How the White House actually plans to respond to the SolarWinds campaign remains far from clear. In Comments to CNBC correspondent Eamon Javers, a White House official partially contradicted the Timesstory, in particular his description of a “cyberstrike” which was later removed from the title of the article. (The White House did not respond to WIRED’s request for comment.)
Part of this confusion may stem from an internal debate over potential answers, suggests Jacqueline Schneider, a Hoover cybersecurity researcher at Stanford University. If so, says Schneider, she hopes it’s not too late to steer the White House away from a punitive counter-strike. “My biggest criticism would be to call SolarWinds something unacceptable,” says Schneider. Biden, for example, described the operation as a “cyber assault” and vowed he would not “sit idly by” in its wake. “I think this standard is going to be almost impossible for them to build and really, really hard to enforce,” adds Schneider. “And it ties the hands of the United States where we might otherwise have advantages.”
Instead of retaliation to “report” something to Russia or set a rule the United States won’t want to abide by on its own, Schneider suggests that any counter-strike for the SolarWinds campaign should target hacker ability. to perform this type of operation again. . It would look less like an effort to punish the Kremlin – like an equivalent hack of Russian infrastructure or even economic sanctions – as much as a targeted disruption of the machines or networks used by the SolarWinds hackers themselves. Past examples of this kind of counterattack would be those of Cyber Command. Trickbot criminal botnet disruption, for example, or the destructive data attack on Russian Internet Research Agency network spewing disinformation. “You make their jobs harder to do, forcing them to invest more resources, which diverts resources from other harmful things,” says Schneider. “The hope is that this will lead them to focus on defense and that they will have fewer teams assigned to look for vulnerabilities in, for example, power grids.”
A former U.S. government cybersecurity official described a slightly different approach that he likened to a “pitchback,” baseball’s term for close, inside ground that requires the batter to back off the plate. “We’re going to make you dodge,” he said. “This bullet won’t hit you, but you’ll know we’re chasing you and stepping back.”
This backtracking tactic may in fact not differ from a “retaliatory” strike on the bottom. But presenting it as a direct warning or counterattack to the opposing hackers themselves rather than a normative “punishment” for their bosses in the Kremlin could make this action more effective. “What kind of words we use for these things can mean a lot,” the former official said.
There are also steps before a counterattack that could still prove effective, says J. Michael Daniel, the former cybersecurity coordinator for the Obama administration. The United States has the tools to send subtle and diplomatic signals to adversaries, he points out. “You can use the cybernetic phone line that has been established between the United States and Russia and send a message saying ‘hey, we know it’s you, stop,’” Daniel said. “You can attach some diplomatic things that the Russians maybe want at the UN that the US might not otherwise be able to object to, but decide to slow down. There are other ways to express your diplomatic dissatisfaction.
But at the end of the day, espionage, even at the scale of SolarWinds, is in the rules of the game, argues Silverado’s Alperovitch. He revisits the comments of Director of National Intelligence James Clapper in a 2015 Congress Hearing on China’s Violation of the Bureau of Personnel Management, which resulted in the theft of reams of highly sensitive personal data from officials. Clapper made it clear in this hearing that he did do not to see the OPM breach as an “attack” but rather an act of espionage of the kind that the United States could well have carried out on its own.
“This is a case of ‘good for them, shame for us’,” said Alperovich, vaguely paraphrasing Clapper’s remarks. “Let’s focus on making sure we make it really hard for them to do this to us again.”
More WIRED stories