Just how the White House actually plans to respond to the SolarWinds campaign remains far from clear. In comments to CNBC correspondent Eamon Javers, a White House official partially contradicted the Times‘ story, particularly its description of a “cyberstrike” that was later removed from the article’s headline. (The White House didn’t respond to WIRED’s request for comment.)
That confusion may partly stem from internal debate over potential responses, suggests Jacqueline Schneider, a cybersecurity-focused Hoover Fellow at Stanford University. If so, Schneider says, she hopes it’s not too late to steer the White House away from a punitive counterstrike. “My biggest critique would be their framing of SolarWinds as something that was ‘unacceptable,'” says Schneider. Biden, for instance, has described the operation as a “cyber assault” and vowed that he won’t “stand idly by” in its wake. “I think that norm is going to be almost impossible for them to actually build and really, really hard to enforce,” Schneider adds. “And it binds the US’s hands in places where we might otherwise have advantages.”
Instead of retaliation intended to “signal” something to Russia or define a rule that the US won’t want to abide by itself, Schneider suggests that any counterstrike for the SolarWinds campaign should target the hackers’ ability to carry out that sort of operation again. It would look less like an effort to punish the Kremlin—such as an equivalent hack of Russian infrastructure or even economic sanctions—so much as a targeted disruption of the machines or networks used by the SolarWinds hackers themselves. Past examples of that sort of counterstrike would be US Cyber Command’s disruption of the criminal Trickbot botnet, for instance, or the data-destructive attack on the network of Russia’s disinformation-spewing Internet Research Agency. “You make their job harder to do, which makes them invest more resources, which diverts resources from other nefarious things,” Schneider says. “The hope is that this gets them to focus on defense and they have fewer teams allocated towards finding vulnerabilities in, say, electric grids.”
One former US government cybersecurity official described a slightly different approach that he analogized to a “brushback pitch,” the baseball term for a close, inside pitch that forces the batter to back away from the plate. “We’re going to make you duck,” he says. “This ball won’t hit you, but you’re going to know that we’re coming after you and take a step back.”
That brushback tactic may not actually differ from a “retaliation” strike in substance. But framing it as a direct warning or counterstrike to the adversary hackers themselves rather than a norm-setting “punishment” for their bosses in the Kremlin could make that action more effective. “The kind of words that we’re using for these things can matter a great deal,” the former official says.
There are also steps short of a counterstrike that could still prove effective, says J. Michael Daniel, the former cybersecurity coordinator for the Obama administration. The US has tools to send subtle, diplomatic signals to adversaries, he points out. “You could use the cyber hotline that has been established between the United States and Russia and send a message that says ‘hey, we know this is you, knock it off,'” Daniel says. “You can tie up certain diplomatic things that maybe the Russians want at the UN that the US otherwise might not object to but decides to slow roll. There are other ways to express your diplomatic displeasure.”
But ultimately spying, even at the SolarWinds scale, is within the rules of the game, Silverado’s Alperovitch argues. He harkens back to the comments of director of national intelligence James Clapper in a 2015 congressional hearing about the Chinese breach of the Office of Personnel Management, which resulted in the theft of reams of highly sensitive personal data on government officials. Clapper made clear in that hearing that he did not see the OPM breach as an “attack” but rather an act of espionage of the kind the US might well have carried out itself.
“This is a case of ‘good on them, shame on us,'” Alperovitch says, loosely paraphrasing Clapper’s remarks. “Let’s focus on making sure that we make it really hard for them to do this to us again.”
More Great WIRED Stories