The SolarWinds and Microsoft Exchange hacks highlight serious problems with cybersecurity in the United States. The hacks also expose geopolitical and ideological challenges for US approaches to cybersecurity and cyberspace. These challenges, combined with the failure of past policies, require the US to reorient its cyber strategy toward democracy protection.
Once again, foreign cyber espionage has US policymakers scrambling. In late 2020, the United States acknowledged that Russia hacked SolarWinds, Inc., a software vendor, and compromised government and corporate networks. In early 2021, news broke that China exploited software bugs in Microsoft Exchange and accessed US public and private systems. These incidents renewed policy and legal debates about countering cyber espionage. What’s more, the hacks exposed even bigger cyber problems for the United States created by the geopolitical and ideological challenges that Russia and China present. The US response to these hacks requires a reorientation of cyber strategy towards protecting democracy in cyberspace.
The SolarWinds and Microsoft Hacks

In the SolarWinds hack, Russia inserted malware into software updates and gained potential access to around 18,000 government and company networks using the software. Russia then conducted targeted espionage against federal government agencies and companies, but did not exploit the vast majority of compromised networks. In the Microsoft hack, China exploited vulnerabilities unknown to Microsoft in software on Exchange email servers to engage in espionage on a limited number of targets. As Microsoft moved to fix the vulnerabilities, China installed malware on thousands of unpatched servers to create “backdoors” exploitable after patching was completed. Applying the patch closes the vulnerability but does not remove malware already installed through it, so a server patched after the backdoor was planted remains accessible to the attacker.
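The distinction above, between “the vulnerability is closed” and “nobody got in before it was closed,” is the check a defender needs after an incident like the Exchange one. The script below is an added illustration, not code from the original article or from Microsoft or SolarWinds: it builds a baseline of file hashes from a known-good install, then flags files that were added or changed, and treats unexpected script-type files as web-shell candidates. The sample web root, the backdoor file and the “patched” binary are constructed inside a temporary directory for the demo, and the set of script suffixes treated as web-shell-capable is an assumption. One caveat the SolarWinds case makes obvious: a baseline taken from a trojanized update inherits the malware, so the baseline must come from an install you have independent reason to trust.

```python
"""Integrity check illustrating that a patch does not remove a backdoor
planted before the patch.  Added example; paths, file contents and the
script-suffix list are constructed assumptions, not indicators from the
real incidents."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types a web shell would typically be written as.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its hash.
    This must be taken from an install that is trusted independently of
    the vendor's update channel."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_suspect_files(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every file that is absent from the
    baseline or whose hash differs from it.  Unknown script-type files are
    labelled 'unexpected-script' because that is what a dropped web shell
    looks like; a changed known file is labelled 'modified' (which a
    legitimate patch also produces, so those need a second look, not alarm)."""
    findings: list[tuple[str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            reason = "unexpected-script" if p.suffix.lower() in SCRIPT_SUFFIXES else "unexpected-file"
            findings.append((rel, reason))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "modified"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a clean web root, plant a backdoor,
    apply a 'patch' that replaces the vulnerable binary, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "server.dll").write_bytes(b"vulnerable build v1")
        (root / "index.html").write_text("<html>ok</html>")
        baseline = build_baseline(root)

        # Attacker drops a web shell while the server is still vulnerable (constructed content).
        (root / "shell.aspx").write_text("<% /* constructed backdoor placeholder */ %>")
        # Vendor patch lands afterwards and replaces only the vulnerable binary.
        (root / "bin" / "server.dll").write_bytes(b"fixed build v2")

        return find_suspect_files(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:18} {rel}")
```

Running it reports the replaced binary as `modified` (expected after a patch) and `shell.aspx` as `unexpected-script`: the patch did its job and the backdoor is still there. In practice the baseline would be stored off-host and signed, and the comparison run against the live server rather than a temporary directory.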
These hacks rang depressingly familiar cybersecurity alarm bells. The US government again failed to detect foreign cyber operations. The hacks exposed weaknesses in public and private cyber defenses and problems with information sharing between the government and companies. US sanctions and criminal indictments imposed after previous acts of cyber espionage had not deterred Russia and China from spying on the United States.
In response to the incidents, US officials, corporate officers, and cybersecurity experts argued that both hacks were disproportionate and indiscriminate. Anne Neuberger, US deputy national security advisor, asserted that the scale of the SolarWinds hack meant that it constituted more than espionage. Russia manipulated the software-update process to compromise thousands of networks, undermining confidence in supply chains. Brad Smith, president of Microsoft, urged the United States to declare that “indiscriminate and disproportionate supply chain attacks . . . are out of bounds for state actors.” Cybersecurity experts called China’s rush to install malware on unpatched servers a “reckless and dangerous tactic” that weakened cybersecurity for thousands of networks and a “pillage everything” approach showing no regard for consequences.
The Hacks, International Law, and Cyber Norms

Accusations that the hacks were disproportionate and indiscriminate imply that they violated international law or were illegitimate under non-binding cyber norms. Most international lawyers recognize that international law does not prohibit espionage but does regulate the means and methods states use to gather intelligence. Thus, the principles of sovereignty and non-intervention and the prohibition on the use of force apply to how states conduct espionage.
Even so, espionage proves challenging for international legal analysis. States shroud intelligence operations in secrecy and resist clarifying how they apply international law to espionage. Despite its concerns, the US government has not, to date, argued that the SolarWinds and Microsoft hacks breached international law. Michael Schmitt, perhaps the world’s leading international lawyer on cyber operations, concluded that the SolarWinds hack did not violate international law on sovereignty, non-intervention, or the use of force. China’s exploitation of software vulnerabilities to spy on specific targets similarly did not infringe these rules.
The “reckless” insertion of backdoor malware also does not obviously violate international law. This action was not a use of force or an intervention into any state’s domestic affairs, and—based on what is known—it has not caused the type and scale of damage that would clearly violate sovereignty. China or another country could exploit the malware in other cyber operations that violate international law on sovereignty, non-intervention, or the use of force; but, so far, no evidence of such operations exists. Non-state actors, such as cybercriminals, might use the backdoor, but China would not be responsible under international law for such acts unless it instructed or directed them.
UN efforts on cyber norms have not specifically addressed espionage. The UN’s Open-Ended Working Group (OEWG) reaffirmed that states should ensure supply-chain integrity and prevent proliferation of malicious tools and harmful hidden functions. However, the OEWG noted that norms do not prohibit or restrict actions that comply with international law. The “reckless” part of the Microsoft incident implicates the norm protecting critical infrastructure to the extent that embedding the backdoors intentionally damaged or otherwise impaired such infrastructure—of which, at present, there is no evidence. No UN-consensus norm directly addresses a state’s insertion of backdoors into thousands of networks not operating critical infrastructure.
Thus, claims that the SolarWinds and Microsoft hacks were illegal or illegitimate prove difficult to make under existing international law and cyber norms. Given government and corporate consternation about the hacks, this outcome raises the question of whether the regulation of cyber espionage should be strengthened. In discussing how international law applies in cyberspace, the UN’s Group of Governmental Experts (GGE) described proportionality and distinction as “established international legal principles.” These principles are closely associated with international law on the use of force and armed conflict, but the GGE presented them as general principles. As a result, these principles could inform new international law or norms requiring means and methods of cyber espionage to be proportionate and discriminate.
Cybersecurity’s Geopolitical Dilemma

Improving cybersecurity through a new international regulation of cyber espionage will be difficult in the current environment. As President Biden’s Interim Strategic National Security Guidance observed, the distribution of power in the world has changed, increasing Chinese and Russian threats to the United States. This geopolitical transformation escalates great-power competition and expands the need for forward-leaning espionage. In this cauldron of power politics, the United States, China, and Russia have no shared interests in stronger regulation of espionage. Indeed, after the OEWG’s negotiations ended, the US government repeated its opposition to new international legal obligations concerning cyberspace.
In addition, as the Cold War demonstrated, geopolitical rivals weave espionage and other competitive, coercive, and hostile activities into a form of conflict short-of-war. The return of the balance of power over the past decade coincided with the proliferation of malicious cyber operations below the use of force—a cyber conflict—in which, as James Lewis argued, China and Russia seek “to damage the United States and restructure the global order to better serve their own interests.” In cyber conflict, cyber espionage is about more than gathering intelligence—it is a multipurpose weapon that plays a growing role in the strategic geopolitical struggle.
The Ideological Crisis of Cyber Conflict

Geopolitics are not the only problem that efforts to improve cybersecurity confront. President Biden’s interim guidance recognized that digital authoritarianism is spreading while “democracies across the globe, including our own, are increasingly under siege.” This ideological transformation signals that authoritarian countries have outflanked “internet freedom”—long the cyberspace policy lodestar for democracies—by strengthening cyber sovereignty, pursuing technological autocracy, exporting digital authoritarianism, and waging cyber conflict to weaken democratic nations. The interests and values that governments and companies in democracies believe software security and supply-chain integrity support, such as an open and global internet, are not important in Beijing and Moscow. In another echo of the Cold War, cyber conflict increasingly reflects that the ideological ends justify the cyber means.
Towards Democracy Protection in Cyberspace

The SolarWinds and Microsoft hacks expose persistent problems with US cyber policies, including defense and deterrence failures against cyber espionage. These incidents also highlight challenges with international law and cyber norms, the geopolitical weaponization of espionage, and the ideological crisis that cyber conflict represents for democracies. The implications of the hacks suggest that the United States should reorient its cyber policies towards democracy protection.
At the level of grand strategy, US officials and experts are grappling with the need to shift from democracy promotion in foreign policy to democracy protection across domestic and foreign policies. The Biden administration’s emphasis on renewing democracy at home and abroad, including the proposed Summit for Democracy, taps into this thinking. In cyber terms, this change means shifting from promoting internet freedom to protecting democratic cyberspace against the technological, geopolitical, and ideological threats that cyber conflict with authoritarian adversaries creates.
To protect democracy in cyberspace, democracies must cooperate more effectively than they did as authoritarian states challenged internet freedom, as suggested in the proposal for “uniting techno-democracies” in a mechanism to “coordinate a unified response to a chief threat to global order.” Such collaboration should develop common positions on managing cyber conflict, including how democracies apply proportionality and discrimination as principles in their defensive and offensive activities in this conflict.
Domestically, democracies should rethink the relationship between cybersecurity and democracy as part of democracy renewal efforts. The promotion of internet freedom abroad proved blind to cyber threats to democracy at home, which produced the scramble in recent years to protect election infrastructure. As the SolarWinds and Microsoft hacks show, protecting democracy in cyberspace requires actions beyond election cybersecurity, especially strengthening public and private cyber defenses against the range of threats that cyber conflict presents.
The track record of the United States and other democracies in answering cybersecurity “wake up calls” is not good. Responses to the SolarWinds and Microsoft hacks must occur in a context where protecting democracy has become imperative—and perhaps this sobering convergence can make all the difference.
. . .
David P. Fidler is an adjunct senior fellow for cybersecurity at the Council on Foreign Relations.