
A poster showing six Russian intelligence officers charged with carrying out global cyberattacks is displayed before a news conference at the U.S. Department of Justice on Oct. 19, 2020, in Washington D.C.
The recent SolarWinds hack will prompt U.S. President-elect Joe Biden to increase Washington’s cyber resources and, potentially, its offensive capabilities in order to better deter against future cyberattacks by Russia, as well as other state actors. This intensified focus on state-backed cyber threats will likely include more U.S. investments into cyber defense over the next four years. The Biden White House will also continue to deploy sanctions against assailant countries, though such sanctions will likely be narrow in scope for fear of stoking aggressive retaliatory measures against U.S. entities and causing significant economic damage to countries like Russia and China that are essential to the global economy.
U.S. Adversaries Take Their Fight Online
The SolarWinds breach has exposed the United States’ vulnerability to large-scale supply chain hacks. The suspected Russia-linked attack also highlights the escalation of state-sponsored cyber activities against U.S. interests. Top security officials and independent experts alike have indicated that Russia was involved in the attack, which used “trojanized” updates to SolarWinds’ Orion IT monitoring and management software that were posted on the company’s website. Once uploaded, the trojanized update would run code creating a backdoor into the compromised systems that hackers could then exploit for credential theft and other malicious activities.
- The hackers also took multiple steps to remain hidden, such as removing the backdoors once they had established legitimate remote access to servers.
- In its initial study of the breach, Microsoft noted that the use of a digitally signed file suggested the hackers likely had entry to early builds of the software, as well as access to SolarWinds' software development and/or distribution process.
- This approach illustrates how a state actor, such as Russia, can leverage comprehensive technical expertise, along with intelligence collection and operation resources, to gain sustained access to systems employing compromised software.
Like Russia, China, North Korea and Iran are all investing heavily in ramping up their cyber activity and capabilities. China also remains very active in cyber industrial espionage, as evidenced by the increase in cyber activity targeting COVID-19 vaccine research and the U.S. Department of Justice (DOJ)’s July indictment of two Chinese officials over that activity. Iranian-backed cyber activity showcased a leap in capabilities and intent this year as well, when it conducted an attack targeting Israeli water infrastructure. Iran has been trying to target industrial control systems for years, but the 2020 hack was the first publicly known successful attack linked to Iran that affected industrial control systems.
Biden’s Response to State-Backed Threats
The magnitude of the SolarWinds attack and President Donald Trump’s reticence to assign responsibility to Russia will probably prompt Biden to act swiftly upon taking office. In the wake of the SolarWinds hack, Trump posted a series of tweets between Dec. 18-19 in which he downplayed the threat posed by the attack, as well as Russia’s involvement. The Biden administration, however, will likely at least sanction Russian entities and individuals involved in planning and carrying out the attack, if they can be identified and linked to it. Under Biden, the DOJ will also likely press legal charges against those involved. A retaliatory U.S. cyberattack against Russia could be reviewed as an additional option to signal a firm resolve against such activities. Such actions alone would not necessarily set a new precedent, as Trump has also signed off on several rounds of sanctions and retaliatory attacks in response to Russian cyberattacks during his term. But Biden will be more aggressive in publicly blaming Russia for such attacks, as well as swifter in his response.
- Under Trump, the U.S. Treasury Department has sanctioned more than 30 Russian entities and individuals involved in Russian cyber activity, interference in the 2016 election, the 2017 NotPetya attack and the global deployment of the Triton malware.
- The New York Times reported in 2019 that the Trump administration had stepped up cyber activity against the Russian power grid.
- On Dec. 17, Biden said there would be “financial repercussions” on “individuals as well as entities” involved in the SolarWinds attack. On Dec. 20, his incoming chief of staff Ron Klain said that the U.S. response would not involve “just sanctions.”
Biden will likely review federal institutional capacity in search of ways to increase its defensive cyber capabilities, as well as inter-agency coordination. Biden will probably reverse decisions made by his predecessor’s administration, which included removing the cybersecurity coordinating position on the National Security Council. The original 2021 National Defense Authorization Act — which was vetoed by Trump on Dec. 23 — creates a Senate-confirmed position for coordinating U.S. cybersecurity policy. It is not clear whether Biden will consider any of the more aggressive and controversial proposals for reforms following the SolarWinds attack, which include splitting the United States Cyber Command from the National Security Agency.
The Biden administration will probably funnel additional budget resources toward cyber programs, while also seeking to increase private-public coordination and detection. Budget requests are likely to have bipartisan funding support in the wake of the SolarWinds attack. Such support has already increased following concern over Russian interference in the 2016 election, resulting in actions such as the 2018 creation of the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security. Biden is likely to push for more bipartisan legislation to boost CISA funding, strengthen its independent status and possibly its statutory role. Bipartisan efforts will likely also be able to overcome gridlock in Congress that will otherwise limit most of Biden’s legislative agenda.
Washington will also likely review offensive cyber operations and an aggressive cyber strategy to build deterrence. But substantial reform surrounding the way that the U.S. treats cybersecurity akin to that in the wake of 9/11 is unlikely. While the SolarWinds attack has been a wake-up call for the need to boost cyber defenses, it does not appear, at least now, to have had enough of an impact to necessitate such reforms. Biden will probably walk back some of the cyber freedoms Trump gave the U.S. military and intelligence community, but stop short of reverting to the cumbersome policy review process overseen by former U.S. President Barack Obama.
