Relations with Russia: “Post-SolarWinds” & the Biden Administration

Portions excerpted from the CSPC Report, “Geotech in the Early Biden Administration.”

Moscow Kremlin (Photo Credit A. Savin Wikimedia Commons)

While previous Geotech reports have covered China in greater detail than Russia, the current cybersecurity challenge posed by Russia — revealed by the recent SolarWinds hack — is a key Geotech concern for the Biden administration. Beyond the cybersecurity implications, SolarWinds demonstrates that software and coding supply chains, not just physical supply chains, are vulnerable. It also is a manifestation of how Russia approaches Geotech, as well as the ramifications for the U.S. and allied policymakers. The monograph that follows focuses almost exclusively on the SolarWinds incident, its fallout, and the Biden administration’s policies thus far in response to Russia and the hack. It does not go into depth on Ukraine or Belarus, though these are both pressing issues which the administration will have to deal with, and which will affect the White House’s policy towards Moscow. The uncertainty over the situation in Ukraine, should it escalate, will undoubtedly affect the administration’s calculus. It is too early and there are too many variables to provide any clarity at the time of this paper’s writing, and it warrants detailed assessment to do justice to the complex and evolving situation. Joshua Huminski, Director of the CSPC Mike Rogers Center for Intelligence and Global Affairs, provides the in-depth analysis that follows:

The Biden Administration & Russia

After four years of what could best be described as a curious public policy towards Russia under the Trump administration, it appears that the newly elected Biden administration aims for a “return to normal” in style. What the substance is in practice is unclear.

Thus far, the White House has indicated an intention to focus on China and Russia as the top priorities and continue a shift begun under the Obama administration away from the Middle East. President Biden indicated as much, warning, “the days of the United States rolling over in the face of Russia’s aggressive actions — interfering with our election, cyber-attacks, poisoning its citizens — are over.” He added, “We will not hesitate to raise the cost on Russia and defend our vital interests and our people.” At the same time, President Biden expressed a measured approach toward Moscow, saying:

The Biden administration has been clear that the United States desires a relationship with Russia that is stable and predictable. We do not think that we need to continue on a negative trajectory. However, we have also been clear — publicly and privately — that we will defend our national interests and impose costs for Russian Government actions that seek to harm us.

The first 100 days of the Biden administration have forced it to confront Russian policy issues — perhaps earlier than expected or desired — not the least of which was a significant buildup of forces along Ukraine’s border and Crimea, uncertainty regarding the future of Belarus, the deteriorating health of dissident Alexei Navalny (currently in a Russian prison), and the release of an additional set of wide-ranging sanctions in response to electoral interference and the SolarWinds hack.

What this “return to normal” means in practice very much remains to be seen, even with the recent action. For one, it should be noted that on the ground, the Trump administration’s policies towards Russia were considerably more aggressive than those of the Obama presidency, and went well beyond what the public or Congress appreciated at the time. The imposition of sanctions and the delivery of offensive weapons to Ukraine are two areas in which the Trump administration went beyond its predecessor, in contrast with the public narrative of an administration kowtowing to Moscow.

As for the Biden administration, President Biden’s appointees thus far are believers in multilateralism and engagement, both of which could bode well for the future of U.S.-Russia relations. In the case of the former, President Trump’s antagonism of NATO allies undermined a key tool in confronting Russia, playing into Moscow’s hands. In the case of the latter, smart engagement is critical; isolating and refusing to talk are not strategies. Even during the Cold War, the United States engaged with the Soviet Union while competing globally with Moscow. An early win for the Biden administration was, certainly, the extension of the New START agreement.

In a recent call between President Putin and President Biden, it was suggested that the two meet in a third country, even after President Biden’s comments that he believed his Russian counterpart was “a killer”. The recent sanctions may have jeopardized this development, but President Putin is expected to speak, virtually, at a climate change conference hosted by the United States.

There are, however, risks in both. NATO partners such as Germany have their own interests and relationships with Moscow, particularly on energy, which could and have been exploited by Moscow in the past. Engagement must not be an end in and of itself — as Winston Churchill said, “Meeting jaw to jaw is better than war”, but without a coherent arsenal of carrots and sticks, negotiations and engagement will be little more than a diplomatic salon session.

The Russian Geo-Technological Challenge

The ultimate threat Russia presents in terms of Geotech is not that it offers a competing model for governance as China does. While it is true that Russia has a form of authoritarian capitalism, perhaps better described as a kleptocracy more than anything else, it is not in the business of exporting that model as Beijing seeks to do. True, Putin is motivated by a set of “orthodox, illiberal, antidemocratic, anti-Western” ideas, in the words of former Ambassador Michael McFaul, and he has both gravitated towards and drawn in supporters of this worldview, but it is less a model for governance or geo-technology than an ideological motivation.

Russia does not aim to define a new international order so much as it seeks to reclaim its great power status and undermine the western liberal order led by or embodied by the United States. The more it can split Washington from its European allies, sow discord within the American democratic republic, and pursue its own interests in Europe and further afield, the better.

Moreover, international adventurism serves two concurrent purposes for President Putin and the Kremlin. First, there is the obvious direct benefit to Russia’s national security and foreign policy. A weakened and divided West is less of a threat to Russia’s interests than a unified, coordinated NATO or European Union. Propping up Bashar al-Assad in Syria ensures that Moscow maintains its Mediterranean port at Tartus, allows Moscow to raise the temperature and drive refugees into southern Europe, and provides a proving and training ground for Russia’s military that it otherwise would not enjoy. Addressing the Munich Security Conference, President Biden rightly said:

Putin seeks to weaken the European project and our NATO Alliance. He wants to undermine the transatlantic unity and our resolve, because it’s so much easier for the Kremlin to bully and threaten individual states than it is to negotiate with a strong and closely united transatlantic community.

Second, foreign adventurism provides the Kremlin with a means to mobilize domestic support and undermine domestic opposition. By acting aggressively internationally, it provides President Putin and the Kremlin a reason for its domestic behavior and continuation of the regime. Whereas the original social contract between Putin and the Russian public was based upon improvements in living conditions, a growing economy, and certainly — but to a lesser degree — external threats, the current contract is all but wholly reliant on some foreign adventurism. Again, speaking virtually to the Munich Security Conference, President Biden said as much,

The Kremlin attacks our democracies and weaponizes corruption to try to undermine our system of governance. Russian leaders want people to think that our system is more corrupt or as corrupt as theirs.

Real wages are declining as a result of Covid, investment in domestic infrastructure has not yet materialized or provided the expected benefits, and the population is increasingly unhappy with the Putin regime. This was very much on display with the protests following the arrest and imprisonment of Alexei Navalny, the opposition figure poisoned with Novichok by the regime. The protests were ultimately less about Navalny and more about overall dissatisfaction with the state of affairs, the economy, and the Putin government. Yet, President Putin still enjoys a high degree of support.

Hacking, Disruption, and Geotech

Given the aforementioned interests and societal conditions, cyber warfare and cyber conflict represent, perhaps, the greatest tool for Moscow — comparably cheap (when set against conventional and nuclear forces), deniable (to a degree), and hugely impactful. The structure of Russia’s security services also encourages competition and infighting, which all but guarantees that each service is working to one-up the other, achieve a bigger and better breach, or demonstrate some success to appease Putin and undermine the Main Enemy (the United States and the West).

The last five years alone are replete with examples of Russia’s hacking efforts in terms of preparation of the battlefield, intelligence collection, misinformation and disinformation, and more. From the hack of the Democratic National Committee emails to the Internet Research Agency’s information operations against the United States (the success of which is debatable) to attempts to influence the UK’s 2019 general election to cyber-attacks against Georgia to the successful hack of Ukraine’s power grid, Russia has demonstrated a propensity and talent for cyber operations, one that was vividly on display with the SolarWinds breach.

The Lexicon of a Cyber Incident

It is important to recognize that the SolarWinds breach was not an attack per se. Rather, it was an intelligence-gathering effort, and a spectacularly successful one at that. Getting the lexicon correct is important if one is to understand what happened, why it matters, and what it means going forward. To confuse the incident with an act of “cyber warfare”, as some have suggested, is to imply that the attack crossed some as-of-yet undefined threshold and therefore necessitates some form of kinetic or destructive attack.

Could SolarWinds have led to a destructive attack? Based on available evidence it is certainly possible. Had the hackers wished to do so they could have left behind (and indeed may well have) destructive malware that could destroy data, change information, or attack key services. That they did not is likely indicative of the nature of the breach — intelligence collection versus destructive attack. Why did they not do so? For one, it was certainly restraint on the part of the hacker and the nature of the mission itself. Equally too, however, the ability of the United States to retaliate offered a measure of deterrence, encouraging the adversary to restrain their own behavior.

What would a destructive attack have looked like? For one, the Russians could have easily destroyed data, changed information in key databases, deleted emails, and generally sowed chaos within the networks of the federal government. At a time when the government is responding to a global pandemic, the immediate confusion would have been immeasurably damaging and the long-term remediation would have consumed vast amounts of time and resources. Simply locking down the federal government’s networks in a ransomware attack, given how deeply they burrowed, would have effectively paralyzed the federal government, leading to immeasurable second and third-order effects. And that is still short of an actually destructive attack, such as the one launched against Saudi Aramco by Iran.

Commenting on the SolarWinds breach, Anne Neuberger, the Deputy National Security Adviser said:

When there is a compromise of this scope and scale, both across government and across the U.S. technology sector… It’s more than a single incident of espionage. It’s fundamentally of concern for the ability for this to become disruptive.

At its core, this was a supply chain penetration that leveraged third-party service suppliers as opposed to a brute force penetration. Here, it is also important to note that SolarWinds was not the only vehicle for the breach. The Russians also compromised the email security firm, Mimecast, and a Microsoft corporate partner that provided cloud-management service for multiple firms.

In the end, the Russians achieved significant success, collecting information and data for nearly a year before being detected and exposed. The investigation and remediation of this breach will take a considerable amount of time. Nearly three months on, the federal government is still unsure of just how widespread the breach was and how many users were affected.

How SolarWinds Happened

How did the Russians achieve such a spectacular intelligence success? There are three key components to this attack that are worth noting. First, the Russians piggy-backed on SolarWinds’ regular software update mechanism to get behind the security measures of the agencies and companies they targeted. Using the supply chain as a trusted vector proved to be a highly effective way to circumvent security controls: an update that arrives through the vendor’s own channel, carrying the vendor’s own signature, passes exactly the checks that are designed to stop untrusted code.

Breach Timeline — Helpnetsecurity.com

Such supply chain attacks are not a new threat. In one case, hackers attempted to make their malware appear as if it legitimately originated from Microsoft; in another, they attempted to mimic NetSarang, a company that makes server management software. The management software may well originate from a trusted vendor or supplier, but the updates pushed by that vendor can themselves be compromised, as the SolarWinds breach demonstrated.
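The following is an added illustration of that last point, not code from the CSPC report or from any vendor discussed in it. It models a release pipeline that signs whatever it builds, and shows why a vendor signature check alone cannot catch an update that was trojanized inside the vendor’s own build, whereas pinning the expected artifact hash from an independent channel (a reproducible rebuild from audited source, or a transparency log) does. The signing key, artifact contents and hashes are all constructed for the demonstration, and an HMAC stands in for the vendor’s asymmetric code-signing signature so the example needs only the Python standard library.

```python
"""Added example (not from the CSPC report): two-channel software update
verification. A compromised build pipeline signs the trojanized build with
the vendor's legitimate key, so the signature check passes; only a hash
pinned from an independent source (e.g. a reproducible rebuild) rejects it.
Keys, names and payloads are constructed for this demonstration."""
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. A real pipeline
# would use an asymmetric signature (e.g. Ed25519); HMAC keeps this example
# standard-library only. The trust model is the same: whoever controls the
# pipeline can produce a valid signature over any artifact.
VENDOR_SIGNING_KEY = b"vendor-build-pipeline-signing-key (constructed)"


def vendor_sign(artifact: bytes) -> bytes:
    """What the vendor's release pipeline does to every build it emits."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """The check most update clients perform: is this signed by the vendor?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact: bytes, signature: bytes, pinned_hash: str):
    """Accept the update only if BOTH independent checks pass.

    Returns (accepted, reason). The pinned hash must come from a channel the
    vendor's pipeline does not control, otherwise it adds nothing.
    """
    if not signature_valid(artifact, signature):
        return False, "vendor signature invalid"
    if not hmac.compare_digest(sha256_hex(artifact), pinned_hash):
        return False, "artifact hash does not match independently attested hash"
    return True, "ok"


# Constructed artifacts: the honest build, and what a compromised pipeline
# emits (the honest code plus an implant) before signing it.
CLEAN_BUILD = b"agent v1.2.3: collect metrics; report to console"
TROJANIZED_BUILD = CLEAN_BUILD + b"; beacon to operator-controlled host"

# The defender pins the hash of an independent rebuild from audited source.
PINNED_HASH = sha256_hex(CLEAN_BUILD)


def demo() -> dict:
    """Run the three scenarios a practitioner should compare."""
    results = {}
    # 1. Honest release: the pipeline signs the clean build.
    results["clean"] = verify_update(CLEAN_BUILD, vendor_sign(CLEAN_BUILD), PINNED_HASH)
    # 2. Compromised pipeline: the implanted build carries a genuine signature.
    results["trojanized_sig_only"] = signature_valid(
        TROJANIZED_BUILD, vendor_sign(TROJANIZED_BUILD))
    results["trojanized"] = verify_update(
        TROJANIZED_BUILD, vendor_sign(TROJANIZED_BUILD), PINNED_HASH)
    # 3. Tampering after signing (e.g. on a mirror): the signature check alone
    #    catches this case, which is the only case it was ever designed for.
    results["mitm"] = verify_update(TROJANIZED_BUILD, vendor_sign(CLEAN_BUILD), PINNED_HASH)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>20}: {outcome}")
```

The point to take from the output is the second scenario: `trojanized_sig_only` is `True` because the signature is genuine, and only the independently pinned hash turns the verdict to a rejection. In practice that second channel is what reproducible builds, software bills of materials and signed provenance attestations are meant to provide; without one, an update client is trusting the vendor’s pipeline, not the vendor’s code.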

Second, the breach used domestic U.S. servers, allowing the hackers not only to mask the hack’s origin but to turn U.S. legal limits on domestic surveillance to their own advantage. Whereas an attack originating from a foreign source could be detected by U.S. Cyber Command or the National Security Agency, their remit stops at the water’s edge, and the problem becomes a Department of Homeland Security challenge. Given the size, scope, breadth, and depth of the attack surface, ensuring constant protection, even of the .gov domains, from within the United States proved to be too significant a challenge. Homeland Security invested billions of dollars into “Einstein”, a cybersecurity surveillance tool for government networks, which the Russians simply bypassed. Einstein monitors traffic at agency network boundaries and relies heavily on known indicators and signatures, so malicious code that arrives through a legitimate, signed update and then talks to previously unseen infrastructure inside the United States gives it little to match against.

Finally, once onto the networks, the Russians waited, first to see if their penetration had been detected, but then, and more importantly, to learn what cybersecurity protections and protocols existed. With this data, Moscow was able to devise follow-on measures, crafting bespoke software and exploits to ensure that they would be able to reside on the servers, hoovering up as much data and information as possible without being exposed.

The Cyber Exploit Ecosystem & Supply Chain Attacks

This breach, a spectacular success from Moscow’s point of view, undoubtedly provided them with massive amounts of emails, documents, and other U.S. government information and data, with which Moscow would be better equipped to understand Washington’s intentions and policies. More important than the documents themselves are the user credentials and passwords harvested along the way. With those, Moscow would be able to access additional systems, spreading its reach and repeating the cycle. While it does not appear that the Russians were able to penetrate classified or secured networks, the damage done is nonetheless significant.

The mechanism and process by which the SolarWinds breach occurred are unlikely to stay in the proverbial box. Given the previous attempts at mimicking trusted vendors and supply chain attacks, and the success of the SolarWinds breach, this type of hack is likely to be replicated by other actors — Russian or otherwise. Indeed, this was the case with ransomware and other malware that may have started at the nation-state level but spread to criminal enterprises and vice-versa. The ecosystem of zero-days, malware, and breaches is constantly evolving and where success is found, it is quickly replicated by other actors.

Supply chain attacks are not restricted to just regular update mechanisms and it is here that the positive effects of globalization are proving to be vulnerable. Given the decrease in economic barriers to entry and the resulting increase in global competitiveness, software and coding can be done from virtually anywhere with an Internet connection. While this may prove to be a boon for the bottom-line of any company, it concomitantly increases the risk that a nation-state or criminal enterprise could penetrate the software supply chain. With sub-contracting and outsourcing, the true provenance of any code becomes increasingly difficult to guarantee.

Moreover, given the linkages and connections between varying software systems and often unforeseen interactions, just because one system is fully vetted does not mean it could not be corrupted or co-opted by another. This was graphically illustrated by the 2013 Target breach, in which hackers got into the company’s payment system using network access granted to an HVAC subcontractor. In that incident alone, nearly 110 million customers’ credit card and personal data records were stolen, resulting in an $18.5 million settlement with 47 states and the District of Columbia (the incident cost Target at least $202 million in legal fees and other costs). The practical lesson is that a third party’s access has to be scoped to what that third party actually needs: a vendor’s credential for a billing or maintenance portal should never be a path into the card-processing environment.

The U.S. Response to SolarWinds & Election Interference

On Thursday, 15 April 2021, the White House announced a new wide-ranging set of sanctions against Russia, targeting 38 entities, individuals, and companies for election interference and recent cyber hacks (32 for election interference and six for supporting the cyber activities of Russian intelligence). Ten intelligence officers operating under diplomatic cover were also expelled. The United States formally alleged that Russian foreign intelligence, the SVR, was responsible for the SolarWinds hack, stating that it had “high confidence in its assessment of attribution.” The White House also rolled back its confidence level about the alleged Russian bounty program, rumors of which circulated last year, with a senior official saying there was low-to-moderate confidence because it was partly based on information from detainees.

The sanctions also targeted a Pakistani company, Second Eye Solutions, and its owners, which the United States alleges helped the Internet Research Agency (IRA) conceal its identity. Along with the European Union, United Kingdom, Canada, and Australia, the U.S. also sanctioned five individuals and three entities associated with the occupation of Crimea.

Russian debt was also targeted, with the Department of the Treasury prohibiting U.S. financial institutions from buying any government bonds issued by the Russian Central Bank, the Russian National Wealth Fund, and the Ministry of Finance after 14 June. Long seen as a “nuclear option”, this is the first time that sanctions have directly targeted ruble-denominated Russian sovereign debt (a 2019 measure had already barred U.S. banks from primary purchases of non-ruble Russian sovereign bonds). The efficacy of this measure will be limited as it only pertains to U.S. institutions; European and other countries’ financial institutions are unaffected and will still be able to buy this debt.

The ban does not affect secondary markets — only those directly purchased from the Russian government. This measure is certainly a shot across the bow and the White House retains the ability to expand these sanctions. According to the White House, “This directive provides authority for the U.S. government to expand sovereign debt sanctions on Russia as appropriate.”

A statement from Secretary of State Blinken also expressed concern for the health of dissident figure, Alexei Navalny, who is currently in prison outside Moscow for parole violations. According to Secretary Blinken:

In addition, together with partners and allies, on March 2 the U.S. responded to Russia’s attempt to poison Aleksey Navalny using a chemical weapon and his subsequent arrest and imprisonment. We remain concerned about Navalny’s health and treatment in prison, and call for his unconditional release.

What is perhaps most impressive about this suite of sanctions is the comprehensive nature and cross-departmental coordination of the effort, including international partners, and the level of detail in identifying and attributing Russian intelligence operations, something that has often been alluded to and inferred but rarely stated directly and in detail in public.

These sanctions and actions appear to be indicative of a Biden administration that seeks to find a fine balance in dealing with Russia. On the one hand, in a recent call between President Biden and President Putin, there appeared to be an agreement on a bilateral summit in a third country, and it is clear from the language that the administration would prefer to avoid a continued deterioration in relations. Only a few months ago an extension to New START was reached, so there are areas of potential cooperation.

On the other hand, the White House is trying to strike, at least publicly, a more assertive posture toward Moscow than that of President Biden’s predecessor, President Trump. Here, of course, the administration is imposing costs for Russia’s behavior, such as election interference and the SolarWinds hack. These actions are not mutually exclusive. The administration is looking to appear, in the words of Gordon Corera of the BBC, “resolute but proportionate.” This sentiment was expressed by a senior official who said, “We’re not looking for escalation. We’re providing a proportionate and tailored response.”

For his part, President Biden said as much in a speech shortly after the sanctions were announced:

I was clear with President Putin that we could have gone further, but I chose not to do so. I chose to be proportionate. The United States is not looking to kick off a cycle of escalation and conflict with Russia. We want a stable, predictable relationship. If Russia continues to interfere with our democracy, I’m prepared to take further actions to respond. It is my responsibility as President of the United States to do so.

Yet, the sanctions and expulsions are unlikely to affect Russian behavior, something the White House acknowledges. Jonathan Finer, principal deputy national security adviser, said, “Our view is that no single action that we will take or could take in and of itself could directly alter Russia’s malign behavior.” He added, “But this is going to be a process that is going to take place over time, and it will involve a mix of significant pressure and finding ways to work together.”

While there have been suggestions that the sanctions will disrupt Russian activities, such as those of the Prigozhin-related operations, and deter future actions, the reality is that previous rounds of sanctions and expulsions have neither disrupted nor deterred Moscow’s ability or intention to act. While the targeting of Russia’s national debt is interesting, it did not really result in significant financial disruption and, unless it is more wide-ranging such as the Iran sanctions (a significant escalation), it is unlikely to have a significant effect.

In reality, sanctions are a measure to show displeasure at actions or to threaten to dissuade potential actions. With regard to Russia, they are more of the former than the latter. The continued imposition of sanctions has become almost background noise for the Russian elite, a cost of doing business. Sanctions and indictments, naming and shaming, all have done very little to change Moscow’s behavior and nothing suggests that they will do so now.

Nord Stream Pipelines

If the administration wanted to go further, it absolutely could have and will retain the ability to do so. Targeting oligarchs and their second and third-order connections would severely affect Putin’s inner circle and likely have immediate effects. Perhaps most significantly, the new nuclear option could be the president sanctioning companies doing business with the Nord Stream 2 pipeline — something mandated by Congress but which the administration has thus far refrained from doing. In his speech following the sanctions, President Biden demurred on sanctioning the pipeline, saying:

Nord Stream 2 is a complicated issue affecting our allies in Europe. I’ve been opposed to Nord Stream 2 for a long time from the beginning even when I was out of office and even before office, before I left office as vice president. But that’s still an issue that is in play.

Sanctions alone are a necessary, but not sufficient, policy tool. What is needed is a comprehensive policy towards Russia and this is not yet forthcoming. What sanctions offramps are there? What incentives can Washington and the West offer to bring Putin to the table or change his behavior? Thus far there have only been sticks and few carrots. A bilateral in a third country is less an incentive and more something that occurs in the course of normal business. If anything, the potential for real action rests much more in Putin’s hands with the mobilization of forces near Ukraine’s border and Crimea. While the likelihood remains low that those activities are a prelude to an invasion, it is still a possibility.


Written by Center for the Study of the Presidency & Congress

CSPC is a 501(c)3, non-partisan organization that seeks to apply lessons of history and leadership to today's challenges
