Skip to main content

Sign up for our newsletter.

Quality journalism. Progressive values. Direct to your inbox.

The National Security Agency (NSA) logo is shown on a computer screen inside the Threat Operations Center at the NSA in Fort Meade. U.S. President George W. Bush visited the ultra-secret National Security Agency on Wednesday to underscore the importance of his controversial order authorizing domestic surveillance without warrants. (Photo: Brooks Kraft LLC/Corbis via Getty Images)

The National Security Agency (NSA) logo is shown on a computer screen inside the Threat Operations Center at the NSA in Fort Meade. U.S. President George W. Bush visited the ultra-secret National Security Agency on Wednesday to underscore the importance of his controversial order authorizing domestic surveillance without warrants. (Photo: Brooks Kraft LLC/Corbis via Getty Images)

SolarWinds Is Not the 'Hack of the Century.' It’s Blowback for the NSA's Longtime Dominance of Cyberspace

Breathless coverage of the SolarWinds hack functions to manufacture consent for NSA's internet hegemony and to divert us from considering alternative models of security.

Jesselyn RadackWilliam Neuheisel

Last month, the private security firm FireEye discovered a widespread breach of government and corporate computer networks through a so-called "supply chain" exploit of the network management firm SolarWinds, conducted by nation-state-level hackers, widely thought to be Russia. Most coverage of the breach featured ominous headlines and quotes from current and former government officials describing it as the biggest hack of modern times. Occasionally, buried in one of the closing paragraphs, there was an official quoted admitting that, so far, only "business networks" were known to be compromised—sensitive but unclassified email systems and data on job descriptions and HR functions.

"Like our nuclear policy before it, the stated goal is deterrence, but the actual goal is to create a cover for unchecked aggression and dominance."

These stories lack context of the true state of cyber espionage over the last few decades. The SolarWinds hack is certainly a large and very damaging breach, but one could almost pick at random any five or ten of the hundreds of codename programs revealed in the Snowden documents that would top it. The mother of all supply chain attacks (that we know of publicly) may have been the clandestine American role behind CryptoAG—which allowed the NSA to sell scores of foreign governments broken cryptographic systems through which it was possible to crack the encryption on their top-level government and military communications for decades. And of course the first, and one of the only, actual cyberattacks in history was the Stuxnet program conducted by Israeli and American services against Iranian nuclear centrifuges.

Yet the American public may be left with the impression that Russian hacking poses a uniquely aggressive and destabilizing threat to the international order, and therefore must be punished. News coverage has been leadened with apoplectic quotes from senior officials and lawmakers that the breach represents "virtually a declaration of war," that we need to "get the ball out of their hands and go on offense," that "we must reserve our right to unilateral self-defense," and even that "all elements of national power must be placed on the table" (All elements? Tanks? Nuclear weapons?). This kind of hyperbolic reaction cannot be driven by sincere shock at the idea of a government hacking into and spying on another government’s networks. More plausibly, it is driven by outrage at the idea of any other nation challenging the United States' overwhelming dominance to date in network espionage.

The Pentagon has so far responded to the breach by proposing a rearrangement of the organizational chart for our cyber army. And if history is any guide, Congress will respond as they have to past intelligence failures: by throwing more money at the bureaucracy to feed its legion of private contractors. In other words: more of what contributed to this breach in the first place. The ever-growing feeding frenzy for beltway bandits not only increases the attack surface for foreign hackers, it ensures that Congress does not have the capacity (even if it had the will) to understand and oversee increasingly complex supply chains to ensure basic security standards for the very companies who will be called on to fix these vulnerabilities. Few were even aware of the ubiquity of SolarWinds presence across so many of our government networks, and the lax security practices of this key software provider have only come under scrutiny retroactively. According to reports, the update server for SolarWinds’ software ⁠— an incredibly sensitive key piece of any software supply chain ⁠— was publicly accessible by a default password that had leaked to the internet in 2019, and the company had been warned both by its employees and by independent security researchers.

