At the beginning of April, large numbers of Russian troops began to gather along the borders of eastern Ukraine. Stretches of the troubled region have been under the control of pro-Russian separatists since 2014, the year so-called “little green men” – special Russian military operatives working without the insignia of the Russian armed forces – appeared all over Crimea, annexing the Ukrainian peninsula.
While this time Russia withdrew its troops just over a week after they arrived, the episode had sparked fears of a full-scale land war, one in which the breakaway republics in eastern Ukraine could be invaded and integrated into a “Novorossiya”, or “New Russia”.
A physical confrontation between Russia and Ukraine did not come to pass (the troop build-up could have been initiated in response to Nato exercises in the Baltic, or as a ruse to push President Biden into attending a summit with Putin). But in cyberspace, breaches of countries’ virtual “borders” by state actors – including Russia – are far more common.
Late last year, the SolarWinds attack was uncovered in the US. Microsoft president Brad Smith described this enormous operation as the “largest and most sophisticated cyberattack the world has ever seen”. Although Moscow has denied any involvement, the US and the UK governments have both been emphatic that the attack had all the hallmarks of state-sponsored “Cozy Bear” hackers, believed to work under the auspices of the Russian Foreign Intelligence Service.
Democratic Senator Dick Durbin described the hack, named after the Texan network monitoring software company through which the security breaches occurred, as “a virtual invasion” of the US. “We are dealing with new weapons of war,” said Durbin, “and the Russians continually test the limits.”
In all, 18,000 SolarWinds users are known to have been compromised, including US government agencies like the Commerce and Treasury departments, the Department of Homeland Security, and the National Nuclear Security Administration. The hack went undetected for at least nine months, leading Biden to accuse the Trump administration of “failing to prioritise cyber security”.
The full depth and breadth of this penetration into US government systems is still unknown, as are the purposes for which Russia was possibly using this hack. “We still don’t actually know what the intent was,” says Juliet Skingsley, a military legal expert, “and that’s probably one of the most unnerving aspects of SolarWinds.” Was this simple cyber espionage, a case of information harvesting through spyware? Or was this a more malicious cyberattack, designed to create glitches and disable defence systems or critical national infrastructure?
“This could take months, if not years, to completely remove the intruder’s back doors into the systems and establish whether any data has been stolen, altered, deleted or damaged in any way,” Skingsley tells Spotlight. But the combative language employed by some US officials and elected representatives has been unhelpful, she adds. “When you have people referring to this as an act of war,” says Skingsley, “or akin to an invasion, it’s just not true – it’s espionage, and in international law espionage is perfectly accepted by all states as a necessary part of statecraft.”
The US and its allies are almost certainly engaging in similar activities. In 2010, a sophisticated piece of malware technology, the so-called “Stuxnet” worm, was discovered in Iran. It had been successfully targeted at the country’s nuclear facilities, setting its enrichment capabilities back years. An incident like this qualifies as a cyberattack, as opposed to espionage, and the malware is widely believed to have been developed by US intelligence agencies.
“The Americans are annoyed [about SolarWinds] precisely because it was such a good job,” says Mark Galeotti, a Russia specialist at think tank the Royal United Services Institute. “But, to be blunt, if that’s not what the [US] National Security Agency or, indeed, [the UK’s] GCHQ are trying to do in Russia, I would be amazed. And frankly, if GCHQ isn’t doing it, I want some of my tax money back.”
In any case, the newly installed Biden administration has reacted to SolarWinds with fury, expelling ten diplomatic officials and imposing stringent new sanctions. “In some ways, Biden has to,” says Galeotti, “because it has been such a hot-button issue for the Democrats since 2016.” Trump’s surprise victory in the election of that year led to accusations of collusion with Russia. Many Democrats thought that online campaigns by anti-Hillary Clinton Russian “troll farms”, based at shadowy state-affiliated organisations, had affected the result in key states. A crackdown, then, in the wake of SolarWinds was politically expedient for the new Democratic regime.
As well as impositions on Russian individuals and companies, the sanctions attempt to limit Russian access to international credit markets by banning US companies from trading in roubles or rouble-denominated bonds, and prohibiting them from lending to Russia’s state financial institutions. In a break with the Trump era, when cyber security roles were abolished and cyber operations in the State Department were scaled back, Biden has also appointed a string of cyber security experts to senior positions in his administration.
“Biden is not actually working for Russia, unlike Trump,” Keir Giles, a Russia expert at Chatham House, tells Spotlight. “Therefore, he will be taking more of an interest in protecting the US against threats that come from Russia in particular.” He qualifies his depiction of Trump as a Kremlin stooge by conceding that his pro-Russian biases could have been “consciously remunerated or not”, but that in any case he had presided over a White House that had seen to pro-Russian strategic goals being accomplished (he cites the weakening of Transatlantic defence partnerships as an example). In a recent research paper, Assessing Russian Success and Failure, Giles referred to Trump’s period in the White House as “the greatest prize of all” for a malign state focused on “subversion of democracy”.
This view is far from universal. Galeotti is keen to stress that despite the Russians enjoying the fallout of Trumpism as a disruptive force in Western democracy, the chaotic Republican populist was no stooge – by the time Trump left office, the US was taking a harder line against Moscow than at any other period since the fall of the Soviet Union. He believes the origins of Trump’s victory lie closer to home: “It’s so much nicer to be able to feel that some sort of Machiavellian foreign power has done this, rather than thinking, and accepting, that ‘OK, my own fellow citizens have voted this way’”, he says.
Giles, for his part, is keen to stress that whatever the origins of Trump’s victory, information extraction and dissemination are key to Russia’s geopolitical thinking. For the Putin regime, he writes that “overt or covert armed force [is] only one of the many tools… for resolving foreign policy challenges” – conventional warfare is combined with cyberattacks, disinformation campaigns, fake news, cyber espionage akin to SolarWinds, and the use of irregular troops and proxies in a strategy that has come to be known as hybrid, or “non-linear”, warfare. (The term is “a misnomer” according to Giles, but it was popularised after the annexation of Crimea.)
For Russia, Giles adds, cyber in particular is “bound up in the broader concept of information warfare, which covers not only technical aspects of how you work in cyberspace, like hacking or cracking… but also activities in cognitive space”. There is, he contends, “a long-standing Russian tradition of using information far more effectively than Western nations have traditionally done”.
As Biden begins his presidency and sharpens the US’s focus on cyber security issues, it’s clear, says Galeotti, that “cyber is the big, looming security challenge”. The SolarWinds hack has demonstrated the strength of rival state actors in the field, and has provoked a strong response. “No one quite knows what to do with [the cyber threat], or quite what it looks like,” says Galeotti, “but everyone agrees that it’s there.” The Biden administration may have to learn fast.
This article originally appeared in the Spotlight supplement on cyber security.