Lots of DC folks are substituting really muscular language ("Act of War") for an understanding of all of the hard complexities raised by the SVR operation, and it's not helping. https://www.axios.com/solarflares-russia-hack-agencies-0a21d7e4-9fcf-4f6d-b86c-f903d155dd9d.html
Let's not forget how good the United States is with supply-chain attacks tied to espionage, and the lack of evidence tying SolarWinds to any election interference or destructive acts is possibly a partial win for deterrence and norms. https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
There is a long history of "trickle down" effects in cyber, where a technique honed by a major player becomes commonplace. China's 2000s APTs -> Iran/DPRK/teenagers in the 2010s. Stuxnet -> smart ransomware.
If supply-chain attacks become common, deterrence is less effective.
As I discussed with @matthew_d_green elsewhere, I don't think we can realistically stop these attacks. We need to raise the difficulty of each step, improve our monitoring, tighten up response, and focus on shortening the Victims*Days these go uncaught.
Our starting metric is something like 18,000 potential victims * 300 or so days (5.4M), so we have a lot of room for improvement without promising complete prevention or deterrence!
A good thread from Dr. Buchanan. https://twitter.com/buchananben/status/1340016979961327616