War Experts Increasingly View SolarWinds Breach as Attack on US, Opening Way for Retaliation - Described as a "Digital Cuban Missile Crisis Moment"


The unprecedented hack that appears to have first hit software company SolarWinds before spreading to some of the highest levels of the U.S. government is testing the definition of what constitutes cyber espionage and what the Pentagon defines as an actual attack on the nation.

If it is determined to be an attack, experts warn it would open the way for retaliation, including in the physical realm. But defining exactly what constitutes an attack in cyberspace, even in the 21st century, remains a murky issue.

One cybersecurity expert familiar with this case argued that the SolarWinds incident was a proper attack, because the perpetrators didn't just sneak in, they broke in and covered their tracks by manipulating code.

"Accessing the system was unauthorized and illegal, changing the code with malicious intent was an attack," the expert, who asked to remain anonymous because the individual was not authorized to speak with the media, told Newsweek.

The U.S. military has two terms to define what constitutes an act of cyberwarfare against the country by an adversary.

The first is a "cyber attack," which is a "hostile act using computer or related networks or systems, and intended to disrupt and/ or destroy an adversary's critical cyber systems, assets, or functions."

The second is a "Computer Network Attack (CNA)," defined as a "category of fires employed for offensive purposes in which actions are taken through the use of computer networks to disrupt, deny, degrade, manipulate, or destroy information resident in the target information system or computer networks, or the systems/ networks themselves."

The cybersecurity expert with whom Newsweek spoke said what happened in the case of the SolarWinds breach and then the subsequent malign activities would fit both categories.

"CNA is the ability to access systems, can be considered initial access," the expert said. "Once a target is acquired then you can move laterally and continue accessing more and discovering additional vulnerabilities or pivoting. Once you modify, disrupt, deny, destroy, or exfil, then you're executing a cyber attack."

U.S. agencies have yet to use the term, referring simply to a "cyber incident."

Such an incident "is likely to cause, or is causing, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, information systems, services, or networks; and/ or threaten public health or safety, undermine public confidence, have a negative effect on the national economy, or diminish the security posture of the Nation," according to the Pentagon.

Despite the Pentagon's own networks utilizing SolarWinds, defense officials have said they found no evidence of illicit intrusions as a result of what they too referred to as a "cyber incident."

"To date, we have no evidence of compromise of the DODIN," Vice Admiral Nancy Norton, director of the Defense Information Systems Agency and commander of Joint Force Headquarters - Department of Defense Information Network (DODIN), said in a statement sent to Newsweek. "We will continue to work with the whole-of-government effort to mitigate cyber threats to the nation."

A U.S. Cyber Command spokesperson clarified the definition of what a compromise would entail.

"A network compromise is a known or suspected exposure of the DOD Network to an unauthorized person," the spokesperson said. "Our software supply chain source has experienced a cyber incident to their systems, but we have no indication that the DoD network has been compromised. We continue to assess our DoD Information Network for indicators of compromise."

Contacted by Newsweek, the Office of the Director of National Intelligence (ODNI) referred to its most recent statement alongside the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

ODNI "is helping to marshal all of the Intelligence Community's relevant resources to support this effort and share information across the United States Government," the statement read.

It said that the FBI "is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors," while also "engaging with known and suspected victims, and information gained through FBI's efforts will provide indicators to network defenders and intelligence to our government partners to enable further action."

CISA, which first issued an emergency directive on Sunday in response to the hack's detection, "is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises," according to the statement.

Though no culprit has been conclusively identified, unnamed U.S. officials speaking to major media outlets have identified Russia as the most likely suspect.

The Russian embassy in Washington has dismissed what it considered to be "unfounded attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies."

"We declare responsibly: malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the embassy said in a statement reiterated to Newsweek. "Russia does not conduct offensive operations in the cyber domain."

But as the cyber realm increasingly appears to be the battlefield not simply of tomorrow, but of today, the debate of how to respond to such invisible threats continues to play out.

Raj Shah, a cybersecurity entrepreneur who previously was a managing partner of the Pentagon's Defense Innovation Unit (DIU), calls it a "thorny question."

"You have to have a proportional response, or I think an adversary has to know you can't do that," Shah told Newsweek.

Though cyberwarfare has been around in some form or another for decades now, he said the true understanding of its capabilities and consequences was nascent.

"This is just the maturation of society's understanding of it," Shah said. "Cyber and information technology is just core to all of our lives. And it can't be treated as something aside national security. We have to be clear about what our red lines are, we have to communicate those lines, and then enforce those lines. That's how deterrence works."

The need for a red line to enforce deterrence was echoed by Jamil Jaffer, senior vice president of IronNet Cybersecurity and founder and executive director of George Mason University's National Security Institute.

"In my view, what this merits really is a very strong response of the traditional kind paired with very clear red lines on what we might do if we are held at risk, threatened, or actually subjected to an attack where information is manipulated or destroyed," Jaffer told Newsweek. "And then we have to be willing to actually execute on a response if that happens."

Jaffer, who formerly served as senior counsel to the House Intelligence Committee and chief counsel to the Senate Foreign Relations Committee, believed that execution did not necessarily have to be limited to the cyber realm, depending on what sort of damage investigations into the breach might identify.

"If we are significantly threatened or attacked in cyberspace, we should feel comfortable responding in real space," he said, "whether that's through sanctions, or something more aggressive, and that may go all the way to an actual physical attack if the underlying threat or attack justifies such a response."

But Jaffer emphasized that the U.S. is not at that point yet, and a host of options employed in prior instances of more traditional espionage remain available.

He also cautioned that the level of penetration and staying power of those behind the massive hack remain unknown, and the potential for the perpetrator to have or still be able to somehow engage in nefarious activities with some of the nation's most valued data is similarly unclear at this point.

