The SolarWinds Wake-Up Call

December 16th 2020 - 13:00

The SolarWinds hack shows precisely why we can't rely on a treaty to govern state behavior in cyberspace. Rather, governments must cooperate to uphold existing norms, argue Michael Chertoff, Latha Reddy & Alexander Klimburg in an article for Project Syndicate.

The recently discovered SolarWinds hack holds obvious lessons for governments around the world, particularly after a year in which cyber attacks on critical infrastructure have surged. International action is urgently needed, not to write new treaties or codes of conduct, but to enforce existing norms.

WASHINGTON, DC – The recent discovery of the devastating Sunburst hacking campaign against US and global targets is once again challenging the international community to respond to an increase in cyber attacks. Over the past year, cybersecurity personnel worldwide have faced a surge of hacks against critical infrastructure, including institutions fighting the COVID-19 pandemic. While governments have openly condemned some of this behavior, more collective action is clearly needed.

There is no international treaty for cyber matters, and the 11 non-binding norms of responsible state cyber behavior endorsed by the United Nations General Assembly are somewhat ambiguous. Additional norms are being put forward all the time, which is a good thing. But norms are not treaties and should not be treated that way. The better option is to concentrate on the spirit – not just the letter – of what the norms convey. Indeed, the latest hacking revelation shows precisely why an international cybersecurity treaty would likely fail.

SolarWinds, a leading US network-management company, produces a monitoring platform that grants IT support staff remote access to devices that have it installed. The recent supply-chain attack hijacked the software’s update function to install the so-called Sunburst malware. As the tech publication The Register reports, SolarWinds is deployed in more than 425 US Fortune 500 corporations, all major US telecoms companies, and most branches of the US government (with a similar presence in many other developed economies). And the cybersecurity company FireEye, whose reported breach early last week was instrumental in uncovering the campaign, said that institutions worldwide may have been compromised, even if the US government was the likely focus.

The US government itself suspects Russian intelligence actors of perpetrating the attack, and the cybersecurity expert Jeff Moss has argued that unmasking the campaign could even prompt the attackers to take further action.

Read the full article on Project Syndicate.

Dr. Alexander Klimburg is Director of the Global Commission on the Stability of Cyberspace Initiative and Secretariat and Director of the Cyber Policy and Resilience Program at The Hague Centre for Strategic Studies. Dr. Klimburg is an Affiliate at the Berkman Klein Center for Internet & Society at Harvard University, a nonresident senior fellow with the Atlantic Council, and an associate fellow at the Austrian Institute of European and Security Policy. He is a former associate and former research fellow of the Harvard Kennedy School’s Belfer Center.