The SolarWinds hack pokes holes in Defend Forward – Observer Research Foundation9 minutes read

My article for the Observer Research Foundation: https://www.orfonline.org/expert-speak/the-solarwinds-hack-pokes-holes-in-defend-forward/

In December 2020, the cybersecurity company FireEye discovered a cyber espionage campaign, compromising dozens of government and private organisations in the US.

Orchestrated by subverting the supply-chain of the popular IT administration software-maker SolarWinds, the operation showcased remarkable ingenuity and precise tradecraft at every step of the “kill chain” to skirt around the phenomenal counterintelligence capabilities of the US. They had no plans to outmatch the strategic cyber offensive might of the US, so the spies tactically blended-in with the environment, exploited “transitive trust” of the computers, and used deception to look like routine processes.

Yet, beyond all the technical details, it was the palpable strategic calculus which strikes at the heart of US cyber policy. The SolarWinds hack could potentially upset many of the US’ cyber statecraft initiatives—bolstering national cyber defence in the aftermath of the 2016 electoral interference—which took years to mature.

Widely attributed to the discrete Russian foreign intelligence agency SVR, the intrusion may not be an act of aggression, but it exposes the structural fault-lines within US cyber policy.

Exposure of weaknesses in US cyber policy

The American initiatives were based on certain assumptive paradigms, largely driven by legal and political compulsions rather than the operational realities of the domain. Strategies like the US Cyber Command’s (USCYBERCOM) Defend Forward seek to execute pre-emptive“extraterritorial” cyber operations in an adversary’s own information space— neutralising a potential threat even before it is initiated. The idea behind it is not to undertake such expeditionary manoeuvres in every hostile network, but to make a credible deterrence threat with the selective use of ‘force.’

Defend Forward aimed at establishing firm declaratory thresholds on one hand, while trying to strike a tacit bargain with the adversary in a contested territory on the other. The strategy was based on some broad, sweeping assumptions:

First, that the traditional structures of deterrence by denial and deterrence by punishment remain valid in cyberspace. Second, that cyberspace is a “domain” allowing militaristic power projection “at a place and time of choosing.” There was also a retroactive implication that cyber operations more or less adhered to the law of armed conflict, thus, bestowing legitimacy upon Western offensive counteractions. Third, that on a broader scale, pre-emptive cyber operations legitimised by the West would trigger a kind of creative destruction, thus calcifying a rules-based order in cyberspace. The overall theory seems to adhere to the ‘neoliberal institutionalist’ concept of security cooperation, seeking the establishment of a global cyber normative regime premised upon international law.

Yet, without any measurable indicators of success, a sizeable majority of policymakers in the government, as well as researchers in think tanks and academia, rushed to elevate Defend Forward to the hallowed pedestal of Layered Cyber Deterrence, as is evident from the whole-of-government approach proposed by the Cyber Solarium Commission.

Cyber Solarium Commission

Solarium was an ambitious taskforce, instituted by the US government to formulate a grand strategy for cyberspace, which released its report in March 2020. Proposed in the aforesaid report, Layered Cyber Deterrence was a bold plan to make Defend Forward a “key element” of “a larger, whole-of-nation framework that uses multiple instruments of power” to impose costs, limit adversarial behaviour, establish declaratory thresholds with calibrated signalling, and project power by prepositioning the USCYBERCOM’s “forward-deployed forces.”

The groupthink was obvious as overnight, the still fledgling Defend Forward became a crucial building block for the strategic instruments of American power. All that belied the ground truths of the cyber domain.

There is no doubt that Defend Forward carries a certain appeal to it. However, like any good cyber initiative, it mostly thrived within a microcosm, which the US cyber establishment has been afforded with. It evolved from its unique subcultural mores and was divorced from the greater power structures. Defend Forward came into being only because it was seeded within the epistemic boundaries (not to be confused with secrecy) of that subculture. An expeditionary manoeuvre, however, cannot become the cornerstone of statecraft.

Cyber operations cannot be strictly delineated around preliminary exploitation, prepositioning for defence, espionage or attack. Exploitability and attack in cyberspace are the cognitive outcomes of an operator exhibiting wilfulness and intent to undermine the adversary. And the intent does not reside in the code; code is just semantics. Such ambiguous interpretation, within and outside the system, gave some space to General Paul Nakasone and his team at USCYBERCOM to carve a new philosophical framework relying on piecemeal, incremental policy innovations. While the premise for the new operational innovations introduced in the 2018 Command Vision of USCYBERCOM sounded new, the challenges it tried to solve were contemporary. It assumed that compulsion and coercion would work within the parameters of 5Ds: Deny, degrade, disrupt, deceive, or destroy. The system was also ham-fisted by rather obtuse and illogical interpretations of international law’s applicability to cyber operations – aggravated by a US information operations doctrine that seemed paradoxically disjointed from its cyber counterpart.