"I'm not sure some massive offensive response would be warranted on what we know today," Jaffer told Newsweek. "But depending on how at-risk we perceive ourselves to be, you might see some argue that we need to engage in preemptive self-defense."

He added a chilling analogy.

"It's the cyber equivalent of holding a knife in your throat, potentially," Jaffer said.
 
Is World War 3 going to be the next big event for 2021? Who's attacking us and why?
Very likely Mother Russia. This piece is implicitly neocon.

Edit: author works for the ADL
 
So hack the shit out of them back. Does the US not have GeekSquad as an asset?
Who's to say they haven't already? Announcing that you're conducting cyber attacks in retaliation isn't very good optics-wise, and just leaves you open to open cyberwarfare, now that you've outright stated you're targeting X nation.

I suppose the question to be asked now is how exactly to respond to a targeted cyberattack.
 
So far, this doesn't really seem to meet either of the definitions set out above:
The first is a "cyber attack," which is a "hostile act using computer or related networks or systems, and intended to disrupt and/ or destroy an adversary's critical cyber systems, assets, or functions."

The second is a "Computer Network Attack (CNA)," defined as a "category of fires employed for offensive purposes in which actions are taken through the use of computer networks to disrupt, deny, degrade, manipulate, or destroy information resident in the target information system or computer networks, or the systems/ networks themselves."

Was any information disrupted, denied, degraded, manipulated, or destroyed, or was it just stolen? Because if it was stolen, that's just classic espionage.

A cyber attack is something more along the lines of Stuxnet, where the hack had a clear physical effect. In that case, the hack set the centrifuges to run so quickly that they tore themselves apart, destroying critical infrastructure.

Very likely Mother Russia. This piece is implicitly neocon.

Edit: author works for the ADL

Lol, that adds up.
 
The brilliance of using actors rather than governments is that it makes it hard to retaliate. As an example, you can go after terrorists but you can't go after the governments that fund them. This policy is intrinsic in United States foreign policy on interventions abroad it commits.

So frankly, I do not see that there is much the United States government could really do. The real reason you can't do much to Russia is because the EU won't allow it. They would very much like to see Moscow reduced to a pile of rubble but until they have their own energy supplies, they won't upset the applecart too much.

The problem with being a friend of a Power like Russia, China or the United States is that you can always serve the purpose of being sacrificed for a proxy war to punish an enemy.

In this case, apart from the usual suspects of Iran, I'd say the United States is going to go after the Eastern Bloc countries and flex a bit of muscle and find a few more NATO members and load them up with nukes just to get things warmed up a bit.
 
The brilliance of using actors rather than governments is that it makes it hard to retaliate. As an example, you can go after terrorists but you can't go after the governments that fund them. This policy is intrinsic in United States foreign policy on interventions abroad it commits.

So frankly, I do not see that there is much the United States government could really do. The real reason you can't do much to Russia is because the EU won't allow it. They would very much like to see Moscow reduced to a pile of rubble but until they have their own energy supplies, they won't upset the applecart too much.

The problem with being a friend of a Power like Russia, China or the United States is that you can always serve the purpose of being sacrificed for a proxy war to punish an enemy.

In this case, apart from the usual suspects of Iran, I'd say the United States is going to go after the Eastern Bloc countries and flex a bit of muscle and find a few more NATO members and load them up with nukes just to get things warmed up a bit.
So you're saying that if Turkey had oil, they wouldn't bother to join the EU either?
 
wait is this the "hack" where they left a master password in plaintext in their repository open to the whole world to see? can this even be considered a hack?
edit: can US/israeli cyber attack on uranium enriching facilities be viewed as an attack on Iran and merit a retaliation? asking for a fren
 
So you're saying that if Turkey had oil, they wouldn't bother to join the EU either?
I was only referring to the major players and generalities. Turkey is quite unique for its geographical proximity, politics, religious views and other things. I wasn't trying to present a rule of thumb so to speak.
 
Cannot tell if sarcasm, honestly.

---

OK, can someone explain to me why ADL etc have it out for Russia in particular?
We have to have a boogie man to have proxy wars with, and the only two choices are Russia and China. Unfortunately for Russia, China owns half of our politicians, including the clown getting sworn in next month. So Russia is the excuse for neos to start proxy wars by default.
 
They would very much like to see Moscow reduced to a pile of rubble but until they have their own energy supplies, they won't upset the applecart too much.
So much US foreign policy shit is just doing crap to prop up the EU and their retarded energy policies, it's ridiculous. The Germans with their energiewende crap are particularly stupid. It's like it was custom built to make them wholly dependent on Russian gas or their energy grid will blast itself apart and take most of their neighbors with them.
OK, can someone explain to me why ADL etc have it out for Russia in particular?
Russia does a lot of shit to make enemies. They are fully back on the old Soviet funding subversive groups train now that they have a few coins in their pocket.
 
So you're saying that if Turkey had oil, they wouldn't bother to join the EU either?
With Turkey, it's different. Being part of the EU sort of serves a nationalistic purpose of 'recognising' Turkey as both:

A) A prestigious and wealthy nation worthy of being accepted into the bloc, as being 'European' (This last bit is a major sticking point with some nations like France, who think the EU should be for traditionally European nations only because of cultural reasons)
and
B) Something akin to recognising Turkey's 'resurgence' (They infrequently evoke the 'great' Ottoman Empire when pandering to their voters - an example being Erdogan's propaganda spiel immediately after Christchurch terrorist attack)
 
Oh please. The Turks have always, desperately wanted to be European. It's why they declared themselves the "Sultanate of Rome" when they took over Constantinople.
 