
U.S. President Donald Trump’s reaction to the recent SolarWinds attack suggests that his administration will leave any overt political response or significant retaliation to President-elect Joe Biden’s administration. On Dec. 18 and 19, Trump posted a series of tweets in which he downplayed the threat posed by the SolarWinds hack and contradicted top security officials’ and independent experts’ assertions of Russia’s involvement in the incident. Secretary of State Mike Pompeo, Senate Select Committee on Intelligence Acting Chairman Marco Rubio and House Intelligence Committee Chairman Adam Schiff, along with scores of outside cybersecurity experts, have all indicated that Russia was behind the attack and emphasized the expansive scope of the incident.
- FireEye, the cybersecurity company that initially discovered the campaign, suggested that of the roughly 18,000 SolarWinds customers who installed the trojanized Orion update, only about 50 suffered major breaches. Of those 50, most (but not all) were located in the United States.
- That lower number is consistent with how the campaign worked: the backdoor planted in the Orion update gave the attackers a foothold on every network that installed it, but the attackers pushed follow-on tooling to only a small subset of those victims. The widely reported “kill switch” was a separate check in the malicious code that caused it to stop running when its command-and-control domain resolved to certain addresses; after FireEye and Microsoft gained control of that domain, they used the check to disable the implant on remaining victims. Companies including General Electric, Equifax and Reuters have all noted that they used SolarWinds’ Orion but were not adversely affected by the attack. Microsoft and Cisco appear to have also been targeted in either the same or parallel campaigns, but both downplayed the impact of the attacks.
- There is also evidence that around 1,700 other organizations, including Belkin, Nvidia, the Hewlett Foundation and numerous universities, ran the backdoored Orion update and beaconed to the attackers’ infrastructure, although there are no indications that they were the primary targets.
Activating only a small fraction of the compromised networks limited the scope of the breach, but it also let the attackers be more discreet, which afforded them more time to monitor the networks they did target. This “quality over quantity” approach indicates a disciplined and deliberate espionage operation by a state-backed actor. Judging by the focus on government targets so far, the campaign may have had government intelligence as its primary objective rather than private companies.
Trump’s tweets, the imminent transition of power to Biden and the fact that far fewer organizations were targeted than originally feared suggest the United States is unlikely to overtly pursue immediate and severe retaliation. Given the complexity of the attack and the fact that it was discovered in the middle of a power transition between U.S. administrations, Washington’s response will likely come after the Biden administration takes over in 2021. Officials have also noted that it could take months to investigate and determine the full extent of the attack, which may further delay any governmental response.
The lack of a significant political response from the White House in the coming weeks will likely result in a substantial, even if delayed, retaliatory effort from the Biden administration. The supply chain attack exposed U.S. vulnerabilities that will require significant network, software and hardware replacements to resolve. And even then, it remains an open question whether other systems were also compromised. At the very least, Biden will likely be pushed toward a diplomatic or sanctions response similar to U.S. responses to previous Russian cyber campaigns in the United States. Retaliation through cyber means is an additional possibility, one that Biden’s incoming Chief of Staff Ron Klain hinted at earlier this week. But such a decision early in Biden’s term would set a precedent for how his administration handles cyberattacks targeting the U.S. government in the future, so the response could be delayed until a policy has been formalized.