In December 2020, the cybersecurity company FireEye discovered a cyber espionage campaign, compromising dozens of government and private organisations in the US.
Orchestrated by subverting the supply-chain of the popular IT administration software-maker SolarWinds, the operation showcased remarkable ingenuity and precise tradecraft at every step of the “kill chain” to skirt around the phenomenal counterintelligence capabilities of the US. They had no plans to outmatch the strategic cyber offensive might of the US, so the spies tactically blended-in with the environment, exploited “transitive trust” of the computers, and used deception to look like routine processes.
Yet, beyond all the technical details, it was the palpable strategic calculus which strikes at the heart of US cyber policy. The SolarWinds hack could potentially upset many of the US’ cyber statecraft initiatives—bolstering national cyber defence in the aftermath of the 2016 electoral interference—which took years to mature.
Widely attributed to the discrete Russian foreign intelligence agency SVR, the intrusion may not be an act of aggression, but it exposes the structural fault-lines within US cyber policy.
Exposure of weaknesses in US cyber policy
The American initiatives were based on certain assumptive paradigms, largely driven by legal and political compulsions rather than the operational realities of the domain. Strategies like the US Cyber Command’s (USCYBERCOM) Defend Forward seek to execute pre-emptive, “extraterritorial” cyber operations in an adversary’s own information space— neutralising a potential threat even before it is initiated. The idea behind it is not to undertake such expeditionary manoeuvres in every hostile network, but to make a credible deterrence threat with the selective use of ‘force.’
Defend Forward aimed at establishing firm declaratory thresholds on one hand, while trying to strike a tacit bargain with the adversary in a contested territory on the other. The strategy was based on some broad, sweeping assumptions:
First, that the traditional structures of deterrence by denial and deterrence by punishment remain valid in cyberspace. Second, that cyberspace…