In a way, it was a perfect storm in the making. While the operators patted themselves on the backs, the breach of the decade was underway. The adversary was neither deterred, compelled, or coerced; nor did it opt for an explicit or tacit bargain.

Asymmetric Operations

From the US standpoint, the SolarWinds hack is state-to-state espionage. But from Russia’s end, it neatly fits into an asymmetric operation. All its operational elements were invoked – surprise, system warfare, disorganisation and indirect operations – which seem to have neutralised Defend Forward. It wasn’t the first time that cyber deterrence, which remains a function of perception, has floundered for the US. Fundamentally, it exposes a structural fault-line so deep that no extant international relations or geo-strategic framework relying on the current interpretations of international law could be used to expound.

If one were to visualise (refer to the graph in the link) the Gerasimov Doctrine (named after the famed Russian general Valery Gerasimov), a direct military threat warrants a crisis reaction that falls very much at the intersection of nonmilitary and military measures, with the former dominating the latter by a proportion of 4:1. To catalyse a resolution by the localisation and eventual neutralisation of the threat, the doctrine anticipates the deployment of informational measures. Ironically, such measures would be deemed as an afterthought by the Western militaries in similar stages of the conflict. Gerasimov, on the other hand, feels that “the information space opens wide asymmetrical possibilities for reducing the fighting potential of the enemy.” The Russian military thought on asymmetric operations remains consistent through the decades, but its swift and decisive embrace of new stratagems in a world affected by colour revolutions requires a fresh appraisal.

As per Selmer Bringsjord of the Rensselaer Polytechnic Institute, any effort to derive a normative framework for cyberspace must burrow deep into its structures of power, which have no precedents in our shared physical realities. Major contradictions and policy gaps have arisen from the teleologic nature of laws governing cyberspace, driven by reasoning by analogy. And as a result, customary law governing conventional conflict, too, hangs in a balance when it comes to cyberspace.

General-Major VD Ryabchuk, who laid the foundation of the Russian “strategy” of Reflexive Control, alluded that “thought is the first to enter battle.” Timothy L Thomas of the Foreign Military Studies Office, who deconstructs Russian military philosophy, explains how the Russian commanders have laid a great emphasis on fostering contrarian, disruptive military thought among its young officers. It is an intrinsic component of its military operations, military leadership and military art. Keir Giles, an expert on Russia, feels that the Russian strategists “see no distinction between information stored in a computer or in the human mind, just as there is no distinction between the way information is transferred between those storage spaces.”

The Russians had divested its information operations capabilities from the overall integration function, and it happened much before the US started contemplating it. While the US may still be seeing it as a set of capabilities like Military Information Support Operations (MISO) and Military Deception (MILDEC), Russia has greatly expanded the scope of what could comprise information operations. It is an altogether different assumptive paradigm, which interprets the same domain from a purely cognitive standpoint, devoid of the legal picket-fencing to circumscribe cyber operations within international law.

It is a dichotomy which would never, ever emerge in other domains like land, sea, or air as their underlying physics cannot be decoded subjectively.

One could also make an argument that Russia has more deftly imposed normative frameworks in cyberspace than the West. The international policy paralysis around cyber norms never really stymied norm-creation; it is just that its fulcrum has shifted from the status quo imposed by neoliberal institutionalism to political regimes based on “information security.” One could cite quite a few precedents where the North Koreans, Russians and Chinese carved new behaviour bordering on customary law (self-censorship by Euro Atlantic nations, app bans and trade wars of the West, the recalibration of cyber operations to imbibe more cognitive qualities when it comes to effects/hack-and-leak, etc.).

What now?

The choices in front of the U.S. are stark and complicated. It cannot fully absolve itself from the global rules-based order which it helped foster. And it should gear up for the long haul, brace itself for the disruptions and attrition, while steadfastly leading global cyber resilience efforts. The cost-benefit analysis of its cyber apparatus need to be recalibrated to create a “cult of the defensive” rather than offensive. As Ciaran Martin, the founder of the UK’s National Cyber Security Centre, expounds, “[We] must be unambiguously in favour of safer technology… even if that sometimes makes deploying our own offensive cyber capabilities harder because a rising tide of security will, to some extent, lift all boats, including adversarial ones.”

The failure of the Western policy community in shaping practical, technically viable, applicable and – most importantly – equitable customary law (that would thus form the foundation of emerging cyber normative frameworks) needs an honest appraisal as well.