For the second time in four months, the vulnerability of the US digital ecosystem has been brutally laid bare. In December, a sweeping espionage operation, allegedly by Russian hackers, was found to have used software from SolarWinds to infiltrate US government bodies and corporations. Now, hackers have exploited vulnerabilities in Microsoft Exchange email servers to penetrate a similar range of targets including, the White House says, US think-tanks and defence industrial groups. Microsoft has blamed a Chinese state-backed group. Once again the US, and its allies, are grappling for a response.
Two of the biggest digital security breaches the US has suffered constitute a wake-up call and an embarrassment. Perspective is still needed. For all its brazenness, the Russian hack was an extension, on a vast scale, of the kind of covert intelligence-gathering many countries — not least the US and its allies — have engaged in for decades. There is, as yet, no evidence the breach was used for offensive purposes.
The Chinese operation also began as a clandestine espionage campaign. But it has escalated this week into a global hacking free-for-all with tens of thousands of targets. Multiple groups, including criminal actors, took advantage of the vulnerabilities just before and after they were disclosed, before victims could patch their systems. It is unclear how and why this digital “pile-on” occurred, but it amounts to a provocative and damaging act.
Both incidents highlight, nonetheless, the vast risks of cyber attacks and sabotage in an era when everything from jet engines to elevators to fridges is becoming web-connected. The most urgent, and potentially most effective, response must be to harden the west’s digital defences. When even government systems rely on commercial software and cloud computing, all are only as secure as their weakest link.
Third-party contractors cannot be policed as government or military departments are. But the necessary legal, regulatory and financial incentives need to be put in place for suppliers to critical networks to meet the highest standards of security, with penalties for falling short. Contracts must be rigorously drawn up and enforced.
Both the Russian and Chinese hacks, moreover, were apparently launched via US-based servers, enabling them to evade defences until commercial groups raised the alarm. That is reason to review the law preventing US intelligence agencies from probing domestic systems — though this raises complex issues of privacy and civil liberties.
Governments feel a natural compulsion to “impose costs” on perpetrators of cyber assaults. Whatever their scale, retaliation against acts of espionage must be weighed against the risk of raising the costs and difficulties of western governments’ own intelligence-gathering. Against more offensive acts, economic and diplomatic tools should be the first resort. Cyber retaliation must be carefully calibrated given the dangers of an escalatory spiral. There can be a case, however, for asymmetric actions that signal a readiness to respond if red lines are crossed, and the capabilities that are available.
International initiatives have struggled to agree “rules of the game” for a cyber world where actions are covert, deniable and often carried out by proxies. Yet the potential for mutually assured digital destruction is expanding. As with nuclear arms in the cold war, public and back-channel contacts — between generals and security chiefs, diplomats and academics — are vital to debate norms and limits, and ensure all those with the capabilities understand just what is at stake.