Russia's Hack Wasn't Cyberwar. That Complicates US Strategy
The list of US government agencies compromised in the SolarWinds hack continues to expand, with reports of infiltrations at Treasury, Commerce, Homeland Security, and potentially State, Defense, and the CDC. This is a big deal for national security: It is the largest known data breach of US government information since the Office of Personnel Management hack in 2014, and could give hackers a trove of inside information.
Though the scope of this hack is still being determined, such an extraordinary breach begs a fairly obvious question: Is US cyber strategy working? The US has historically relied on, first, a deterrence strategy and, more recently, the idea of “defend forward” to prevent and respond to malicious behavior in cyberspace. Is a failure of these strategies to blame? The answer (like all things political) is complicated.
First off, it’s important to establish what this hack was. The fact that a purportedly nation-state actor (likely Russia) was able to compromise a third party (SolarWinds) to gain access to an as-yet-unknown number of US government networks and exfiltrate data is a significant espionage achievement. And it illustrates how third-party vendors can provide an avenue for threat actors to conduct espionage campaigns at a scope and scale typically not seen outside of cyberspace.