Responding to Solar Winds: A talk with KnowBe4’s Rosa Smothers

The Biden administration faces an exquisite dilemma over the SolarWinds attack. As with most nation state cyberattacks on the United States government, it is impossible to prove who did it. US intelligence agencies appear certain that it was the work of Russian hackers, who likely carried out the attack with the knowledge and blessing, if not the direct instruction of Russian intelligence services. For sure, an attack of this sophistication and duration was no casual hacking effort done for laughs. It has to have been a work of serious state-sponsored sabotage.

The question, yet again, is what to do about it? As Politico and other outlets have noted, Biden faces few good options. The US is more vulnerable to digital disruption than Russia, so an overreaction invites an escalation in Russian cyberattacks that could destabilize the country. This could be disastrous. Other retaliatory options like “hacking back” risk revealing the USA’s (theoretically) secret knowledge of Russian networks and vulnerabilities—shutting off these avenues of espionage forever. So, what should be done?

A discussion of retaliation should begin with a different question, however, which is why Russia felt it could carry off such a massive, brazen attack in the first place? That would be a good starting point for today’s response and future deterrence. For insights into this issue, I turned to Rosa Smothers, a former CIA analyst and technical intelligence officer who now serves SVP of cyber operations at KnowBe4.

Rosa Smothers, SVP of cyber operations at KnowBe4

As Smothers explained, Putin was emboldened to permit such an audacious operation because he was minimally concerned about retribution by the previous administration. In her experience, as she put it, “The global scale of this intrusion lacked subtlety to say the least. When conducting espionage, the idea is to not make international headlines.” According to Smothers, the Biden administration requested an intelligence review of several alleged Russian actions early on. These included the SolarWinds hack and the targeting of American soldiers in Afghanistan. Based on that assessment, the administration can take advantage of an array of public and classified capabilities.

The past provides some examples of what may be in the works. For instance, in December 2016, in response to Russia’s meddling in US elections, President Obama issued an Executive Order that expelled 35 Russian diplomats and shuttered two Russian government-owned properties. Obama also sanctioned nine entities and individuals: the GRU and the FSB, four individual officers of the GRU and three companies that provided material support to the GRU’s cyber operations.

Biden may follow a similar path in responding to SolarWinds. The Treasury Department can designate additional companies and individual operatives associated with support to Putin’s government. The US can work with its allies to freeze Russian government and Putin’s oligarch’s assets.

As Smother’s suggests, “It is important that we take a global approach, because oligarchs’ billions are not limited to the United States. For instance, Oleg Deripaska was sanctioned by the Treasury Department, but maintains an ostentatious presence in London. And, there is so much Russian oligarch money in the Miami area that it is often referred to as the ‘Russian Riviera.’ The international community needs to hit them where it truly hurts—their bank accounts.”

She added, “The Intelligence Community (IC) provides several Concept of Operations, or ‘conops’ from which our leadership can select based upon the risk/gain analysis. Since the discovery of the SolarWinds operation, there has likely been a debate within the IC about how we should respond. I have been at the table when some DoD elements advocate for a very public cyberattack, while CIA and FBI recommend a more collection-oriented response.”

In her view, cyber operations against Russia’s networks should be targeted and focused to provide intelligence for US policy makers or as a means to deny, degrade and disrupt Russian capabilities. She warned, however, “Unless there is an immediate, kinetic threat to our national security, there should be no expectation of a headline-grabbing hack, but rather a methodical, ongoing operation. We do not want to disclose our network access or current tools and capabilities — the undetected cyber operation is the most effective.”