Hackers serving the interests of a hostile foreign government penetrate important U.S. government computer networks, compromise key nodes, and steal sensitive information. U.S investigators uncover the broad contours of the hacking operation but question whether they can ever determine its full scope. In the absence of good options or full information, the U.S. government must decide how to respond to a seemingly unprecedented situation.
A version of this story is unfolding now, as worrying new details emerge about Russia’s recent hack of the information technology company SolarWinds and many other U.S. public- and private-sector organizations. But other versions have played out in the past. Moscow gained access to White House computer systems during President Barack Obama’s administration; it penetrated the U.S. military’s classified networks in 2008 via malware known as Agent.BTZ; it stole reams of U.S. government data in the late 1990s through an extensive cyber-espionage campaign known as Moonlight Maze; and even before the collapse of the Soviet Union, it acquired valuable secrets pried from hundreds of hacked U.S. government computers as far back as 1986. Each intrusion was more ambitious and likely more damaging to the United States than the last—a one-way ratchet showing what hackers can do.
And Russia is not the only villain in this story. China has carried out bold cyber-espionage campaigns, including an enormous hacking effort just this year against companies running Microsoft Exchange, a widely popular email service. In recent decades, hackers aligned with Beijing have acquired sensitive information on U.S. government employees, valuable intellectual property from major U.S. companies, and vast troves of data—including medical, travel, and financial records—on many millions of U.S. citizens.
After each new breach, U.S. policymakers wonder how the United States fell victim once again. They devise new strategies to meet the threat of foreign hacking, each more ambitious than the last—but all of which inevitably fail. Yet these failures say less about the limitations of U.S. cybersecurity strategy than about the new cyber-reality. Nothing the United States (or any other country, for that matter) can do will prevent cyber-espionage entirely. Effective, deniable, and attractive to authoritarian and democratic leaders alike, this type of technological intrusion is now an integral part of statecraft. As a result, the United States should assume that the alarming drumbeat of hacking campaigns will only accelerate.
THE SECURITY TRIAD
Broadly speaking, the United States has three major overlapping strategies for securing U.S. computer networks from foreign spying: defense, deterrence, and disruption. The first has always been difficult to achieve. Sophisticated intruders can use an array of technical methods to evade defenses and gain unauthorized entry, often aided by unwitting users. Security-conscious engineering, well-crafted defensive tools, and high-quality threat intelligence can help protect networks, but there is no silver bullet. Cybersecurity measures themselves, such as software updates and centralized management of information technology (IT) infrastructure, can occasionally be exploited by intruders, as occurred in both the SolarWinds and Microsoft Exchange hacks. Defenders of even the most secure networks must therefore assume that intruders will sometimes break in.
In a world where defense is necessary but insufficient to the task of protecting sensitive networks, the second cybersecurity strategy, deterrence, holds a special allure. But deterrence depends on credibility, which is surprisingly elusive. While the United States can plausibly promise military retaliation for a cyberattack that plunges U.S. cities into darkness or causes planes to crash, it has a harder time meting out appropriate and meaningful punishments for cyber-espionage. It has responded with sanctions and indictments of foreign hackers and officials, including a raft of new punitive measures against Russian officials and entities announced this week. But there is little public evidence that these measures deter the ever-increasing and ever-expanding foreign hacking efforts that steal American secrets. On the contrary, the United States’ competitors have grown more aggressive, perhaps increasingly confident that the retaliation they once feared is not forthcoming.
The United States should assume that its secrets are harder to keep than ever before.
Disruption, the third cybersecurity strategy, has been the United States’ answer to increased aggression. General Paul Nakasone, head of United States Cyber Command, and Michael Sulmeyer, then an adviser to Nakasone and now a White House official, described this new approach in an article in Foreign Affairs last August: “We learned that we cannot afford to wait for cyberattacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks.”
In other words, the United States has sought to counter cyber-espionage by actively interfering in competitors’ operations, degrading their hacking infrastructure and limiting their ability to execute attacks. To disrupt its competitors’ campaigns, the U.S. government relies on its own prodigious hacking capabilities, bolstered by billions of dollars of investment in the National Security Agency and United States Cyber Command. According to the latter, this strategy helped protect the U.S. elections in 2018 and 2020 and has stopped a range of other malicious hacking activities. However, it is too early to say how well the strategy works overall.
Notably, all three strategies failed to stop the SolarWinds and Microsoft Exchange breaches. As these two incidents demonstrate, competition in cyberspace is both fierce and routine—two conditions that make it hard to thwart cyber-intrusions. Fierce competition pushes up adversaries’ tolerance for risk, making defense and deterrence difficult. Routine competition, meanwhile, makes it nearly impossible to disrupt all of an adversary’s operations, since they can come from anywhere at any time.
THE BEAT GOES ON
The fact that large-scale cyber-espionage will inevitably continue does not mean that the United States should abandon its efforts to make such intrusions less frequent and costly. On the contrary, the United States should upgrade both public- and private-sector cyberdefenses, in particular by increasing centralization of IT infrastructure, replacing outdated systems, and recruiting more talented cybersecurity professionals. Meanwhile, Washington should bolster its deterrence by retaliating against perpetrators in ways that instill more fear in U.S. adversaries. The new sanctions against Russia are a step in the right direction, but the United States might also consider interfering in the systems that authoritarian countries use to surveil their own populations. Such measures would impose meaningful costs on offending governments without unduly risking escalation. And finally, where possible, the United States should continue to disrupt adversaries’ cyber-espionage operations.
But even an improved triad of defense, deterrence, and disruption will sometimes fall short. The United States must therefore shift its thinking about cyber-espionage from a problem to be solved to a condition to be forever managed. Some combination of the whack-a-mole approach of counterterrorism and the all-of-government scope of cold war military competition will likely be required. But so will humility. Although the United States is a leading cyberpower, it can expect adversaries to outsmart it from time to time.
Practically, this means the United States should assume that its secrets are harder to keep than ever before. While many sensitive corporate and government documents no doubt remain secure, too many do not. Even some of the United States’ most powerful and most secret hacking tools have ended up online as a result of a 2016 breach, known as the Shadow Brokers case, that remains shrouded in mystery. Foreign governments and criminals have since repurposed them.
While the United States will of course continue to have classified programs, policymakers should consider being more careful about which technologies, including cyber-capabilities, they invent and deploy. Jason Matheny, who previously directed the Intelligence Advanced Research Projects Activity and is now a White House official, has devised a series of questions to guide policymakers’ thinking in this area, including “If the technology is leaked, stolen, or copied, would we regret having developed it?” Questions such as this one are essential in a world in which cyber-competition is as fierce and routine as it is today.
Despite its history of major breaches, the United States remains an able competitor in the arena of cyber-espionage. Its agencies and military units benefit from ample investment and extraordinary amounts of talent. With such capabilities, the United States can and should do better to defend, deter, and disrupt the intrusive hacking efforts of other nations, pushing back on their increasingly aggressive behavior. But sooner or later—and probably sooner—the familiar story will play out once again: foreign intruders will compromise important U.S. computer networks, exposing government and corporate secrets and prompting an investigation. Calls for a response will follow, despite the lack of good options, as will calls for a strategic shift that enables greater cyber-competitiveness—even though such a shift is destined to sometimes fail. And so the drumbeat of cyber-espionage will continue, beating ever faster as it does.