2020, a year rich in alarming and unwelcome developments, held back one final surprise for December: the revelation of a vast cyberattack on US infrastructure, dubbed SolarWinds after the software company used as a conduit for access.
Over the course of nine months, hackers used malware to gain access to a range of critical systems and institutions—from Microsoft to the US Treasury, departments of Homeland Security, State, Defense, and Commerce. The fact of the hack itself is hardly remarkable—such incidents are becoming much more common—but the scale took many by surprise. How should we interpret it?
What is interesting about any attack like this is what it reveals and confirms. This one revealed, rather paradoxically, the strength of US defenses—by providing insight into the level of intrusion necessary to overcome them. It also confirmed both the strengths and weaknesses of a digital infrastructure largely managed by private sector actors. On the one hand, it was a company, FireEye, that discovered the attack—a clear demonstration of the expertise that exists in the private sector. On the other hand, the techniques it used to discover it—a complex process of “reverse engineering”—are beyond the capacity of most of the companies affected by the breach, which also likely lack the resources for the ‘scorched earth’ tactics necessary to remove the malware used. Because the affected actors have such different levels of resources, a patchy response is inevitable—leaving fragments of malware possibly scattered for many years to come in systems operated by companies that only have the resources to apply basic patches. Even more worryingly, attacks like this could disincentivise the installation of security updates (updates being one of the key vectors for malware distribution), making the whole ecosystem more vulnerable.
SolarWinds also makes vivid the huge range of activities in cyberspace which are technically deemed permissible, because they fall into the legal grey zone known as “espionage”. As the scale of the attack unfolded, international lawyers turned to analyse it—exposing the many unanswered questions about how international law applies in cyberspace, and generally concluding that “the attack did not violate international law”, simply because it didn’t cross certain thresholds. And even though US intelligence agencies and a lone private actor have pointed fingers at Russia, there’s no unequivocal evidence (and no institutional authority, like an international attribution organisation, to provide it).
Notably, no government has yet called out the attack as a violation of cyber norms—even though the attack concerns public utilities and services, and there are dedicated norms on the protection of supply chains and critical infrastructure. But in a sense this isn’t surprising: there is no common or agreed definition of critical infrastructure—revealing yet another gap in understanding that makes it difficult to implement agreed cyber norms.
Where does this leave us? An attack that causes widespread damage, but is acceptable because it’s “just espionage”—even though it affected scores of ordinary people, NGOs and businesses. From the point of view of a state, it’s certainly concerning. Unfortunately, it may end up providing fresh impetus and rationale for investing in offensive cyber capabilities, including the exploitation of vulnerabilities (see the UK’s launch of its new “Cyber Force” last year) that ultimately make cyberspace less secure.
We enter 2021 in the wake of an attack that revealed the nature of the challenge, and confirmed the gaps we already knew existed: a lack of conclusive attribution for cyber attacks, a multifaceted supply chain that requires greater collaboration between different actors, and a grey zone of “espionage” that governments will continue to exploit. Amid all this, it’s clear that some actors think this kind of behaviour is unacceptable (Microsoft President Brad Smith recently called on fellow industry leaders to call it out as such); others—namely, certain states—don’t. The likely result? An ever less secure cyberspace, and a continued state of heightened tension and contestation between states—with unknown, possibly catastrophic, consequences.
To avert this, we need a collective agreement and shared understanding of what is acceptable in cyberspace, including when it comes to espionage. The human-centric implementation of agreed cyber norms and the rest of the GGE framework needs to be front and centre. And the question of whether new institutions and rules are also needed—including ones to limit cyber-espionage activities and address accountability gaps—remains an open, contested, but urgent one.
- The multistakeholder dialogue series we helped organise—“Let’s Talk Cyber”—wrapped up last month. Its final report is now up on the OEWG portal.
- The OEWG’s zero-draft is out. We’re glad to see a few references to the need for a human-centric and rights based approach, as well as reference to the role of civil society, but there are areas where it could be strengthened. We plan to share perspectives on it soon, along with other stakeholders.
- Under the premise of protecting “national security”, the Ugandan government shut down internet access in the country for five days this month, against the backdrop of an election marred by reports of state violence. Access to social media sites still remains restricted there.