by Matt Wyckhouse, Founder and CEO of Finite State
Senator Dick Durbin recently stated, “[The SolarWinds attack and follow-on campaign] is virtually a declaration of war by Russia.” Does this supply chain compromise constitute an act of war? To answer that question, I believe it’s important to first agree upon terminology, understand what we do and do not know about the incident at this point in time, and look to the established norms for cyber warfare for guidance.
First, we should clarify the differences between a cyber intrusion and a cyber attack. A cyber intrusion is a compromise of the security of a system or network, which is often coupled with an actor gaining unauthorized access to those systems or networks. A cyber attack, as defined by NIST, is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.” Unfortunately, the NIST definition of “attack” actually covers both destructive operations (e.g. disrupt, disable, destroy, etc.) and espionage operations (e.g. stealing controlled information). Luckily, the DOD defined Computer Network Attack (CNA) in 2005 with better precision: “Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.”
The distinction between an attack and espionage is further complicated by the gray areas that exist when we’re in the cyber domain. As described by Martin Libicki in The Coming of Cyber Espionage Norms, the US Government only views certain types of cyber espionage as acceptable state behavior. Cyber attacks (specifically, those defined as CNA) are always unacceptable, but we’ve also been adding classes of cyber espionage to the list of unacceptable behavior. Those classes include economically-motivated cyber espionage, providing intelligence data to criminal organizations, doxing (making private data public), and other acts that could be construed as targeted information warfare (e.g. manipulating public perceptions to influence an election).
Why do these definitions and norms matter? Well, we have rules of engagement, established global norms, and years of precedent that define how we respond to an attack versus an espionage operation. Espionage for the purposes of national security decision making is acceptable, while cyber attacks and influence operations are not. The response that we can and should levy is dependent upon the amount of damage done, the actors behind the operation, and the intent of the actors.
So, what happened here? It appears that SolarWinds suffered a supply chain attack. They were deliberately targeted by malicious actors, at this point in time believed to be the Russian SVR (their civilian intelligence organization). Those actors intentionally manipulated the SolarWinds Orion software at some point in the development lifecycle. It is not yet publicly known whether they compromised the code base in their source control repository, compromised a build server, or covertly added a backdoor to the software after it was placed on the update server (which would have required access to the SolarWinds private code-signing key). In any respect, the actors manipulated SolarWinds’ code and information systems, which destroyed the integrity of their data. That makes this a “cyber attack” against SolarWinds. The reason we call this a “supply chain attack” rather than just a “cyber attack” is the motivation—they attacked SolarWinds by implanting malicious code in SolarWinds’ software for the purpose of gaining access to SolarWinds’ customers who are downstream in their supply chain. This supply chain attack was step one in an overall espionage campaign.
Step two of the campaign started after the maliciously compromised SolarWinds Orion software updates (containing the SUNBURST backdoor) made their way to SolarWinds’ customers—approximately 18,000 of them. Every user who installed the update provided an initial access vector to their network for the actors (again, likely Russia’s SVR). For what appears to be a very small subset of those customers (including FireEye, Microsoft, NSA, DHS, DOE, etc.), the actors initiated further espionage activity designed to collect intelligence on those organizations. At this point, there has been no public acknowledgement that the actors escalated these campaigns into Computer Network Attacks against these victims. In other words, we have not yet seen evidence that the goal of these actors was to disrupt, degrade, destroy, or manipulate the systems or networks of these victims; rather, it appears that the motivation was to collect intelligence. Of course, it is very important to note that all of this is still under investigation — the incident response efforts related to these intrusions could take many months.
That brings us back to the original question. How do we classify this campaign? There are two distinct stages, which have different classifications. First, we have a (likely) Russian civilian intelligence organization who deliberately targeted a US company in a supply chain attack that resulted in manipulation of their data and systems, with permanent, damaging effects to SolarWinds, including damaged reputation, economic costs, and potentially losses of some of their customer base. The intent of the attack was to gain access to their customers’ networks, but the damage is real. If they wanted to, the US Government could escalate their response based upon the fact that this fits the definition of an attack.
However, the issue that seems to have policymakers and stakeholders the most upset is the fact that the second stage of the campaign was so effective and targeted so many critical Federal and private sector networks. It is certainly a devastating and possibly unprecedented cyber intrusion, but at this time, there is no evidence that this second stage was an “attack.” By all of the norms and definitions we have, it appears that this was a highly effective intelligence collection operation by the SVR that was designed to inform their national security decision making. Does that excuse this brazen intrusion into the US private sector and national security apparatus? Absolutely not, but at this point, it is hard to argue that it was an act of war. It appears to be a highly effective intelligence operation conducted by an adversarial organization tasked with conducting intelligence operations. As Dmitri Alperovitch pointed out, if we believed this operation was conducted by the GRU rather than the SVR, that would dramatically inform our analysis and response—we would be expecting that we’d find signs of a disruptive or destructive attack.
I expect that the incident responders around the world who are working tirelessly to understand the impacts of this intrusion will find more concrete data on the intent of these actions over the coming weeks and months. It is possible we will find that the actors stepped into our critical infrastructure networks or attempted to gain access to systems we deem critical enough to meet the definition of an attack. We may also find that they intend to use the stolen information for information warfare or economic purposes. Of course, the most likely outcome is that this is one of the most effective and devastating intelligence collection operations waged against the US Government. These findings will inform our classification of the actions and our response.
The lines between cyber attacks and cyber espionage are blurry. You can see that clearly in the NIST definition of a cyber attack, which includes elements of both attacks and espionage. Precedent and norms provide that certain types of cyber espionage may require a response that looks more like the response to an attack. This gets even messier when it comes to supply chain attacks, as the second order consequences and oftentimes significant collateral damage can factor into the response much more than the intent of the actors.
Regardless of what we find in these investigations, we need to hold the actors accountable to deter future actions like this, and we desperately need to invest in measures to protect our digital supply chains to mitigate the risks of this happening again. One thing is clear: despite the years of investments into layered cyber defenses, expert personnel, and new technologies, malicious actors were able to gain access to the most sensitive networks in the world by adding a simple, easy-to-spot backdoor into software used and trusted by all of these organizations. Why was this so effective? Because nobody bothered to look into the contents of the software update.