In its long-anticipated public response to the SolarWinds Orion incident, the Biden administration attributed the hacking campaign to Russia’s Foreign Intelligence Service (SVR), issued a new Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation, and imposed sanctions on “companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services.” The administration took other actions related to Russia’s occupation of Crimea and election interference as well, but I’ll focus here on the SolarWinds-specific actions and especially on what they portend for the development of international law and norms on state behavior in cyberspace. In a January 5 statement, the FBI, CISA, ODNI, and the NSA characterized the SolarWinds incident as “an intelligence gathering effort” by “an Advanced Persistent Threat (APT) actor, likely Russian in origin.” Both before and after this statement, questions arose about whether the United States would respond to an intrusion that was “just espionage.” In a February 17 press briefing, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger seemed to say that it was not “just espionage”; rather, she said, “when there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage; it’s fundamentally of concern for the ability for this to become disruptive.” But the question remained, if the United States wanted to condemn the SolarWinds incident, what line could it draw that wouldn’t open the United States up to charges of hypocrisy?
Kristen Eichensehr, SolarWinds: Accountability, Attribution, and Advancing the Ball, Just Security (April 16, 2021).
UVA Law Faculty Affiliations