Artículo World Politics Review, 20.04.2021 Emily Taylor, CEO (Oxford Information Labs), académica (Chatham House) y editora (Journal of Cyber Policy)
Last week, the Biden administration took the bold step of imposing economic sanctions in response to an act of cyber espionage, namely the SolarWinds attack. It seems that the new U.S. administration is finally getting serious about standing up to Russian aggression in cyberspace. But from the perspective of international law, the move is controversial and could potentially come back to bite the U.S. in the future, given its own cyber capabilities.
The release of the Executive Order announcing the sanctions, which also respond to Russian meddling in the 2020 U.S. presidential elections and other actions, coincided with a call between President Joe Biden and his Russian counterpart, Vladimir Putin, in which the two leaders discussed the possibility of a summit on arms control. In this context, the sanctions can be understood as a symbolic show of strength amid parallel moves to deescalate tensions and rebuild trust and respect in the wider bilateral relationship.
Nevertheless, the reprisals represent a clear break from the Trump administration, during which a serving U.S. president cast doubt on his own intelligence services’ assessments regarding Russian disinformation, electoral interference and other cyberattacks. The measures announced last week include the imposition of economic sanctions barring U.S. financial institutions from purchasing Russian sovereign debt, as well as the expulsion of 10 Russian diplomats.
The SolarWinds compromise, in which hackers introduced malware to a wide range of networks through a security update to SolarWinds’ network-monitoring Orion platform, was uncovered in December 2020, after having been in operation for up to nine months. It was described at a U.S. Senate intelligence hearing last week as one of the largest and most sophisticated cybersecurity breaches in history. Known victims include the U.S. Department of Homeland Security, NATO, the European Parliament and a handful of U.K. targets, as well as many private-sector businesses and organizations using the Orion platform.
The inclusion of the SolarWinds attack as a cause for the announced sanctions is a new and creative attempt to raise the cost of Russia’s brazen and destructive activities in cyberspace, something Western democracies have struggled to do in recent years. Until now, they have resorted to “naming and shaming,” which has yielded mixed results. In October 2018, the U.S. and its allies coordinated among themselves to publicly denounce Russian attempts to hack into the networks of the Organization for the Prohibition of Chemical Weapons and various anti-doping agencies, as well as other cyberattacks they attributed to Russia. It was an impressive show of solidarity and combined intelligence capabilities, but whether it had the desired deterrent effect is less than clear. It may have perversely fed the harmful narrative of Russia’s strength at cyber dirty tricks. The embarrassing discovery of the SolarWinds breach highlights that for Russia, cyber business continued as usual.
The Biden administration’s announcements last week are significant for two reasons. First, they represent the first official public attribution by U.S. intelligence services of the SolarWinds compromise to the Russian Foreign Intelligence Service, or SVR. That’s in line with a growing trend in which states use such attribution strategically, to make sure bad actors know they are not evading scrutiny.
Second, the eye-catching inclusion of SolarWinds in the Executive Order is controversial from an international law perspective. The expulsion of diplomats and imposition of sanctions are classic examples of “retorsion,” located at the lower end of the lawful responses reserved by states that are victims of another state’s breach of international law. This is significant because despite its audacity and scale, SolarWinds was a classic case of espionage. The attackers did no damage. They just installed themselves in their victims’ systems and soaked up information. When discovered, they withdrew. For national security and international lawyers, the invocation of an act of espionage as a breach of international law is unconvincing at best.
There is no doubt that Russia’s reckless, almost anarchistic behavior in cyberspace merits a strong response from the U.S. and its allies. But last week’s Executive Order and accompanying documents are light on international law analysis, and that’s probably a deliberate choice. In the past, Russia’s other egregious acts—such as the use of the chemical nerve agent Novichok in the attempted assassinations of Alexei Navalny and Sergei Skripal, or its cyberattacks on critical infrastructure in Ukraine—have clearly crossed the international law threshold for retorsion.
But the U.S., alongside the U.K. and other states that have broad-spectrum capabilities in cyber, has until now been careful to carve out espionage from the scope of the sovereignty principle under international law, although this is often couched in such ambiguous and complex language that one could be forgiven for missing it. This explains why Michael Hayden, a former U.S. director of national intelligence, went so far as to describe China’s notorious hacking of a U.S. government personnel database, discovered in 2015, as “honourable espionage work.”
In an article published in October in the Journal of Cyber Policy, which I edit, Chatham House’s Harriet Moynihan explained that while several states, such as the Netherlands, France and Austria, consider that any unauthorized cyber incursion by one state into another, including cyber espionage, could in certain circumstances be a violation of the principle of state sovereignty, that has not been the consensus view. Moynihan told me more recently that, based on the current facts, she is doubtful the SolarWinds hack violated international law.
Last week’s Executive Order and the papers accompanying it announce that the U.S. will be working to incorporate like-minded allies, including the U.K., France, Denmark and Estonia, into joint cyber exercises to reinforce their shared commitment to collective security in cyberspace. But in order for these like-minded countries, particularly the U.S., to shape future norms for responsible state behavior in cyberspace, they will need to bring nonaligned swing states along with them. To do so, Ciaran Martin, former head of the U.K.’s National Cyber Security Centre, told me, “The U.S. will have to work harder to convince swing states that it is really committed to achieving fair and balanced rules of the road.”
Seen in this light, the inclusion of an act of cyber espionage, SolarWinds, as a justification for international law responses may do more harm than good, given Washington’s own cyber intelligence activities.
Another intriguing aspect of last week’s Executive Order is whether the economic sanctions it imposes will actually hit Russia where it hurts—in the wallet. Lord Peter Ricketts, a former U.K. national security adviser, praised the U.S. action as an “asymmetric” approach “to remind Russia of their econ[omic] weakness.” But, after causing a “brief wobble,” the sanctions don’t seem to have had much long-term impact on the markets, suggesting that they may be more symbolic in nature, rather than a real attempt to destabilize the Russian economy.
In the wider context, as the new U.S. administration sets out its Russia policy more clearly, last week brought us a show of strength and resolve on cyber, coupled with an olive branch in the area of traditional arms control: a proposed summit between the two leaders to “build a stable and predictable relationship consistent with US interests.” In a Trend Lines interview with WPR’s Elliot Waldman last week, Sarah Bidgood, the director of the Eurasia Nonproliferation Program at the James Martin Center for Nonproliferation Studies, described the risks to national and international security of today’s U.S.-Russia relationship, characterized as it is by “real acrimony ... a lack of respect for one another that permeates all aspects of the relationship.”
The proposed summit is an urgently needed attempt to restabilize the relationship with Russia and prevent the risk of escalation and mutual harm. That difficult, but positive engagement could be an opportunity for Russia to play a more responsible role in its future use of cyber technologies.