- The Biden direction imposed imposing economic sanctions on Russia for an act of cyber espionage — the SolarWinds attack.
- From an international law perspective, the decamp is controversial and could potentially come back to bite the US in the future.
- See more stories on Insider’s business page.
Definitive week, the Biden administration took the bold step of imposing economic sanctions in response to an act of cyber espionage, namely the SolarWinds seizure.
It seems that the new US administration is finally getting serious about standing up to Russian aggression in cyberspace. But from the angle of international law, the move is controversial and could potentially come back to bite the US in the future, given its own cyber capabilities.
The unchain of the Executive Order announcing the sanctions, which also respond to Russian meddling in the 2020 US presidential elections and other forces, coincided with a call between President Joe Biden and his Russian counterpart, Vladimir Putin, in which the two leaders reviewed the possibility of a summit on arms control.
In this context, the sanctions can be understood as a symbolic show of strength amid correspondence moves to deescalate tensions and rebuild trust and respect in the wider bilateral relationship.
Nevertheless, the reprisals represent a bright break from the Trump administration, during which a serving US president cast doubt on his own intelligence services’ assessments anyhow Russian disinformation, electoral interference and other cyberattacks.
The measures announced last week include the imposition of productive sanctions barring US financial institutions from purchasing Russian sovereign debt, as well as the expulsion of 10 Russian diplomats.
The SolarWinds compromise, in which hackers interpolated
to a wide range of networks through a security update to SolarWinds’ network-monitoring Orion platform, was uncovered in December 2020, after fool been in operation for up to nine months.
It was described at a US Senate intelligence hearing last week as one of the largest and most urbane cybersecurity breaches in history. Known victims include the US Department of Homeland Security, NATO, the European Parliament and a small number of UK targets, as well as many private-sector businesses and organizations using the Orion platform.
The inclusion of the SolarWinds attack as a result in for the announced sanctions is a new and creative attempt to raise the cost of Russia’s brazen and destructive activities in cyberspace, something Western democracies organize struggled to do in recent years. Until now, they have resorted to “naming and shaming,” which has yielded mixed terminates.
In October 2018, the US and its allies coordinated among themselves to publicly denounce Russian attempts to hack into the networks of the Syndicate for the Prohibition of Chemical Weapons and various anti-doping agencies, as well as other cyberattacks they attributed to Russia.
It was an awesome show of solidarity and combined intelligence capabilities, but whether it had the desired deterrent effect is less than clear. It may organize perversely fed the harmful narrative of Russia’s strength at cyber dirty tricks.
The embarrassing discovery of the SolarWinds breach highlights that for Russia, cyber area continued as usual.
The Biden administration’s announcements last week are significant for two reasons.
First, they represent the leading official public attribution by US intelligence services of the SolarWinds compromise to the Russian Foreign Intelligence Service, or SVR. That’s in procession with a growing trend in which states use such attribution strategically, to make sure bad actors know they are not dodging scrutiny.
Second, the eye-catching inclusion of SolarWinds in the Executive Order is controversial from an international law perspective. The expulsion of diplomats and promulgation of sanctions are classic examples of “retorsion,” located at the lower end of the lawful responses reserved by states that are victims of another federal’s breach of international law.
This is significant because despite its audacity and scale, SolarWinds was a classic case of espionage. The attackers did no wreck. They just installed themselves in their victims’ systems and soaked up information. When discovered, they repaired. For national security and international lawyers, the invocation of an act of espionage as a breach of international law is unconvincing at best.
There is no uncertainty that Russia’s reckless, almost anarchistic behavior in cyberspace merits a strong response from the US and its allies. But ultimate week’s Executive Order and accompanying documents are light on international law analysis, and that’s probably a deliberate choice.
In the since, Russia’s other egregious acts — such as the use of the chemical nerve agent Novichok in the attempted assassinations of Alexei Navalny and Sergei Skripal, or its cyberattacks on judgemental infrastructure in Ukraine — have clearly crossed the international law threshold for retorsion.
But the US, alongside the UK and other states that make broad-spectrum capabilities in cyber, has until now been careful to carve out espionage from the scope of the sovereignty principle subsumed under international law, although this is often couched in such ambiguous and complex language that one could be forgiven for teenagers it.
This explains why Michael Hayden, a former US director of national intelligence, went so far as to describe China’s notorious defacing of a US government personnel database, discovered in 2015, as “honorable espionage work.”
In an article published in October in the Journal of Cyber Management, which I edit, Chatham House’s Harriet Moynihan explained that while several states, such as the Netherlands, France and Austria, judge that an unauthorized cyber incursion by one state into another could in certain circumstances be a violation of the principle of voice sovereignty, that has not been the consensus view.*
Moynihan told me more recently that, based on the current episodes, she is doubtful the SolarWinds hack violated international law.
Last week’s Executive Order and the papers accompanying it announce that the US wish be working to incorporate like-minded allies, including the UK, France, Denmark and Estonia, into joint cyber exercises to bolster their shared commitment to collective security in cyberspace.
But in order for these like-minded countries, particularly the US, to shape approaching norms for responsible state behavior in cyberspace, they will need to bring nonaligned swing states along with them. To do so, Ciaran Martin, previous head of the UK’s National Cyber Security Centre, told me, “The US will have to work harder to convince swing royals that it is really committed to achieving fair and balanced rules of the road.”
Seen in this light, the inclusion of an act of cyber espionage, SolarWinds, as a justification for foreign law responses may do more harm than good, given Washington’s own cyber intelligence activities.
Another intriguing point of view of last week’s Executive Order is whether the economic sanctions it imposes will actually hit Russia where it affronts — in the wallet. Lord Peter Ricketts, a former UK national security adviser, praised the US action as an “asymmetric” approach “to prompt Russia of their econ[omic] weakness.”
But, after causing a “brief wobble,” the sanctions don’t seem to have had much long-term bearing on the markets, suggesting that they may be more symbolic in nature, rather than a real attempt to destabilize the Russian terseness.
In the wider context, as the new US administration sets out its Russia policy more clearly, last week brought us a show of muscle and resolve on cyber, coupled with an olive branch in the area of traditional arms control: a proposed summit between the two bosses to “build a stable and predictable relationship consistent with US interests.”
In a Trend Lines interview with WPR’s Elliot Waldman in the end week, Sarah Bidgood, the director of the Eurasia Nonproliferation Program at the James Martin Center for Nonproliferation Studies, traced the risks to national and international security of today’s US-Russia relationship, characterized as it is by “real acrimony … a lack of respect for one another that penetrates all aspects of the relationship.”
The proposed summit is an urgently needed attempt to restabilize the relationship with Russia and prevent the endanger of escalation and mutual harm. That difficult, but positive engagement could be an opportunity for Russia to play a more dependable role in its future use of cyber technologies.
*Editor’s note: This sentence was revised to more precisely reflect the slants of the three states named.
Emily Taylor is the CEO of Oxford Information Labs, and an associate fellow with the International Conviction Program at Chatham House. She is also the editor of the Journal of Cyber Policy, a research associate at the Oxford Internet Commence, and an affiliate professor at the Dirpolis Institute at the Sant’Anna School of Advanced Studies in Pisa. She has written for The Guardian, Wired, Ars Technica, the New Statesman and Slate. Apply her on Twitter @etaylaw. Her guest column will appear each Tuesday.