The White House has continued its response to what has become widely known as the ‘SolarWinds hack’ with an Executive Order primarily aimed at improving the cyber security of the US public sector. This followed last month’s formal attribution of a wide-ranging cyber espionage campaign against high-value businesses and government agencies in the US and other countries to Russia’s Foreign Intelligence Service (SVR).
The UK has supported the US’s stance regarding attribution. On 15 April, the Foreign, Commonwealth and Development Office and the National Cyber Security Centre (NCSC) joined the US government in formally attributing the SolarWinds campaign to the SVR. This signifies a continuation of London’s existing approach to ‘name and shame’ Russian cyber operations.
However, despite the UK also having been a victim of the SolarWinds campaign, the UK government has not joined the Biden administration in using retaliatory financial sanctions and diplomatic expulsions to impose costs on Russia for its behaviour. There are a number of explanations for the UK’s different behaviour, but arguably the most significant is that the SolarWinds episode has not resonated as a political issue in the UK with the same intensity as it has in the US.
The SolarWinds campaign
The SolarWinds campaign was not one single operation, but employed a variety of infection vectors and tactics to collect intelligence on public and private sector targets in the US and other countries.
The central aspect of the campaign involved an operation against the customers of what was until recently a little-known software company called SolarWinds, which supplies tens of thousands of businesses and public sector organisations. The intrusion exploited weaknesses in the software supply chain that underpins the IT infrastructure of governments and businesses. A supply chain compromise involves a threat actor compromising an IT hardware or software supplier to gain access to their clients. This enables state actors and cyber-criminals to conduct operations at scale and facilitate follow-on activities, ranging from cyber espionage to sabotage.
The campaign unfolded over at least 12 months, reportedly beginning in January 2019 when the SVR gained access to SolarWinds through unknown methods. In January last year, it compiled and deployed a backdoor, dubbed SUNBURST, to SolarWinds’s Orion (a type of network management software) build process. The backdoor was then delivered to approximately 18,000 Orion customers via software updates. After selecting the most valuable targets, the threat actor then installed one of several additional malware variants to harvest information. Publicly available evidence suggests the SVR likely intended to gather political and economic intelligence.
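The detection gap the paragraph above describes is that a backdoor compiled into the vendor’s own build process ships with a perfectly valid vendor signature, so signature checks alone cannot catch it. The following added example (not code from the original commentary, SolarWinds or any vendor) shows the defender-side check that does: comparing the shipped artefacts against an independent rebuild of the same tagged source. File contents, file names and the HMAC-based stand-in for a code-signing key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample artefacts (not real SolarWinds files): what the vendor's
# build server shipped, and an independent rebuild of the same tagged source.
VENDOR_BUILD = {
    "Orion.Core.dll": b"core module v1",
    "Orion.Plugin.dll": b"plugin module v1" + b"<code inserted during build>",
}
CLEAN_REBUILD = {
    "Orion.Core.dll": b"core module v1",
    "Orion.Plugin.dll": b"plugin module v1",
}
# Hypothetical signing key; HMAC stands in for the vendor's code-signing key.
SIGNING_KEY = b"vendor-release-key"


def manifest(files):
    """Map each file name to the SHA-256 of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def sign_release(files, key=SIGNING_KEY):
    """Sign the canonical manifest, as a release pipeline does after the build."""
    canon = "\n".join(f"{n} {h}" for n, h in sorted(manifest(files).items()))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def signature_valid(files, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign_release(files, key), signature)


def mismatched_files(vendor_files, rebuild_files):
    """Files whose shipped hash differs from the independent rebuild, plus files
    present on only one side (an extra DLL is as suspicious as a changed one)."""
    v, r = manifest(vendor_files), manifest(rebuild_files)
    return sorted(n for n in set(v) | set(r) if v.get(n) != r.get(n))


def assess_update(vendor_files, signature, rebuild_files):
    """A valid signature only proves the build server signed what it built; the
    rebuild comparison is what catches code introduced inside the build."""
    return {
        "signature_valid": signature_valid(vendor_files, signature),
        "mismatched": mismatched_files(vendor_files, rebuild_files),
    }


if __name__ == "__main__":
    sig = sign_release(VENDOR_BUILD)  # the build server signs the tampered output
    print(assess_update(VENDOR_BUILD, sig, CLEAN_REBUILD))
```

On the constructed input the signature verifies yet the plugin DLL is flagged, which is exactly the case a signature-only update check would wave through.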
This was discovered in December 2020 when the cyber security provider FireEye revealed that what was then an unnamed threat actor stole tools used by its ‘red team’ for penetration testing for clients. Further investigation revealed that the campaign compromised FireEye and other organisations, including US federal agencies such as the Department of Homeland Security and the Department of Energy.
Notably, the SVR also voluntarily sent a ‘kill switch’ to the vast majority of Orion customers that it compromised. This meant that Russian intelligence voluntarily relinquished access to all but approximately 100 of the most high-value Orion customers, likely in order to maintain the stealth of its operation.
However, subsequent reporting has indicated that the Russian campaign also went beyond SolarWinds and its customers. In January, the Wall Street Journal suggested that roughly 30% of known victims did not use Orion. In one case, the SVR targeted several customers of Mimecast, a UK-headquartered email security provider, by compromising a certificate used to authenticate some of the company’s products with Office 365 email services.
US retaliatory measures
Since news of the SolarWinds campaign first broke, a fierce debate has raged in the US over the appropriate level of response required. As initial reporting identified Russia as the likely culprit, this debate also became entangled with existing partisan disputes around the Trump administration’s perceived soft touch on Russia, with pressure subsequently ramping up on the incoming Biden administration to take a firmer line. Amid this wider political context, cyber policymakers and the intelligence community primarily focused their debate around a single question: did the SolarWinds incident represent a damaging but ultimately acceptable intelligence-gathering operation by an adversary, or something more?
Last month, the US government took its first meaningful steps towards answering this question when it announced diplomatic expulsions and financial sanctions against several Russian entities – including private cyber security companies believed to support Russian cyber operations – in direct response to the SolarWinds campaign and other ‘harmful foreign activities’ by the Kremlin. The White House also formally attributed the SolarWinds campaign to the SVR based on a ‘high confidence’ assessment from the US intelligence community.
How did the US justify the response?
Although diplomatic expulsions are a well-worn response to espionage, in announcing punitive financial sanctions, the Biden administration signalled that while SolarWinds was an espionage operation, it nevertheless crossed a normative red line that placed it outside the scope of routine statecraft.
To date, successive administrations have generally sought to put commercial and intellectual property theft, disruptive cyber operations and election interference out of bounds. However, the US government has traditionally accepted the legitimacy of foreign governmental spying in its networks. While cyber espionage can be strategically, operationally and tactically damaging, the US has historically prioritised its own freedom of action in conducting similar operations over attempts to curtail those of its adversaries. As a result, the official US response to past intrusions has been mild, and this has extended to supply chain compromises including China’s theft of millions of records from the US Office of Personnel Management.
What explains the apparent shift to a harsher line on Russia now? In announcing the imposition of sanctions, a US Treasury department statement and a White House ‘fact sheet’ outlined a combination of factors that have led the US government to believe the SolarWinds intrusion crossed a normative red line: the scale and scope of the campaign; the track record of the Russian government; the burden imposed on the private sector; and the nature of the attack vector.
However, as Robert Chesney, a Texas-based law academic, outlined, the US government has not defined a clear red line that SolarWinds crossed. The administration has yet to make a convincing case for how and why the SolarWinds campaign is distinct from previous cyber espionage operations that compromised software supply chains and went unpunished. This raises the question of whether the US will hold itself or its allies to the same standard. Given the US approach to cyber operations and some other tools of statecraft is perhaps best characterised as ‘do as I say rather than as I do’, this seems unlikely.
What does the UK’s response tell us?
At present, it appears unlikely that the US government’s retaliatory measures over SolarWinds will be replicated by its allies – many of which were also targeted by the campaign. As Ciaran Martin, the former head of the UK’s NCSC, suggested presciently in January: ‘Among US allies, even in very pro-US Britain, there is a sense that while the US (and, by extension, its allies) has been harmed by the SolarWinds intrusions, there is no sense the US has been wronged by them’.
The response of the UK may be telling. Although the government has been keen to emphasise that SolarWinds did not have a significant impact on the UK, we know that the SVR successfully targeted Mimecast and, according to the NCSC, at least a ‘low single digit number of public sector organisations’. Given that Orion is reportedly used by the Ministry of Defence and the Home Office, this could still represent a significant concern.
For now, while the UK has condemned Russia and joined the US in formally attributing the SolarWinds campaign and several other historical Russian cyber espionage operations to the SVR, it has declined to engage in retaliatory diplomatic or financial measures. This suggests the UK is unlikely – at least any time soon – to diverge from its policy of ‘naming and shaming’ Russian cyber operations and develop its own version of the comparatively more muscular approach favoured by the US. While ‘naming and shaming’ can have tactical effects – for instance, forcing operators to burn assets or develop new exploits – it is highly unlikely to force significant changes in Russian behaviour.
The UK’s comparatively limited response may also indicate a slight difference of opinion on what SolarWinds itself represents. Although the recent Integrated Review – the UK’s foreign and security policy agenda – highlighted the government’s aspirations to influence global cyber norms, London’s comparatively limited response to SolarWinds suggests it may be more circumspect when it comes to cyber espionage. This means that in contrast to the UK’s responses to the Salisbury and Navalny chemical weapons attacks or the NotPetya cyber attack, there is no clear indication that the UK government believes Russia has crossed a legal or normative red line. To date, the UK, alongside the US and other like-minded states, has been careful not to exclude cyber espionage when contributing to previous multilateral initiatives on international law and norms.
Most significantly, however, the UK’s response to SolarWinds emphasises the importance of domestic political pressure for cyber policy. SolarWinds’s salience in US political debates over the past six months has been remarkable: it has been front page news to an extent that dwarfs comparative media coverage in the UK. Policymakers in the UK have simply not been under the same kind of pressure to punish Russia. By contrast, SolarWinds is perceived by many US citizens as an embarrassing and frightening episode that strikes at the heart of their insecurities around the perceived fragility of the global technology supply chain and the increasing capabilities of their adversaries. The importance of domestic political salience for cyber policy is likely to be reiterated over the coming weeks, as the US federal government is finally forced to confront the ransomware epidemic in the aftermath of the Colonial Pipeline incident.
This also begs the question: what will the UK government do when a significant cyber operation by Russia does rile the public? Given the current state of UK–Russia relations and the reckless actions of Russian intelligence in the UK to date, it may have to answer this question sooner than it might hope.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.