The Biden administration will continue to use targeted sanctions and DOJ investigations as a diplomatic response tool. The U.S. Congress and previous presidents have a long-standing history of using travel bans, diplomatic expulsions, asset freezes and other forms of sanctions against Russian, Iranian, North Korean and Chinese hackers carrying out cyberattacks against the United States. Such targets typically include fronts being used to carry out attacks, as well as individuals and specific government agencies behind attacks. The Biden administration will likely continue such practices, starting first with a response to the SolarWinds attack.
Limits to Deterring and Mitigating Cyberattacks
The rapid evolution of cyber capabilities, along with Washington’s reluctance to accept collateral economic and political damage associated with stringent sanctions, will limit Biden’s policy options for eroding cyber threats. Many of the individuals and entities involved in carrying out attacks have limited assets in the United States and the West, making the impact of financial sanctions relatively small. In order to cause significant economic harm, U.S. sanctions would thus need to target the assailant country’s broader economy, like those the Trump administration has imposed against Iran’s oil exports. These sanctions, however, are typically only reserved for what the United States views as rogue states: Iran, Venezuela, Cuba and North Korea. Imposing such sweeping sanctions against China — the United States’ largest trading partner — would have catastrophic repercussions for the U.S. economy. And imposing such sanctions against Russia would have similarly severe political repercussions for U.S. foreign policy, given Moscow’s place as a permanent member of the U.N. Security Council.
- For Iran and North Korea, there are few significant areas of economic activity that the United States hasn’t already sanctioned. Further sanctions on both countries would thus have a limited impact on their respective cyber strategies.
Offensive cyber strategies also have yet to prove successful in actually deterring state-backed cyberattacks like the SolarWinds hack, which have only increased in scope, sophistication and frequency in recent years. The United States and other Western countries have been increasing their offensive cyber operations over the last five years. But this has yet to result in any noticeable decrease in cyber activities by their adversaries. It is possible that deterrence through offensive operations, or the displayed threat of them, has been more effective in dissuading attacks against critical infrastructure and sensitive military targets like nuclear command and control. But it appears financially damaging attacks, as well as intrusive attacks targeting information theft, remain undeterred by the threats and retaliatory actions Western governments have so far deployed.
- Beyond deterrence through cyber operations, other U.S. policy frameworks have only reinforced other states’ willingness to launch attacks against the United States. For China, in particular, Washington’s overall economic strategy of cutting off its access to U.S. technology has augmented Beijing’s need to carry out cyberattacks related to industrial espionage.
- The United States is also more constrained in the types of cyber activity that it is willing to take due to legal norms at home and potential domestic blowback if such activity provokes a more significant response by Russia or China. This reduces the United States’ risk tolerance in any attacks that could be aimed at boosting deterrence.
The growth of digitized industries in the world’s largest economies also increases the number of potential targets and vulnerabilities that state-backed hackers can exploit. Hardening certain infrastructure against cyberattacks will raise the cost of successfully penetrating it, but only certain systems can be hardened significantly. And most of the United States’ economically important potential targets, such as those related to internet services and technology, are also some of the most connected to cyberspace. New technologies on the horizon, such as the use of artificial intelligence to more swiftly and effectively penetrate systems, will provide yet more opportunities for state-backed hackers to exploit as well.
The New Normal of Constant Cyberattacks
The failure to deter or prevent future state-sponsored cyber threats will drive up the costs of mitigating and dealing with attacks, which is likely to increase global pressure for multilateral consensus to address such activity. The inability to deter state-backed cyberattacks will also increase Russia’s and China’s efforts to use such strategies to access intelligence and, increasingly, conduct industrial espionage. Trade secret theft through cyber means will, in turn, become a growing threat, particularly from China. Critical infrastructure and other strategic networks will also see significant intrusions, although it is unlikely that the most capable cyber actors (Russia and China) will attempt to inflict physical damage on such infrastructure.
- According to a report released in November by cybercrime researcher Cybersecurity Ventures, the annual cost to the global economy of all cybercrime (including state-backed cyber activity) will grow 15 percent annually over the next five years, totaling $10.5 trillion by 2025.
The growing prevalence of cyberattacks, as well as the increase in the number of countries capable of conducting them, will continue to drive the United States, Russia, Europe and China to establish norms governing the global cyber domain. Such cyber norms could limit escalation risks by more clearly delineating the different kinds of cyber activity and what qualifies as an appropriate response to each. Previous efforts to negotiate global cybersecurity standards, however, have failed to gain backing from the United States, Russia, Europe and China – the four biggest economies and cyber actors. The scope of current U.N.-led talks on cyber threats is not conducive to a deal as it includes aspects of cyberspace governance well beyond cyberattacks. But narrower talks may be possible in the future as attacks continue to mount. The prospect of an arms control-type treaty or pact around cyber activity, meanwhile, will continue to gain momentum outside Russia, China and the United States as well. But negotiations regarding such a treaty are unlikely unless a significant and economically damaging cyber attack occurs.