Here another tragic irony emerges: whatever internal channels were used to warn of these security lapses were clearly not effective, but if a whistleblower had taken this kind of sensitive national security information to the press ⁠— publication of which perhaps could have forced action and prevented a major act of espionage against our government ⁠— they would have put themselves at risk of prosecution under the Espionage Act.

"If reports are true that Russia was behind SolarWinds, and was using its access to case physical infrastructure networks in the U.S., their motivation may have been to gain a small measure of deterrence against the overwhelming superiority of American offensive capabilities."

So while the pundits clamor for retaliation and Washington bickers about rearranging the desks at Fort Meade, we still do not get a debate on alternatives that might better serve the American people. In secret, and without public consultation, the NSA long ago decided to use our privileged position sitting atop the internet backbone not to secure it; to level up the safety of key systems for all its users (but to poke more holes in it); and to stockpile exploits and hoard vulnerabilities in order to dip its hands into nearly every network, communications protocol, and computer system of consequence on the planet, both foes and allies alike.

Even our defensive strategy has become a policy of aggression. Dubbed "defend forward," it has us maintaining backdoors and software implants on key infrastructure systems around the world, as a way of keeping a loaded gun pointed at any real or potential adversary. Like our nuclear policy before it, the stated goal is deterrence, but the actual goal is to create a cover for unchecked aggression and dominance. If reports are true that Russia was behind SolarWinds, and was using its access to case physical infrastructure networks in the U.S., their motivation may have been to gain a small measure of deterrence against the overwhelming superiority of American offensive capabilities.

The wisdom of such an aggressive posture towards the global internet was one of the key questions Edward Snowden posed to the public after his disclosures. We should not fail to consider it as we increasingly get a taste of what the rest of the world has been subjected to by American spies for decades.


Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.
Jesselyn Radack

Jesselyn Radack

Jesselyn Radack is a national security and human rights attorney who heads the 'Whistleblower & Source Protection' project at ExposeFacts. Follow her on Twitter: @JesselynRadack

William Neuheisel is a human rights and civil liberties analyst at WHISPeR. Follow him on Twitter: @wneuheisel

William Neuheisel

William Neuheisel is a human rights and civil liberties analyst at WHISPeR. Follow him on Twitter: @wneuheisel

We've had enough. The 1% own and operate the corporate media. They are doing everything they can to defend the status quo, squash dissent and protect the wealthy and the powerful. The Common Dreams media model is different. We cover the news that matters to the 99%. Our mission? To inform. To inspire. To ignite change for the common good. How? Nonprofit. Independent. Reader-supported. Free to read. Free to republish. Free to share. With no advertising. No paywalls. No selling of your data. Thousands of small donations fund our newsroom and allow us to continue publishing. Can you chip in? We can't do it without you. Thank you.

Biden Urged to Sign Executive Order Guaranteeing Rail Workers Paid Sick Leave

After the president brokered a compulsory contract without a single paid day off for illness, one labor advocate implored him to "put up or shut up about how you really want them to have sick leave!"

Brett Wilkins ·


Campaigners Demand Deep Cuts to Plastic Production as Global Treaty Negotiations Ramp Up

"The scale of the problem is mind-boggling," said one advocate. "Plastic is in our blood. It's in fetuses. It's really encroaching on every aspect of human existence."

Julia Conley ·


Putting 'Profits Over People', Senate Rejects Paid Sick Leave for Rail Workers

"Senate Republicans and Joe Manchin have yet AGAIN failed working Americans by voting down seven days of paid sick leave for rail workers," lamented Rep. Jamaal Bowman.

Brett Wilkins ·


'We Must Cancel Student Debt,' Activists Argue as SCOTUS Agrees to Hear Case in February

"The right-tilted Supreme Court now holds in the balance relief for millions of hardworking Americans," said one campaigner. "It would be a giant loss for the economy if justices rule in favor of the special interests."

Jessica Corbett ·


A Labor Revolt Is Brewing... Inside the National Labor Relations Board

"From Congress, we demand funds, not furloughs," says the NLRB union. "From NLRB General Counsel Jennifer Abruzzo, we demand collaboration, not coercion."

Kenny Stancil ·

Common Dreams Logo