Hidden behind a news cycle understandably dominated by the fallout of the Presidential election and the continued Coronavirus carnage was the revelation that the USA had experienced the ‘worst ever hack’ of its Government. Starting in July of this year more than 40 government agencies, thinktanks, nongovernmental organizations and IT companies were infiltrated by the hackers.
The attack, due to its nature, scale and sophistication has been strongly linked to Russian operatives and poses question as to the rules and norms of cyberwar in the modern age. In essence how does deterrence operate, if at all, when a nuclear armed state spends relatively small resource on a clandestine attack that is hard to prove origin of upon another nuclear armed state?
The scale of the attack and its objectives remain unclear. What is known is that whilst a lot of the cyber threats were associated with the US election itself, hackers managed to access a piece of software known as ‘SolarWinds’ which would then be updated throughout computers in the US Government. By attacking upstream, the hackers could then enter the systems unknowingly of huge parts of the US government.
Multiple office networks are reported to have been compromised including the treasury and commerce departments and Homeland Security. The subtle nature of the attack and the delay in detection means that the window for influence for the hackers is substantial. What were they trying to do? Steal information? Harvest compromising intelligence about individuals that would be used to bribe them. Or perhaps even more nefariously delete or change information.
The Office of Personnel Management was hacked, the private details of many government employees were potentially accessed. These details are reserved for those who have undergone security vetting and are incredibly sensitive. Indeed, the almost infinite options make it hard to narrow down and test. One digital expert speculated one scenario of what would happen if the hackers accessed the health records of Americans and changed the blood types of individuals held on record. Imagine the carnage and danger to life and livelihoods that would ensue.
Yet States who would never dream of a physical attack on the US feel that in the cyber domain they have both comparative advantage; compare the costs of running a hacking outfit versus maintaining an aircraft carrier battle group; and can exploit the lack of rules and regulations that govern this most modern method of conducting conflict through other means.
President Trump has been quiet when it comes to the hack, but President-elect Biden has already set out his stall on pushing back against cyberattacks. “Those who are responsible are going to face consequences for it,” said Biden chief of staff Ron Klain. “It’s not just sanctions. It’s also steps and things we could do to degrade the capacity of foreign actors to repeat this sort of attack or, worse still, engage in even more dangerous attacks.”
We could be entering an era in which the sensitivities and awareness around cyber offense and defensive moves could be considered hostile acts in ways that translate to more conventional actions such as sanctions or even conflict itself. The UK via its ‘Integrated Operating Concept’ have already set out how they believe that conflict is increasingly manifest through competition below the level of war. Cyberwar very much fits into this category and in a highly connected world where there are more smartphones per capita than toilets the chances of this escalating into the new normal of international relations are very real.
The New York Time’s David Sanger describes cyberattacks as ‘the perfect weapon’ explaining that “in less than a decade, they have displaced terrorism and nuclear missiles as the biggest immediate threat to international security and to democracy”. Perhaps the SolarWinds hack, considering the scale and the growing realisation as to the potential damage caused, will lead to a more global conversation around what the rules are around this threat.
Could a Biden administration whilst committing itself to pushing back on those who would attempt to infiltrate US networks, also push for a multilateral mechanism to agree on what the rules of this new game are? In the past years cyber-attacks have played a critical role in undermining the Iranian nuclear programme, so there should be no pretence that the US is an uninvolved party in this new era of warfare. Whilst it is a cliché there can be little doubt that the SolarWinds attack reveals a planet at a crossroads around an understanding and governance of this 21st century weapon system.
By : James Denseiow