateur could perform. The attack used “malware” — the kind of computer software used for espionage and sabotage — to penetrate networks using Orion and gain access to everything they contained. At this point, experts do not believe that top-secret information, such as contained in the Joint Worldwide Intelligence Communications System, was compromised. But that, too, is uncertain.
Secretary of State Mike Pompeo said that the SolarWinds attack was perpetrated by the Russian government. He’s probably right. One cybersecurity expert I spoke with said that Chinese cyberattacks usually leave digital fingerprints that are traceable back to their origin. Russian cyberattacks are usually far more sophisticated. This one, he said, was so “elegant” that Russia, almost certainly, was the perpetrator.
In 2015, Adm. Mike Rogers, then-director of the National Security Agency and commander of U.S. Cyber Command, told the Senate Armed Services Committee that our level of deterrence of cyberattacks wasn’t deterring anything. He added that there was a strong, direct linkage between individual “hackers” and the nations that they worked for, such as Russia, China and Iran.
Why, five years later, does our deterrent still fail to deter cyberattacks such as the SolarWinds attack? Tens of thousands of attacks on U.S. defense and industrial computer networks happen every day. For an enemy to be deterred from attacking us, it has to be convinced that it will suffer damage as great or greater than it inflicted on us. Because none of our enemies evidently believe that, we have to convince them otherwise.
To create an effective deterrent requires four types of action.
First, our cyberwarriors at U.S. Cyber Command, the NSA and the CIA need to begin a coordinated campaign of counterattacks against those who attack our defense and intelligence computer networks. We know how to identify and then devastate attackers’ computer networks and should do so in every instance as quickly as the attackers are identified. Those who attack our other government agencies should be dealt with similarly, though at a lower priority.
We need not always counterattack the network the attacker used; we can also strike other networks through which we can inflict proportional or greater harm on the attacker.
Second, we should extend our retaliation on behalf of essential commercial activities. We know, for example, that both Russia and China tried to infiltrate the computer networks used in developing our COVID-19 vaccines. They cannot be allowed to do so with impunity.
Third, it is essential for the president to state publicly our doctrine of retaliation. The Cold War doctrine of “mutually assured destruction” was effective because it was our national policy.
Fourth, our deterrence strategy should require that whichever government agencies and individual people are responsible for these attacks should be named publicly. Foreign government agencies that engage in these attacks should be added to the State Department’s list of Foreign Terrorist Organizations. Individuals who organize and perpetrate these cyberattacks should also be designated as terrorists.
It’s a massive understatement to say that the cyber world resembles the Wild West. It’s long past time for the cavalry to ride in and impose order.
• Jed Babbin, a deputy undersecretary of Defense in the George H.W. Bush administration, is the author of “In the Words of Our Enemies.”