The Biden administration took an unusual and aggressive step last week when it formally blamed Russia’s Foreign Intelligence Service for the SolarWinds cyberattack and imposed new Russian sanctions. Given the bold nature of the breach, coupled with Moscow’s interference in last year’s presidential election, the White House issued an order to expel 10 Russian diplomats, placed new restrictions on Russia’s sovereign debt and imposed new sanctions on a handful of Russian IT security firms for helping enable both that attack and other malicious cyber activities over the years.
The new measures, part of an Executive Order signed by President Joe Biden, impose sanctions on 32 entities and individuals, from Russian intelligence officials to companies that assist in the Russian government’s hacking operations.
“Treasury will target Russian leaders, officials, intelligence services and their proxies that attempt to interfere in the U.S. electoral process or subvert U.S. democracy,” said U.S. Treasury Secretary Janet Yellen in response to the new measures. “This is the start of a new U.S. campaign against Russian malign behavior.”
Uncovered in December 2020 and carried out by a state-sponsored actor, the SolarWinds attack compromised the systems of more than 250 federal agencies and businesses. This breach was unusual in that it was a supply chain attack, meaning the hackers infiltrated one private company, network security firm SolarWinds, in order to gain access to hundreds of others that used its software.
The Russian sanctions were not entirely unprecedented, as the U.S. has put economic sanctions on Russia, Iran and North Korea in the past. Following the cyberattacks on the 2018 Winter Olympics, the U.S. Department of Justice charged Russian agents with allegedly trying to attack the Olympics, as well as causing the 2017 disruption of French elections and the release of the hugely destructive NotPetya malware, which caused more than $1 billion in damages worldwide.
What makes this situation different, according to Wayne Dorris, a Certified Information Systems Security Professional (CISSP) and business development manager for cybersecurity with Axis Communications, is that sanctions are typically tied to human rights or ethical violations. These new Russian sanctions are based purely on the role the government played in nation-state cyberattacks, particularly against the U.S.
So what does this mean for U.S. cybersecurity operations moving forward?
“Though simply naming a nation-state attacker may not seem like a big deal, it really is,” said Sam May, CISSP and senior compliance advisor with cybersecurity firm Steel Root. “For one thing, it forces the U.S. to demonstrate what our intelligence-gathering capabilities are, something intelligence agencies always loathe. Second, it forces the broader government to take action by highlighting that a foreign power attacked critical domestic infrastructure. It would be easier to shrug off a cyberattack by unknown attackers; it becomes much more difficult for elected officials to sit back when the attackers are named and evidence of the attack is made public.
“Since there isn’t an internationally agreed-upon response to the use of cyberattacks by nations against nations, every time such an attack is directly attributed to an attacking nation and an action is taken, we get closer to defining what is a reasonable and proportionate response to such an attack.”
Of course, it takes time to determine if economic sanctions are having any impact. If the sanctions do have an effect, it will likely lead to more companies being named, according to Dorris. The ultimate goal is to limit the cash flow from these technology companies to known bad actors. But because these hackers are mostly funded through their cyberattacks – such as ransomware or being hired by entities that oppose U.S. interests – the true impact on cash flow will likely be minimal.
“The secondary aspect of this is to stifle the role of technological advances these companies share with the bad actors,” Dorris said. “For example, the use of quantum computing, quantum cryptography, artificial intelligence (AI), machine learning (ML), deep learning (DL) advancements being weaponized by these actors and then attacking U.S. infrastructure.”
In the short term, Dorris said, the likely impact is that there will be more Russian nation-state attacks on U.S. companies and critical infrastructure, so manufacturers need to be prepared.
“Manufacturers that produce devices and solutions into this space have to step up and improve the core cybersecurity baseline on products as much as possible,” he said. “Understand that the device you manufacture is a small part of the larger cybersecurity ecosystem and how can you improve information sharing or integrations into other systems that monitor the state of device health.”
In response to ongoing nation-state attacks, May expects there will be a much greater domestic emphasis on supply chain security and due diligence by not only the U.S. government, but also by industry. The Department of Defense (DOD) is already rolling out the Cybersecurity Maturity Model Certification (CMMC) to attempt to standardize cybersecurity best practices in the defense industrial base, but the government likely won’t stop there.
“For years, members of the defense industrial base have been allowed to self-attest to being secure against cyberattack, which is basically like a professor asking the students to grade their own assignments,” May said. “Nobody in their right mind would give themselves an F even if it were obviously warranted. This is a primary motivator for the DOD to roll out CMMC as quickly as possible and why, given attacks like SolarWinds, it is ineluctable that self-attestations will go away for all government contractors, not just the DOD, and programs like CMMC will become applicable to all government contracts.”
Since the Biden administration took over in January, it has made clear that cybersecurity and securing federal and critical infrastructure are going to be major priorities. This shift comes in the wake of several high-profile cyberattacks, such as the one at the Oldsmar water treatment facility in Florida, where hackers attempted to raise the level of lye in the water by a factor of more than 100. While that attack was relatively unsophisticated and quickly defused, it shone a bright light on the kind of havoc a motivated bad actor can wreak on U.S. critical infrastructure.
When announcing the Russian sanctions, the White House said they would respond to the SolarWinds attack and other threats in both “seen and unseen ways.” Though it’s impossible to know exactly what that is going to entail, it could mean some sort of cyber reprisal or an escalation of the ongoing cyber war. The long-term goal is to create more stable and predictable relations with Russia, but these moves also help define what future U.S. reactions to cyberattacks might look like.
“What this comes down to is, from a cyberattack [perspective], what is really an ‘act of war’?” asked Dorris. “The U.S. hasn’t really defined what constitutes a cyber Pearl Harbor or 9/11. I mean, if the SolarWinds breach or the NotPetya attack in 2017 aren’t going to get it done, I’m not sure what they are waiting to have happen.”