21 March 2021

Retaliation Options: US Cyber Responses To SolarWinds, Exchange Hacks

By BRAD D. WILLIAMS

WASHINGTON: Less than two months in office, the Biden administration is grappling with how to respond to two large-scale, widespread cyberespionage campaigns conducted by nation-states against the U.S. public and private sectors. The Cybersecurity and Infrastructure Security Agency has said that critical infrastructure operators have also been affected by the SolarWinds and Microsoft Exchange server hacking campaigns.

The administration’s response to each incident will set the tone for and perhaps the trajectory of U.S. cybersecurity strategy, policy, and operations in response to adversarial national-state hacks over the next four years. The administration is said to be working on a multipronged response that will likely include a cybersecurity executive order, economic sanctions, and what National Security Advisor Jake Sullivan characterized as “tools seen and unseen.”

Any cyber operations response to each incident, whatever it might entail, is fraught with difficult questions on challenging issues, such as proportionality, the risk of escalation, and “cyber norms,” which the U.S. and many other nations advocate, but which some nations do not.

To understand the potential cyber operations “menu of options” before the administration, as well as the strategic and policy implications, Breaking Defense this week interviewed three experts with distinct insights into these matters:

Adam Roosevelt is CEO of Arlington, Va.-based cybersecurity and intelligence firm A.R. International Consulting, a U.S. Army combat veteran, and former Department of Defense official who served in multiple roles, which included supervising military cyber activities and engaging senior military officials in support of cyber operations and exercises.

Joe Billingsley is a Director at the National Defense University’s College of Information and Cyberspace, founder of the nonprofit Military Cyber Professionals Association, and a former U.S. Army Strategist and Cyber Operations Officer. His views expressed in this article are his own and do not represent those of the U.S. government, National Defense University, or any other government agency or entity.

Herbert Lin is Senior Research Scholar and Hank Holland Fellow at Stanford University. He co-edited, as well as co-authored essays in, the book Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations.

Each section of this article explores key strategic, policy, and operations issues that will likely factor into a U.S. response, with insights into each issue provided by these experts.

What’s In (And Who’s Behind) A Hack?

Certainly cyberespionage campaigns are not new, but the hacks of Texas-based SolarWinds Inc. and the ongoing exploitation of four zero-day vulnerabilities in Microsoft Exchange email servers are each remarkable in their own ways.

The SolarWinds hack, which has not been formally attributed by the U.S. government but is widely thought to be the work of Russian intelligence services, is remarkable for its technical sophistication and the number of organizations impacted. Notably, U.S. Cyber Command Executive Director Dave Frederick, speaking at a virtual event this week, said there is “no evidence” Defense Department networks were compromised in the SolarWinds hack.

This week the Russian government denied any involvement in the SolarWinds hack and warned the U.S. not to respond. Reuters reporter Chris Bing tweeted on Wednesday that CISA will release further evidence attributing the hack to Russia “soon.”

The Exchange hack, which Microsoft attributed to China-based HAFNIUM group as the original threat actor, is remarkable for how easy it is to exploit the four zero-day vulnerabilities, the prevalence of unpatched servers, and the reportedly high number of victims. Since Microsoft’s public disclosure of the four Exchange server zero days, the FBI, CISA, and several security companies have all said multiple threat actors, in additional to HAFNIUM, are now exploiting the vulnerabilities in the wild.

Both hacking campaigns, which appear to be originally motivated by cyberespionage, were discovered during a highly uncertain presidential transition — SolarWinds in December and the Exchange exploits in early January. The SolarWinds campaign dates back to at least October 2019, when threat actors conducted a “dry run” using harmless code in SolarWinds’ Orion Platform software, according to Feb. 23 Congressional testimony by FireEye CEO Kevin Mandia. FireEye first publicly disclosed the SolarWinds campaign after becoming a victim itself. While the Exchange campaign was first observed in January, it is unclear right now whether or not HAFNIUM or other threat actors had been active, yet undetected, before then.

The first question to answer in determining a response will be: Who is responsible for the hacks? Attributing hacks is notoriously difficult, especially with highly skilled threat actors such as nation-states, which is why attributions are often given along with the degree of “confidence” in the judgment. The matter is complicated by threat actors stealing and repurposing each others’ tools, techniques, and procedures (TTPs), which obscures attribution even more. So, before the U.S. can respond to either incident, the government must be highly confident in its attribution.

“Russian hacker group APT 29 ‘Cozy Bear’ is presumed to have been behind the recent SolarWinds hack,” Roosevelt told Breaking Defense. “For the Biden Administration to carry out an effective cyber and intelligence operation targeting Russia, or presumably other threat actors, the administration will need to prove attribution. Presumably, APT 29 ‘Cozy Bear’ adopts and utilizes highly competitive tradecraft in the digital domain, creating a challenge for attribution. Forensics and intelligence campaigns will provide insight on who is responsible and determine the level of force the government will use to respond to the adversary.”

