Paul Kolbe is entirely correct in reminding us that there is a great deal we still do not know about the SolarWinds hack. Russian official responsibility does seem probable, but it is not absolutely proven. The strongest statement that the U.S. agencies concerned have come up with is that the hack was “likely Russian in origin.”
Kolbe’s article and Erica Borghard’s response are also very valuable for their warning of the need to distinguish between cyber espionage and cyber sabotage or terrorism, as this crucial distinction has been blurred by the loose and lazy term “cyber attack,” as well as by the hysterical response to the SolarWinds hack by some U.S. politicians, with their very dangerous talk of an “act of war” (on which I have written previously here and here).
I would however like to point out in response to Borghard that Russia’s denial of responsibility is absolutely normal in espionage operations, even when these have been unquestionably revealed. In 2006, the British government denied Russian allegations of a British spying operation in Moscow using a device hidden in a fake rock, though after a few years a former British official admitted that the story was entirely true. The difference in the case of cyber operations is that (with all due allowance for freelances and double agents) conventional espionage has been the monopoly of states. On the internet, there are vastly more opportunities for independent actors, seeking personal gain or mere amusement. Most teenage hackers in the U.S. are not working for the CIA.
Kolbe is right to say that, given the nature of the hack, strengthening U.S. cyber defenses is a much better response than offense or retaliation. As in response to previous successful espionage operations against the U.S., a thorough review of practices and reforms of institutions are required. As after 9/11 (not that I wish to compare SolarWinds in any way to the criminality and the horror of that attack), a chaotic mixture of separate, overlapping and mutually antagonistic U.S. agencies must be pulled together into a coordinated and effective system.
Read the full article in Russia Matters.