Russia Is Making the Digital Weather and the U.S. Needs a Response

Photo: A SolarWinds logo is displayed on a post from the company as seen on a phone in Portland, Ore., on December 19, 2020, providing security information after a highly sophisticated cyber attack inserted a vulnerability in their Orion Platform products distributed via malware hidden in software updates to 18,000 customers including US government agencies and Fortune 500 companies. The attack was identified last week by cybersecurity firm FireEye who had a number of their hacking tools stolen during a likely state-sponsored espionage attempt. Credit: Alex Milan Tracy/Sipa USA via REUTERS

Russia’s SolarWinds digital hack, and a similarly huge and significant intrusion by China, has sent shockwaves through the U.S. and its Western allies.

But the seeming absence of clarity on a response — what is appropriate and what’s not — was met with a feeling of relief in Moscow. In the long run, the Kremlin’s cyber strategy seems to be working surprisingly well.

Deciding on an adequate response to a cyberattack from a nuclear power has been an extremely fine judgment for years, if not decades. How can you respond to something which is not military action, i.e., an event that cannot usually justify a military response, but instead sits in a grey area bordering conventional espionage, psyops, and an attack on the country’s crucial infrastructure?

For the last five years, the West has been torn apart between two diametrically different approaches to deter cyber offensives from state actors. The first is political and is meant to engage a potential adversary like Russia through mutual cyber confidence building measures, or CBMs. That approach was promoted for years by the veteran diplomats who learned their trade in strategic nuclear arms control negotiations, both Russians and Americans. It spectacularly failed in September 2016 when Michael Daniel, Obama’s cyber czar, used the direct line between Moscow and Washington — an element of CBMs inspired by the Cold War “Hotline” — to pass a message about Russian interference in the U.S. election to his Russian counterpart, a deputy head of Russia’s Security Council. The response, if it can be called that, was silence.

The second approach used law enforcement and became known as the naming and shaming policy, first applied to China’s hackers. The idea was to expose the identities and unit affiliation of hackers. The tactic was applied to Russian military intelligence hackers caught inside the Democratic National Committee servers, and simultaneously, for the first time in history, the officers of the FSB, Russia’s domestic security agency, found themselves on the FBI most wanted list.

This had some limited effect. The Chinese did come to an agreement with the Obama administration to stop industrial cyber espionage (the agreement lasted for two years). But Russia proved to be more difficult: while the FSB cyber unit was purged, nothing happened to military intelligence, and the Kremlin showed no enthusiasm for an agreement with the U.S.

And soon, Russia’s secret services felt that the tide was turning. While the U.S. imposed more and more sanctions on Russia, it inevitably followed that the West would lose trust, and indeed belief, in its traditional contact agency – Sergey Lavrov’s Foreign Ministry. What was the point in talking to Lavrov and his officials about the most sensitive issues, from Ukraine to Syria to cyber operations? The void was filled, paradoxically, by Russia’s secret services. If you cannot trust a country’s diplomats, you still talk to its spies because cooperation must continue in some areas like counterterrorism. Thus, the heads of all three of Russia’s spy agencies found themselves invited to Washington in early 2018. Russia’s top spies will also have registered that U.S. naming and shaming was applied in an arbitrary manner: it was widely accepted that in 2016 two Russian spy agencies hacked the DNC, but the Mueller report provided an expose on only one, military intelligence, and said nothing about a second — the FSB. This agency, coincidentally perhaps, is America’s main partner in counterterrorism cooperation.

In the meantime, more Russian attacks followed, both online and offline, and these became ever-more daring. With Russian activity proliferating, some Europeans started questioning the wisdom of the American approach. First were the French — in November 2019 Paris sent the French ambassador for digital affairs to Moscow to start bilateral talks. On the sidelines, the French diplomats were quite outspoken in questioning the effectiveness of naming and shaming and believed it had ceased to work. Moscow was perfectly happy, since it always favors bilateral rather than a unified Western strategy. Over the following months, more European countries tentatively sought a bilateral approach in cyber relations with Moscow, but then everything just stalled, with diplomats visibly confused over what to do next.

And just as before, Moscow’s cyber teams busily continued their work. Last week, Andrei Krutskikh, Putin’s Special Representative on International Cooperation in Information Security, claimed to have scored an unprecedented success for the Kremlin. Krutskikh is a seasoned Russian diplomat, who previously helped to create the CBMs which failed so spectacularly in 2016.

Over many years, he had worked incessantly to make the U.S. and its allies sign a Russian-sponsored document under the auspices of the United Nations on cyber. The document could be meaningless and involve no obligations for its signatories — the Kremlin only sought a U.S. signature on a cyber agreement so that it could change the widely repeated mantra that Russia is an international cyber offender. And this is exactly what happened on March 13, when 193 countries, including the U.S., approved a report by the UN Open-ended Working Group on Developments in the Field of Information and Telecommunications, established at Russia’s insistence.

In the meantime, the Kremlin relaunched its attack on American social media within Russia, first slowing Twitter to a crawl and now threatening to block it entirely within a month.

President Putin and his aides wait to see whether the Biden administration has any new strategy to counter its behavior. So far, every U.S. strategy has failed or was so languid that it was devoid of credibility, even for American allies.

March 24, 2021