What Might The Potential Menu Of Options Entail?

Once the U.S. government is confident in its technical attribution of the hacks, then U.S. cyber capabilities, strategy, and policy will be considered, along with the unique qualities of the nation implicated in the hack, the experts said.

From a U.S. cyber capabilities standpoint, Billingsley said, “The menu of response options is long and, to a certain extent, is only limited by creativity and the laws of physics. However, that assumes a symmetrical cyber-centric response to a cyber-centric action. All great geopolitical powers have many options at their disposal, whether cyber-centric or not.”

In response to the SolarWinds campaign specifically, Roosevelt noted, “A menu of options on the table for the U.S. government will be to leverage economic sanctions as their primary weapon. The secondary menu would consider cyber options aimed at disrupting agreed-upon strategic targets in the Kremlin that serve as proving ground that the U.S. can flex its digital muscle and enforce punishment for violations.”

Lin observed that the U.S. response will likely take into consideration two “constraints.” Lin said, “The menu of options is broad, but they have to satisfy two constraints. First, they cannot impose a cost that might plausibly be construed as a ‘use of force,’ which is prohibited by the UN charter. That puts off limits a number of high-end responses, such as actions to turn off electric grids in ways that cause civilian casualties or that seriously disrupt or even damage Russian military forces. Second, they must be sufficiently painful that Russian decision-makers take note but not so painful that they provoke further escalation for which the U.S. might not be prepared.”

As to the unique qualities of the nation-states formally implicated in the hacks, Billingsley said, “Many people have associated the SolarWinds hack with the Russian Federation and Exchange with the People’s Republic of China. With that context in mind, we should remember that these are two vastly different global powers with a wide range of interests, trajectories, and targetable assets. In population and economy alone, one is about the tenth of the size of the other. Without direct knowledge of the current state of analysis in these cases, one can reasonably assume these are relevant topics being considered.”

Lin highlighted the factors of the countries’ leaders and their interests, noting, “The major difference between the SolarWinds and Exchange campaigns is that the U.S. believes the Russians are behind the first and the Chinese are behind the second. Any response has to take into account the particular character of their respective leaderships and what they value most.”

Who Would Lead A U.S. Cyber Response?

If cyber operations were one of the items the administration selected from its menu of options, then the next consideration would be which entity should lead such operations and with what types of support from other entities.

Lin said, “A decision to conduct an operation of such significance should only be made at the highest levels — the White House — because of its potential for escalation. I would expect the intelligence community to be involved, including the CIA, and I suspect it would be undertaken as a covert operation rather than as a traditional military activity. I am unsure about the strategic and policy concerns being weighed in leadership, but bureaucratic and interagency concerns should also be added to that list.”

Roosevelt added, “The Federal Bureau of Investigation, ODNI [Office of the Director of National Intelligence], Central Intelligence Agency, CYBERCOM, NSA, DHS, and the Department of State will work jointly together, and all have predefined roles and responsibilities. Governed by U.S. law, each agency’s authorities are also outlined to ensure departments are operating within the guidelines as it pertains to investigations, countermeasures, and offensive activities. The National Policy Framework will be derived from a series of policy tools, such as the National Defense Strategy and the functional campaign plan for cyberspace operations. Given CYBERCOM’s direct mission and the current focus, it is my opinion that CYBERCOM will lead the cyber operations, as its core focus is to achieve and maintain cyberspace superiority. With this in account, partner agencies will be a part of a de-facto task force.”

How Do Proportionality And Cyber Norms Factor Into A U.S. Cyber Operations Response?

The principles of proportionality and cyber norms are often raised in questions of retaliatory cyber operations.

As to proportionality in cyber operations, Roosevelt said, “The functional campaign plan for cyberspace operations will be leveraged in planning and executing a ‘proportional offensive response.’ In-house options will be discussed that focus on the capabilities of CYBERCOM and partner agencies can jointly deploy to send a message, provided attribution can be proven. Retaliatory cyber offensive strategies must accomplish two goals: 1. send a message and 2. ensure deployed payloads are measured responses and mitigate ongoing risk to national and economic security. Considerations for measured responses will also include assessment of external factors that can lead to negative impacts on diplomatic and international security operations.”

