By: Josh Asabor, YLS ’23

Richard Boscovich, Assistant General Counsel for the Microsoft Corporation’s Digital Crimes Unit, has described the SolarWinds intrusion as a primary driver in permanently changing the landscape of cybercrime. Speaking on a panel on “Criminal Law Enforcement Across National Borders” at the Yale Cyber Leadership Forum in 2021, Boscovich said the attacks compromised the very backbone of both private and governmental cyber infrastructure, shaking the post-SolarWinds world to its foundations. When such an attack is analyzed in the context of broader national security policy, and when one considers the growing potential for cybercrime and cyberattacks, whether state-sanctioned or independent, to cripple a sovereign nation’s public infrastructure, questions arise as to how a world power like the United States should respond to and deter technology-based aggression moving forward.

This paper begins by providing an overview of the SolarWinds attack and highlighting the factors that made it unique and groundbreaking. It then outlines the U.S. response to the attacks and what that response reveals about broader U.S. policy with respect to cyberwarfare. Finally, the paper concludes by briefly exploring a path forward for United States cybersecurity policy, referencing Germany’s contemporary approach and the decades-old Cold War framework of risk mitigation and deterrence in the context of nuclear warfare.

The SolarWinds Intrusion

In the spring of 2020, SolarWinds, a Texas-based company, released a routine update to users of its software offering known as Orion, a network monitoring platform that serves as a “watchdog” for an organization’s network. The update was intended to provide “bug fixes, increased stability and performance improvements,” and all customers needed to do was log in and wait for the update to download to their servers. However, hackers, now assessed by the U.S. government to be working at the behest of the SVR, Russia’s foreign intelligence service and the rough equivalent of the CIA, had compromised SolarWinds’ software build process and inserted malicious code into the legitimate, digitally signed Orion update. That tampered update became the vehicle for what Microsoft’s president called the “largest and most sophisticated attack” in history.

According to SolarWinds president and CEO Sudhakar Ramakrishna, nearly twenty thousand customers downloaded the corrupted code between March and June of 2020. However, the malicious code only functioned under specific prerequisite circumstances, which helped limit the damage. For the backdoor to work as designed, customers needed to install and deploy the update, and the compromised systems needed outbound internet connectivity so that the implant could reach the attackers’ command-and-control infrastructure; installed on an isolated network, the backdoor could be present without being usable. Even so, the hack successfully infected the networks of hundreds of private companies and government agencies, including Microsoft, Intel, Cisco, the National Institutes of Health, the Departments of State, Homeland Security, Justice, the Treasury, Commerce and Energy, and perhaps most alarmingly for U.S. officials, the Pentagon itself.

While Russia’s full intentions behind the attack are still contested by global experts, it is clear that the breach targeted, and had the potential to cripple, the United States’ vulnerable public infrastructure and national defense apparatus. SolarWinds is unique because it demonstrated that cyberwarfare can rival the destructive potential of more traditional and dangerous forms of warfare. The attack also unearthed several important questions about the United States’ ability to defend against such intrusions and about the nation’s current priorities. As The New York Times pointed out, a likely factor in the hack’s success was the government’s emphasis on defending the integrity of the 2020 presidential elections. Did policymakers mistakenly deprioritize important supply chain protections in agency networks in order to avoid the embarrassment of foreign involvement in yet another presidential election cycle? Additionally, we also know that because the hackers managed the attack from servers based in the U.S., legal prohibitions intended to protect the constitutional rights of Americans prevented the National Security Agency from leveraging its surveillance capabilities domestically to identify the foreign actors. How can concerns around due process coexist with the need for the government to anticipate threats of a new kind in the future?

These unknowns will likely serve as the foundation for several books and articles, and United States officials will need to engage with such considerations for years to come. Another key question, and the one this paper begins to grapple with, is how the United States responded to the breach and what that response signals about its policy moving forward.

U.S. Responses to Russia’s Purported Aggression

The United States’ initial response to the attacks was underwhelming, “muted and bureaucratic” in nature. While the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings to agencies to prevent further damage from the hack, the White House remained conspicuously and deafeningly silent in the immediate aftermath. Then-President Trump’s refusal to engage with the attack may have been driven by a hesitation to criticize an act of espionage that resembles the National Security Agency’s own activities abroad. However, as Kristen Eichensehr notes, the SolarWinds attack was game-changing because of the “serious risk” that the intrusions could have gone beyond espionage and into the realm of disruption and destruction.

United States policy under the Biden Administration seems to reflect a clearer understanding of the distinction between the SolarWinds attack and previous attempts at cyber-based espionage. In April of 2021, the White House announced that it was expelling 10 Russian diplomats from American soil and imposing a host of new sanctions on Russian individuals and assets. The order also places significant restrictions on Russian sovereign debt, making it harder for the Russian government to raise money and find external support for its currency. This signals that the United States views the breach not merely as conventional espionage, but as an attack that constitutes a legitimate threat to U.S. sovereignty, just as a strategically deployed warhead might.

U.S. Policy Moving Forward

The responses outlined above, however, do not represent a sufficiently radical departure from the United States’ recent posture towards cyber threats. Under the Obama Administration, the Department of Defense was largely defensive and reactive in its response to cyberattacks. More recently, largely due to President Trump’s efforts, the United States has invested billions of dollars in offensive cyber activity. Yet the new apparatus intended to make the U.S. more proactive and offensively minded in the realm of cyberwarfare failed to prevent or mitigate the SolarWinds attack. Even the United States’ longstanding “incursions into Russia’s electric power grid” failed to deter the Russians. This raises the question: do these business-as-usual policies adequately meet the risks posed in a post-SolarWinds world, or is a more dramatic shift in U.S. posture required?

As cyberattacks become more sophisticated, with a potential for destruction that rivals and may even surpass more traditional means of warfare, the status quo U.S. response is likely inadequate and unsustainable. In the near term, the U.S. might be well served to follow the lead of Germany in its attempt to apply existing international law in assessing potential forms of engagement when responding to cyberattacks. In a position paper penned by Germany’s Foreign Office, Ministry of Defense and Interior Ministry, Germany explores several response options to a destructive cyberattack that threatens the sovereignty of a state, such as election interference or an intrusion into vital infrastructure systems. Three key options explored are retorsion, countermeasures, and the plea of necessity. Retorsion covers responses that are unfriendly but lawful in themselves, such as denying the offending state access to cyber infrastructure in the responding state’s territory. Countermeasures are more contentious: they would be unlawful in themselves, and are excused only because they respond to another state’s prior unlawful act. According to Germany, states must be careful to ensure that any countermeasure complies with international limits and standards, such as proportionality. Finally, the plea of necessity permits an otherwise unlawful response, subject to fewer limits than countermeasures, where it is the only way to avert a “grave and imminent” danger. What Germany’s paper does not conclusively answer is whether such measures may be non-cyber in nature. This is less a failure in Germany’s thinking than a reflection of a gap in traditional international law with respect to cybersecurity.

While Germany’s position represents a sophisticated application of preexisting law to a new form of warfare, all of its considerations are inherently responsive in nature. How might the U.S. borrow from the Cold War framework in order to more effectively deter attacks and mitigate their risk? In 2019, the congressionally chartered Cyberspace Solarium Commission, inspired by Eisenhower’s 1953 Project Solarium, began its work, and a major point of its discussion was the nation’s strategy around cyber deterrence. In its March 2020 report, the commission recommended diplomacy-centered deterrence initiatives, such as collaborating with other states to build international cyber norms and streamlining bureaucracies to allow for easier collaboration in responding to attacks. Much of the discourse around deterrence still focuses heavily on responses and on leveraging the threat of retribution to lessen the incentives for cyberattacks. This is a potentially problematic approach, though, as cyberattack capabilities grow more potent in their destructive potential.

Applying current international law as Germany has, and looking backwards to learn from Cold War policy, are helpful in beginning the conversation. However, the limits of both schools of thought, as well as the questions they leave unanswered, are evidence that a new framework of conflict law for cyberwarfare is likely required. Such a codified standard would empower states like the U.S. to defend themselves effectively from attack without violating universal standards of human rights and conduct in conflict, and without risking a never-ending cascade of escalations.