President Biden today issued executive orders (EO) that blame, shame, and sanction the Russian government for perpetrating the SolarWinds Orion supply chain cyber attacks, and interfering with U.S. elections, among other transgressions.
The order declares a “national emergency” under the International Emergency Economic Powers Act regarding the “unusual and extraordinary threat” that harmful activity by the Russian government poses to United States national security, foreign policy, and the economy.
Along with culpability in the SolarWinds hack and attempts to influence U.S. elections, the order also cites Russian interference with elections of U.S. allies, corruption of foreign governments, targeting of journalists and dissidents, and violations of territorial integrity.
“This EO sends a signal that the United States will impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions” including election interference and cyber attacks, the White House said.
Whether the contents of the executive order represent the full range of U.S. actions against the Russian government remains to be seen, and may never be known. White House Press Secretary Jen Psaki has said several times this year that the White House reserved the right to respond to the SolarWinds hack and other issues “at a time and in a manner of our choosing,” and through methods that may be “seen and unseen.”
What the executive order does do is place blame squarely on the Russian government for the SolarWinds attack and for election meddling. On both counts, the Russian government had already been flagged as the likely culprit, but sometimes with less than 100 percent certainty.
“Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures,” the order states. “The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.”
“The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide,” the order states. “The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.”
In a related move, the White House said that the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the FBI will issue a cybersecurity advisory that details software vulnerabilities exploited by the Russian SVR, and steps that network defenders can take to identify and defend against Russian attacks.
While immediate financial sanctions on Russian assets are the headline grabbers, the executive order states that the United States is evaluating whether to take actions under Executive Order 13873 “to better protect” information and communications technology and services (ICTS) supply chains “from further exploitation by Russia.”
EO 13873 was issued by President Trump in 2019 to declare a national emergency regarding threats to ICT technologies and services from “foreign adversaries.” In practical effect since then, the order has been used to ban the use of network equipment made by a variety of China-based suppliers that are considered threats to U.S. national security.
Elsewhere on the sanctions front, today’s executive order includes:
- The Treasury Department issuing a ban on U.S. financial institutions from participating in primary markets for bonds issued by several Russian financial institutions including the Central Bank of the Russian Federation, and providing authority “for the United States to expand sovereign debt sanctions on Russia as appropriate”;
- Designating six Russian tech companies that provide support to Russian Intelligence Services cyber programs;
- Sanctioning 32 entities and individuals for “carrying out Russian government-directed attempts to influence the 2020 U.S. presidential election, and other acts of disinformation and intelligence”; and
- Expelling ten people from the Russian diplomatic mission in Washington, including Russian intelligence service personnel.
The executive order also lays out steps the United States is taking in a bid to shore up international support to improve cybersecurity and internet freedoms.
Those include plans later this year for a “first-of-its-kind” course for policy-makers on “the policy and technical aspects of publicly attributing cyber incidents,” to be based out of the George C. Marshall Center in Germany.
The White House said it is also taking steps to wrap additional allies into planning for the Cyber Flag 21-1 cybersecurity exercise planned for later this year. Additional allies that may participate include the United Kingdom, France, Denmark, and Estonia.
“The United States is committed to the security of our allies and partners; these efforts are intended to reinforce again our commitment to that bedrock principle,” the White House said.