In terms of strategic and policy factors, the matter of proportionality is “a very hard question to answer,” Lin observed. In regards to the SolarWinds hack specifically, Lin said, “The [New York] Times indicates that the U.S. is trying to make the argument that the Russian action was indiscriminate, whereas comparable U.S. actions are targeted. That may well be true, but if so, it rules out a U.S. response that is indiscriminate. That means any U.S. response must be targeted, and it must impose a ‘proportional’ cost on the target. But since there’s no good analytical meaning for comparing the collective cost incurred by an indiscriminate attack to the individual cost incurred by a specifically targeted attack, in the end it will be entirely a judgment call that we will identify with the label ‘proportionate’ after policymakers make that judgment.”

The U.S. and other countries have publicly advocated for cyber norms, including the restriction of cyberattacks against private sector entities (i.e., companies), certain public sector entities (e.g., hospitals, academic institutions, etc.), and critical infrastructure. Yet, both the SolarWinds and Microsoft Exchange server cyberespionage campaigns have affected the private sector, parts of the public sector, and critical infrastructure operators, according to the FBI, CISA, and Microsoft.

But Lin notes cyber norms may not be a factor at play here, at least based on what we know now about the SolarWinds campaign. Lin said, “To the best of anyone’s knowledge to date, what has happened in SolarWinds has involved espionage — exfiltration of information from protected systems — and not attack. That is, nothing has been damaged or destroyed or disrupted. Since the norms involve attack rather than espionage, no norms were violated at all.”

What About The Risk Of Escalation?

In addition to proportionality and cyber norms, a key consideration likely at play in the administration’s decision-making process is the risk of escalation.

To address this, Roosevelt said, “Wargaming each scenario will include a risk assessment and map out likely outcomes of each decision. Defending forward will demand that the U.S. has a program in place to dynamically pursue leads using advanced TTPs [tools, tactics, and procedures]. The level of force is determined by assessing a series of factors that evaluate intent, capability, and outcome to deploy a measured response.”

As to what a potential escalation could look like, Lin noted recent media reporting on backdoors into compromised systems that could be leveraged for more “destructive” attacks. Wednesday’s FBI-CISA joint advisory also warned of this possibility.

Lin provided the following hypothetical scenario for what such an escalation could look like: “The power goes out again in Austin, Texas, during a cold-weather snap. Authorities in Texas announce that the outage is similar to the one in February, but privately through diplomatic channels to the U.S. government, the Russians claim credit for the outage and provide evidence that they have compromised the power delivery to Austin. They also provide similar evidence that they have placed similar implants in the power grids that supply five other cities in the U.S. And then they politely ask the U.S. to please refrain from sending its messages any further.”

Can The U.S. Deter Future Cyberespionage And Cyberattacks?

The impossibility of “cyber deterrence” has been discussed at length in previous years, and the impossibility was accounted for and incorporated into the 2018 Command Vision for U.S. Cyber Command as the doctrine of “persistent engagement,” which is related to CYBERCOM’s “defend forward” concept.

Last week, CYBERCOM and NSA chief Gen. Paul Nakasone talked about “defend forward,” which acknowledges the limitations of cyber deterrence and involves, he said, “executing operations outside U.S. military networks.” Nakasone said “persistent engagement” is “focused on an aggressor’s confidence and capabilities by countering and contesting campaigns short of armed conflict.”

In light of the seeming futility of “cyber deterrence,” Lin pointed to the CYBERCOM vision, which states that “Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks.”

Lin said, “This is the only thing that [CYBERCOM] has said that may actually make a difference to Russian and/or Chinese activity. But, of course, that means constantly conducting offensive activity in their networks – which means they aren’t responding to specific Russian or Chinese actions.”

Roosevelt added that “[T]he U.S. Congress can enact laws that expand powers of CYBERCOM and intelligence agencies, allowing for streamlined decisions to disrupt adversaries following a major cyberattack.”

What Else Can Be Done?

Billingsley said that Americans are “increasingly impatient” with these types of cyber campaigns carried out by nation-states against U.S. civilian targets. He added, “While there may be actions in the short-term that send messages which force adversaries to reconsider their risk appetite for a time, without wiser investments, the U.S. and its people are poised to continue being the subjects of increasingly costly cyber-related victimization at the hands of foreign entities for the foreseeable future.”

Billingsley advocated long-term investment in education from K-12 through college, noting the complexities involved in understanding the current environment in cyberspace. “Despite what many may say, there is no quick fix, and we simply do not have enough Americans who understand cyberspace sufficiently,” he said.

However, Billingsley does see some bright spots. “Fortunately, the U.S. is heading in a more strategically sustainable direction with efforts like the U.S. Cyberspace Solarium Commission, but a greater sense of urgency is needed across the nation to hasten the progress. Instead of waiting for taxpayer-funded programs to incentivize limited pockets of excellence, more American parents should independently prioritize STEM studies and degrees with their kids. Without such grassroots action, don’t be surprised if things continue to get worse.”

No comments: