Putting Hackers on Notice
The United States needs a stronger deterrence message to fend off a changing array of cyber enemies.
U.S. adversaries know they can exploit cyber vulnerabilities and are getting away with it with ease and on the cheap. This reality is as befuddling to officials as it is enraging, and it has some experts calling on the federal government to embrace a new defense approach: Put up or shut up.
The deftness with which hackers access critical U.S. assets has ushered in a realization that national network defense is a job for government as much as for private businesses and citizens, panelists agreed at a recent cyber summit. The panel, part of the Cyber Disrupt 2017 event hosted by the Center for Strategic and International Studies (CSIS), explored the effects of high-profile breach after high-profile breach on national assets. Countless breaches confirm that traditional defenses alone are failing to keep out attackers. “It is only likely to get worse before it gets better,” offered Michael Daniel, president of the Cyber Threat Alliance and former White House cybersecurity coordinator.
Chinese cyber theft has already caused billions of dollars in losses. In 2015, the U.S. government unleashed a naming and shaming strategy and imposed sanctions when China failed to curtail cyber crime. The high-profile agreement between then-President Barack Obama and Chinese President Xi Jinping resulted in fewer Chinese cyber intrusions, said Dmitri Alperovitch, co-founder and chief technology officer at U.S. cybersecurity firm CrowdStrike. “It’s not zero … but it’s a huge success,” he said. “We’ll see what happens. It’s too early to declare victory. The Chinese may decide to change tactics, and certainly, if our relationship with them on trade and other issues starts to disintegrate, we may very well see increased activity.”
Still, leaders today underappreciate the nexus between cyber and foreign policies and how important deterrence is, said Eric Rosenbach, former chief of staff at the Office of the Secretary of Defense.
The reported Russian interference leading up to November’s U.S. presidential election sends a troubling message that extends well beyond a single transgression carried out by a single nation, Rosenbach said. “I am very nervous about the message that that sends to other adversaries around the world about how they may use ... information and cyber to impact core values and core national interests. I’m just as nervous about our inability to articulate deterrence in a way that impacts the perception of bad guys around the world who want to do bad things to the United States,” he said.
That perception aspect of deterrence is vital, and failing to act swiftly, strongly and purposely makes the United States appear weak, panelists agreed.
The China agreement is a start, but much more finger-pointing is needed, Alperovitch said. “It strikes me as completely inappropriate for us to hide behind protecting sources and methods when discussing attribution,” he noted. When the Russians bomb a convoy in Syria, for example, the Defense Department is quick to identify the culprit without undermining intelligence: “I’m confident we can do the same with cyber without compromising any sources and methods. We need to be much quicker at calling a spade a spade and figuring out response options.
“We don’t have a cyber problem,” Alperovitch continued. “We have a Russia problem. We have a China problem. We have an Iran problem. And cyber is a component of that problem.”
It is unlikely, however, that a single uniform deterrence policy will be successful, Daniel submitted. “We are going to need multiple deterrence options and policies to deal with the different adversaries that we face,” he said. “Even just taking the nation-states: Deterring North Korea is very different from deterring China or Russia. Then you throw in that you have to be talking about deterring criminal organizations that are motivated by completely different things than the nation-states … hacktivists or the potential terrorists.”
Constant and escalating cyber attacks have plunged the United States into a perpetual state of low-intensity conflict, wearing down defenses and draining billions from government coffers, the experts agreed. “Our adversaries are taking great advantage of that, understanding how much they can do without poking us too much and causing a retaliation,” Alperovitch said.
Consequently, they have no need to invest great time or resources to carry out a monumental cyber attack, or what many often refer to as a cyber Pearl Harbor or September 11, 2001. “Those attacks are very unlikely,” he said. “The reality is, we’re facing attacks every single day that are way below that threshold that we’re struggling to respond to. And that is what we need to focus on.”
The complex mosaic is compounded by an undefined and shifting battlefield. Gone are the days when nations waged war against nations and when armies battled armies. Today, commercial infrastructure and private entities increasingly are caught in the crosshairs. When North Korea attacked the United States, it did so by targeting a private company: Sony Pictures Entertainment. The 2014 attack highlighted a gap in protecting private businesses from cyber attacks. If businesses are not expected to defend themselves against intercontinental ballistic missiles, then how are government-sponsored cyber attacks any different, asked panel moderator Clete Johnson, a nonresident senior fellow with the CSIS Technology Policy Program.
Operating in this new domain requires partnerships between the government and the private sector and more clearly defined responsibilities for both, Daniel noted. “This is a new area for us. This is the fundamental policy question in cyber defense that we will have to wrestle with probably over the next five to 10 years,” he said.
While the private sector has internalized protections and is held accountable by normal market mechanisms for its own cybersecurity, it cannot be expected to safeguard against attacks carried out by the Federal Security Service (FSB) of the Russian Federation, for example, Rosenbach opined. “That’s the role of government—to protect the private sector from nation-state actors, no matter what the domain,” he stated. Such protection should be just as important to the government as it is to businesses, Rosenbach continued: “Our tech sector is like the last great center of gravity for the American economy.”
But the issue has created a double-edged sword, Alperovitch shared. It should not be the case that business operators throw up their hands and do nothing. “You can’t necessarily create a situation where companies feel like this is hopeless,” he said. “The reality is, you can defend yourself against the FSB. They’re not 10 feet tall either. They’ve got some good capabilities, but frankly, there are some criminal groups that have as good or better capabilities as well.
“Let’s not create a boogeyman where one doesn’t exist,” Alperovitch conceded. “It is defendable.”