Blurred Lines: SolarWinds and the Private Sector in National Cyber Security
The evolving nature of technology and the advent of the Internet have challenged traditional modes of national security in the 21st century, forcing states to question their capacity to defend their intangible national borders in cyberspace. National security has traditionally been associated with the state’s core aspects of military and political power, tied to its interest in safeguarding its citizens from external threats and attacks upon its economy and institutions.
Between March and December of 2020, a cyber espionage attack was allegedly launched by Russia against the US. A national network management system called Orion was compromised by surveillance software installed through a supply chain hack. Orion is owned by a company called SolarWinds and was used by the White House, various branches of the US military, the US State Department, as well as numerous private institutions - including universities and transnational corporations based in the US and internationally.
The breach in network security occurred when government employees were prompted by Orion to unwittingly download software updates that contained surveillance software planted by hackers. Although the then-US Secretary of State, Mike Pompeo, publicly blamed Russia for the hacks against the US, the SolarWinds cyber-attack has exposed the US’ prevailing vulnerability to unorthodox methods of state-sanctioned espionage in cyberspace.
What is SolarWinds?
SolarWinds is a private US software company founded in 1999 that assists businesses in managing their IT infrastructure. Consequently, the ability of the Russian Intelligence Service (SVR) to conduct a sustained cyber-espionage attack against SolarWinds’ networks and access sensitive government communications has highlighted the increasingly blurred lines around who is ultimately responsible for national security in cyberspace. The infiltration of SolarWinds demonstrates the increasing overreliance of states upon the private sector to provide secure network services for the day-to-day operation of critical government functions and services and, by extension, to uphold national security in cyberspace.
Despite the implications of COVID-19 and growing domestic unrest, the US remains one of the most politically and economically powerful states in the world. Regardless, the SolarWinds infiltration demonstrates how overreliance upon the private sector for network infrastructure and cyber security makes the US vulnerable to attacks. The fact that the attack was not discovered by the US government but by FireEye - another company using the same software, which noticed it had been hacked - emphasises the shocking inability of government agencies to manage national cyber security requirements, and highlights an absurd degree of unfettered dependence upon private cyber security companies.
Persisting Cyber Vulnerabilities
The question must be asked: why has the US not precluded this vulnerability by internalising its cyber networks and security? The answer in its simplest form is that this is not possible, and the reason is twofold. Firstly, the US government alone cannot access the same level of data as private corporations, including social media giants such as Google and Facebook. Data and information sharing is essential to maintaining cyber security, as it assists in monitoring potential threats and preventing security breaches in cyberspace. Secondly, the US government is unable to develop and innovate at the same rate as the private sector, and is reliant on private sector technologies to safeguard national IT networks and infrastructure.
The US government, like many governments around the world, is not in a position to offer the same financial reward the private sector can for similar skills. The global skills shortage in the technology sector was noted in the US 2018 National Cyber Strategy, which emphasised the need to sponsor education programs in the cyber security industry. The fast-paced innovation and technological development within the industry also significantly impacts the ability of the US to internalise cyber security. Combined with the skills shortage, this means the US government does not possess the capacity to keep up with developments in cyberspace without maintaining close links with the private sector.
The seriousness of the US government’s reliance on the private sector is highly visible when measured against major cyber threats from states such as China. The Chinese Communist Party (CCP) maintains complete economic control of, and access to developments made within, the Chinese technological sector. The US, by comparison, operates according to free-market and liberal principles, and this limited state control prevents the low-cost absorption of developments in cyber infrastructure and security. Additionally, China’s ability to ban social media platforms such as Facebook, despite the Chinese state-endorsed platform ‘WeChat’ operating freely abroad, demonstrates clear differences in the ability of both states to monitor information and control civil society. This raises questions over whether Washington and other Western liberal democracies should take further steps to mirror China’s tightly coupled relationship between the government and tech companies through contracts with private sector technology companies, despite the associated vulnerabilities that the SolarWinds attack has exposed.
Notably, in April 2014 the US Senate passed a bill that incentivised the private sector to share its cyber security data. This revealed how national cyber security is inherently dependent upon the maintenance of open relations with the private sector. Other states that pose persistent cyber threats to the US and its allies include Russia, Iran and North Korea - all of which are characterised by highly centralised governments and minimal domestic accountability for their actions in cyberspace, providing them with a greater degree of control and manoeuvrability than the US.
Whilst reliance on the private sector remains a clear necessity for national security purposes, the SolarWinds attack should serve as a wake-up call for policymakers concerning how an overreliance on private companies can impact national cyber resilience. Indeed, US national security is only as strong as its weakest link. It is clear that Washington must place more emphasis upon ensuring that private sector partners are able and willing to provide the level of online safety and protection the US government promises its citizens.
Bronte Munro is a Master's student of Security and Strategic Studies at The University of Macquarie. She has a Bachelor of International and Global Studies with majors in International Business and European Studies from The University of Sydney. Bronte has interests in cyber security and was awarded the US Consul General Policy Report Award for analysis of the impact of COVID-19 on US cyber policy. Other interests include US and Russian foreign policy and Timor Leste - Australian relations.