Cyber Norms: An International Response to the SolarWinds Hacking
A hacking campaign that breached U.S. government agencies’ and corporations’ networks came to light in December 2020[1] and has been called “one of the biggest failures of American intelligence since Pearl Harbor”[2] and the September 11 terrorist attacks.[3] The hackers, allegedly the SVR, a main Russian intelligence agency, exploited SolarWinds Orion, a network management product from the U.S. software company SolarWinds, as early as fall 2019.[4] The product was used by “tens of thousands of corporations and government agencies.”[5] So far, more than 18,000 organizations, mostly located in the U.S., have been affected,[6] including the Treasury Department, the Energy Department, and parts of the Pentagon.[7] The total scope of the hacking is still unclear and recovery can take as long as 18 months.[8]
A critical question, and one that Senator Marco Rubio has brought up in a Senate Select Committee on Intelligence hearing, is, “What does the U.S. government need to do to respond to this operation?”[9] This question is particularly important because sanctions and indictments have not worked in deterring the SVR,[10] and hacks that allow for unauthorized information collection can often lead to the destruction of that information as well.[11]
The types of responses the U.S. could employ depend on the characterization of the hack. Characterizations are difficult because cyberspace operations lack universally agreed-upon definitions.[12] This lack of uniformity, plus the proximity between the act of gathering unauthorized information and the act of disrupting or degrading that information, has led many to refer to the former process as “cyber warfare” or “cyber attacks.”[13] The gravity of cyber attacks has made some government officials hesitant to use the verbiage for the SolarWinds hack.[14] In certain circumstances, such attacks allow states to use force against the “responsible state” as an exercise of their right to self-defense.[15] However, all of the conditions that must be met for a use-of-force response, even when the response is merely immobilizing the aggressive computer system,[16] indicate that force is likely not a practical option.
Instead, a potential area of focus could be the establishment of international norms in cyber operations. Experts testifying at the Senate Select Committee on Intelligence hearing on the SolarWinds hack focused on public and private sector collaboration, as well as a federal breach disclosure program, within the U.S.[17] However, international cyber norms would also be helpful here, considering the hacking was allegedly conducted by the Russian government. Norms, or “shared expectations of appropriate behavior,” can somewhat constrain the behavior of international actors.[18] We have seen this happen with norms pertaining to nuclear, chemical, and biological weapons.[19] Some cyber norms have begun to emerge and deliberate efforts for their creation are ongoing, with the UN and NATO acting as two of the main intergovernmental bodies seeking to establish cyber norms.[20]
With regard to the SolarWinds hack, some cyber norms that would have been helpful to have in place are a norm against indiscriminate hacking and a norm that limits targets of cyber espionage to “explicitly military targets or objectives.”[21] The Biden administration described the SolarWinds hack, which affected many governmental agencies and corporations, as indiscriminate in order to differentiate it from the U.S.’s own cyber espionage activities.[22] This characterization would be especially powerful with a norm against indiscriminate hacking. Some may argue that indiscriminate cyber attacks are already prohibited by the Law of Armed Conflict,[23] which has a distinction requirement. However, the international community has not agreed that the Law of Armed Conflict applies to any cyber activities,[24] especially those activities that merely access unauthorized information, rather than destroying that information. These disagreements further complicate the norm creation process.
Despite these challenges, efforts towards cyber norm establishment must continue, as cyber capabilities continue to play an important role in state conflicts and military planning.[25] There has been much discussion about using technology to improve the cyber security of U.S. governmental agencies and private organizations. While this is an extremely important effort, it is not hard to imagine that vulnerabilities will continue to exist and that they will be exploited by state and non-state actors. Thus, it is also important to establish shared expectations of cyber behavior around the world.
Aleksandra Ryshina is a staff member of Fordham International Law Journal Volume XLIV.
This is a student blog post and in no way represents the views of the Fordham International Law Journal.
—
[1] See Patrick Howell O'Neill, Recovering from the SolarWinds Hack Could Take 18 Months, MIT Tech. Rev. (Mar. 2, 2021), https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/.
[2] David E. Sanger, After Russian Cyberattack, Looking for Answers and Debating Retaliation, N.Y. Times (Feb. 23, 2021), https://www.nytimes.com/2021/02/23/us/politics/solarwinds-hack-senate-intelligence-russia.html.
[3] See id.
[4] See O’Neill, supra note 1; see also Sanger, supra note 2.
[5] O’Neill, supra note 1.
[6] See Sanger, supra note 2.
[7] See David E. Singer et al., As Understanding of Russian Hacking Grows, So Does Alarm, N.Y. Times (Jan. 5, 2021), https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html.
[8] See O’Neill, supra note 1.
[9] Hearing on the Hack of U.S. Networks by a Foreign Adversary Before the S. Select Comm. on Intel., 117th Cong. (2021) [hereinafter Hearing] (statement of Sen. Marco Rubio, Vice Chairman, S. Select Comm. on Intel.), https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary.
[10] See Singer et al., supra note 7 (“Sanctions, indictments and other measures, he added, have failed to deter the S.V.R., which has shown it can adapt quickly.”); see also Ellen Nakashima, Biden Administration Preparing to Sanction Russia for SolarWinds Hacks and the Poisoning of an Opposition Leader, Wash. Post (Feb. 23, 2021), https://www.washingtonpost.com/national-security/biden-russia-sanctions-solarwinds-hacks/2021/02/23/b77039d6-71fa-11eb-85fa-e0ccb3660358_story.html (“I’m hard-pressed to find a single act that we’ve sanctioned Russia for that’s actually changed its behavior.”). Sanctions have also been used in response to North Korea’s attack on Sony Pictures Entertainment and attacks by Iran on American banks and a dam in New York. See id.
[11] See Brian M. Mazanec, The Evolution of Cyber War: International Norms for Emerging-Technology Weapons, app. at 221 (2015).
[12] See id.
[13] Id. Others use “cyber warfare” or “cyber attacks” to categorize only cyber activities that actually damage information, computer networks, or physical persons or property. See id.
[14] See Hearing, supra note 9 (statement of Sen. Marco Rubio, Vice Chairman, S. Select Comm. on Intel.).
[15] See David E. Graham, Cyber Threats and the Law of War, 4 J. Nat’l Sec. L. & Pol’y 87, 92 (2010).
[16] See id.
[17] See, e.g., Hearing, supra note 9 (statement of Kevin Mandia, CEO, FireEye, Inc.).
[18] Mazanec, supra note 11, at 1.
[19] See id. at 1-2.
[20] See id. at 165.
[21] Id. at 163.
[22] See Nakashima, supra note 10.
[23] See Mazanec, supra note 11, at 162.
[24] See id. at 167 (“NATO, led by the United States, has approached cyber warfare from a perspective that seeks to apply the existing Law of Armed Conflict to cyber attacks rather than pursue more comprehensive and new restrictions like those proposed by Russia in the UN.”).
[25] See id. at 176 (stating that over thirty countries have begun incorporating “cyber warfare capabilities” into their military plans).