SolarWinds Attack: Lessons for the Philippines-US alliance
The recent SolarWinds breach of U.S. government networks constitutes one of the most extensive cyberattacks ever undertaken against a national government. By coopting the update download function of SolarWinds’ Orion platform, a popular systems administration program, Russia was able to use the update function to surreptitiously install malware on computers and covertly extract data. Upwards of 18,000 customers were attacked including the widespread breach of multiple U.S. government agencies including the Departments of Homeland Security, Treasury, Commerce, and Energy. While the U.S.-Philippine alliance was not the target of the attack it will nevertheless be affected by its aftermath. More than the individual consequences, SolarWinds highlights the evolution of security affairs in the 21st century and the difficulty that existing defense structures face in adapting to new forms of international conflict. In particular, while controversy has long swirled within the U.S.-Philippine Alliance over where the Mutual Defense Treaty (MDT) applies, the far more significant question may be when does the MDT apply, and especially, what constitutes “an armed attack” in an era increasingly defined by conflicts occurring below the threshold of armed attacks?
When the MDT was drafted, the nature of an armed attack was not in doubt. Less than a decade after the end of World War II and with the Korean War still raging, the idea of an external armed attack was firmly grounded in the conventional military offensives that still shaped world affairs. However, in the decades since the 1950s, the world has steadily moved away from these traditional understandings of war and conflict. Little Green Men in Ukraine, maritime militias, and the general emergence of hybrid forms of conflict that blur the lines between soldier and civilian have allowed countries like Russia to make significant strategic gains while pushing the level of competition below the threshold of armed conflict.
Nowhere has the growth of competition below the level of armed conflict and its ability to confound traditional military pacts been more pronounced than in cyberspace. In April 2007, amid an ongoing controversy over relocating a Soviet-era war memorial, Estonia became the victim of one of the largest cyber offensives in history. A sustained Distributed Denial of Service (DDoS) attack emanating from Russia targeted Estonia and effectively forced one of the world’s most wired countries offline. As a NATO member, Estonia appealed to the alliance amid this sustained digital assault under Article V of the North Atlantic Treaty. NATO demurred. Estonia was offered assistance, but Article V was not invoked. The lack of physical violence against Estonia did not meet the Alliance’s definition of “an armed attack.” NATO has since clarified this stance and established that cyberattacks can constitute an Article V violation. However, its limp response to the attack on Estonia did not go unnoticed and spurred further Russian cyber aggression against places like Georgia, Ukraine and eventually the United States.
SolarWinds shows how the U.S.-Philippine alliance could easily fall victim to the same cycle where uncertainty over the handling of a cyberattack undermines collective security and encourages further aggression. While Russia used the SolarWinds vulnerability to steal information, it just as easily could have dispersed malware to disrupt American computer networks like it did during the 2017 NotPetya attack on Ukraine. This would have crippled large swaths of the American government and economy. What then would have been Philippine obligations under the MDT to respond to such an attack? Moreover, what would be America’s responsibilities if a similar cyberattack struck the Philippines?
To prevent such ambiguity from hamstring the alliance, it is imperative that Washington and Manila jointly affirm that a cyberattacks can constitute an armed attack under the MDT - particularly if it results in the loss of life, physical damage or significant disruptions to critical infrastructure or essential government functions. This would bring the U.S.-Philippine alliance in line with NATO’s stance and ensure that mutual security cannot be undermined by cyber aggression. Such a clarification can be made through public policy pronouncements and the formal exchange of diplomatic notes. This policy can be implemented within the bilateral relationship but can also be made jointly with other allies in the region like Japan, Australia and South Korea. Such a step will bolster a common standard for defense alliances throughout the Indo-Pacific and extend the current security framework into cyberspace.
Even this necessary step to redress the most serious forms of cyber aggression will not resolve the routine types of cyber espionage and interference that occur below the threshold of an armed attack. Yet as the U.S.-Philippine alliance has evolved to address a host of nontraditional security issues such as terrorism, piracy and natural disasters so too, can it adapt to the challenge of cybersecurity. In 2006, the Security Engagement Board (SEB) was established to facilitate defense cooperation in nontraditional areas and its mandate should now be extended to include joint cooperation on cyber defense. Specifically, as with joint counterterrorism operations, the SEB should identify specific types of cooperative cybersecurity activities such as training programs, advising and response planning that are permissible under existing defense agreements. These proactive measures will not remedy the challenges of cyber insecurity but are critical first steps for capacity building and will aid effective incident response.
From weaponized disinformation to espionage and sabotage, adversarial actors have seized upon the ambiguities of cyber conflict to undermine the security of their rivals whilst eschewing the dangers of armed conflict. For the MDT to continue to uphold the mutual security of the Philippines and the U.S., it too must adapt. By affirming the MDT’s continued relevance in the digital domain and proactively developing the cooperative practices needed to support our common cybersecurity, it is possible to ensure the continued vitality of the U.S.-Philippine alliance amid an evolving security environment.
Gregory H. Winger is an Assistant Professor of Political Science and Fellow at the Center for Cyber Strategy and Policy at the University of Cincinnati. He is also a Fellow with the National Asia Research Program and former Fulbright Scholar to the Philippines.