President Trump should authorize cyber retaliation in response to Russia’s latest cyberoffensive against the United States. To tolerate what Vladimir Putin’s spies have just done would be to encourage their new acts of aggression. Moscow’s latest affront is serious.
As reported by Reuters, Russia manipulated software updates from the SolarWinds cybersecurity company’s Orion program. Introducing malware into the software, Russia covertly enabled SolarWinds to do its spying work for it. The intrusion is believed to have begun between March and June of this year.
It’s a big win for the Russians, apparently giving the Kremlin real-time, persistent access to information flows across thousands of American public and private entities. It has also granted Russia access to the FireEye security company’s “red team” protocols. Used to test client cyber vulnerabilities, those protocols will help the Russian intelligence services improve their targeting and tactics in anticipation of future offensives. Email systems within the Commerce and Treasury departments are said to have been affected especially seriously in the latest incident. We understand that the attack is believed to have been carried out by a skilled Russian intelligence service actor known as Advanced Persistent Threat actor 29. That unit operates under the auspices of the Russian SVR, Moscow’s primary civilian foreign intelligence service.
What has happened must not go unanswered. Two specific issues are posed here.
First, this creates a significant challenge to the private business interests of SolarWinds and its clients. As much as police forces have a responsibility to protect businesses from physical thieves, the U.S. government has a responsibility to protect businesses from cyber thieves. But in the great scale of this attack, we see a quite obvious thread of Russian disdain for America’s cyberdefenses. Not only did Russia accomplish this scaled-up intrusion, it did so with confidence that its attack would not carry outsize retaliatory consequences. Put simply, Moscow has looted a superstore with impunity and is now laughing at Washington’s complaints. Putin’s spokesman on Monday teased that Russia could not be responsible for this attack because Russia has pushed for a cybersecurity treaty. Dmitry Peskov neglected to mention that this treaty was a totally fake endeavor and was rightly rejected by the U.S. as such.
Russia must be taught a lesson.
Putin’s strategic impulse is to push and keep pushing until he meets pushback. Putin must not be allowed to believe that the U.S. will tolerate attacks such as this one. While Russia’s effort to access and monitor U.S. government communications can be seen as an extension of traditional intelligence activity, that principle cannot apply to the attack’s targeting of so many private civilian interests. Especially since Russia is targeting those civilian interests, not simply to steal proprietary information but to learn how better to disrupt our economy and society during any prospective future cyberconflict. If the U.S. responds to this attack simply with condemnation, attribution, and the leveling of criminal charges against certain SVR officers, Russia will absolutely believe the price of its attack was worth the benefits accrued.
It is for these reasons that Trump should authorize retaliation against Moscow. Such a response could involve, for example, the disruption of SVR mainframes and the communication networks of those Kremlin officials involved in coordinating Russian intelligence service activity. Regardless of the form the response takes, the National Security Agency and the Pentagon’s associated Cyber Command have ample means to impose proportionate cost on Russia. They should be directed to do so. If not, Russia will only pursue more aggressive attacks in the future.
