In a coordinated show of force last month, the State Department and the Department of Defense joined more than 20 other nations in attributing and condemning a 2019 cyberattack on the country of Georgia to Russia’s military intelligence wing.
The move was part of a broader “name and shame” strategy aimed at slowing cyberattacks from foreign adversaries, part of a deterrence policy that also includes indictments and sanctions.
But during the one of the cybersecurity community’s biggest trade shows, just days after the State Department announcement, U.S. policymakers repeatedly acknowledged their strategies for discouraging state-backed cyberattacks aren’t working. And, in that vacuum, what’s re-emerging is a debate over what the federal government should do now — especially given the expanding threat several nation-state actors pose to the 2020 presidential election.
While some officials hope sanctions and indictments will eventually force hackers to think twice before attacking American networks, other experts suggested that the federal government should lower the bar for a military strike in response to a digital attack.
“We should be very explicit about how low the threshold is for a kinetic response to an attack on our infrastructure,” said Tom Corcoran, a former senior staffer on the House and Senate intelligence oversight committees from 2001 to 2014 and the current head of cybersecurity at Farmers Insurance Group. “It doesn’t necessarily need to cause a loss of life or even a significant economic impact.”
Some current officials are more optimistic.
“We think that the diplomatic aspect of the public attribution and public statements may not work today … but it is setting the expectation, operationalizing this framework that we’ve all agreed to and will have an effect over time,” said Liesyl Franz, senior policy adviser in the Office of the Coordinator for Cyber Issues at the U.S. Department of State. She was referring to a framework agreed to at the United Nations about responsible state behavior in cyberspace.
She added, “what’s the next step? Well, at some point we’ll figure out how to impose additional types of consequences. Sanctions are one tool that we’ve used, indictments are another, but what are other ones that we can do?”
The threshold for armed response
The outstanding problem is that cyberactivity falls below what experts call “the threshold of armed conflict.” One example is the 2014 hack of Sony by the North Koreans that caused tens of millions of dollars in damage to the company. The Obama administration responded with sanctions.
“Think about it this way, if the North Koreans had sunk a cruise liner, just like an empty cruise liner that was coming from a shipyard back to its home port, but they had sunk a $200 million cruise liner, what would our reaction have been? That would have been an act of war,” retired Adm. James Stavridis, former Supreme Allied Commander of NATO, said in an interview with Fifth Domain. “We’d be literally launching B-1 bombers immediately to North Korea. Yet because it was a cyberattack, somehow it’s just a hack.”
In another example, Stewart Baker, former general counsel for the NSA, suggested that if Iran were to launch distributed denial of service attacks on U.S. banks, a preferred method of attack by their hackers, the United States could bomb an Iranian oil platform, but provide 24 hours of advanced warning to allow the Iranian government to get workers to safety.
Policymakers are careful in responding to this argument. The State Department’s Franz said it is critical governments operate with transparency and warn others that specific types of attacks would lead to an aggressive response. In addition, the response must be proportionate, must not escalate the conflict and must not cause irreversible damage.
“Something that causes pain that doesn’t … [leave] the country in the doghouse forever,” Franz said.
One such example came from Timo Koster, ambassador at large for the Netherlands, who suggested that in response to Russia’s 2014 invasion of Crimea, the international community could have responded by moving the World Cup from Russia, which the country hosted in 2018. That response would have a detrimental economic impact, but not cross a threshold of war. Without such consequences, current behavior will continue, experts said.
Nations hack “because they can,” Koster said. “Very simple. It’s an easy way to get what you want, assert yourself, and it’s something you can probably get away with most of the time.”
Today’s deterrence strategy
While U.S. officials said their strategies may not appear to be working in the short term, the long game is to establish norms of acceptable behavior in cyberspace.
To this end, the Department of Justice has indicted malicious foreign operators. For example, former Special Counsel Robert Mueller indicted dozens of Russians for their role in cyber operations relating to the 2016 election. More recently, the Justice Department indicted Chinese hackers allegedly behind the Equifax breach.
The shortfall of this strategy is that it’s unlikely the United States ever gets those actors in a U.S. court — a reality U.S. officials recognize.
“We’re aware of the fact that in many of those cases, we may not have the opportunity to arrest the individual … charging a case is reactive, it’s good to hold individual actors accountable,” said Adam Hickey, deputy assistant attorney general in the Justice Department’s national security division. “But that alone is not sufficient.”
Instead, Hickey said the Justice Department wants to win court orders that would allow officials to seize infrastructure as a way to disrupt activities or to gather evidence in an effort to help the State Department and Defense Department build out cases to present to the international community.
Though the Justice Department officials recognize they likely won’t see the criminals in court, officials hope they may be able to change individual hackers’ minds from taking on nefarious work in the first place.
“I suspect that we’re maybe changing the thought calculus of even the workforce” of foreign adversaries’ hackers, said Steven Kelly, chief of cyber policy at the FBI’s cyber division. “Where do I want to work? Do I want to work for an organization, and I’ll get caught and named the next thing you know, I can’t travel to Europe on vacation because I might get arrested?
“This is a new space where everyone in the ecosystem is making decisions about how they want to participate in it and maybe, maybe they don’t want to be working for an organization that’s going to be causing them personal reputational harm.”
Franz said the United States will continue attribution with its foreign partners because the support of foreign governments is a “force multiplier” and that the strategy will work over time.
“If we can have 20 and 30 countries coming out with us, to join us in a statement of condemnation or … themselves bring consequences, pariah states will start to become more and more isolated,” Kelly said.
Deterrence suggestions on the horizon
In a March 11 report, the Cyberspace Solarium Commission, a group of government and non-government cyber experts, is expected lay out a “layered deterrence” approach, according to Chris Inglis, a commissioner and former deputy director of the NSA.
The first step is to set expectations for nations’ behavior by working across government agencies, the private sector and allies, the report is expected to say. Second, the federal government needs to strengthen its digital infrastructure, including people and the supply chain, and define the roles and responsibilities to better defend itself. Third, leaders must be willing to impose a cost on bad actors.
“If you haven’t actually shaped expectations, if you haven’t made the kind of digital infrastructure defensible, then you have no business disrupting because you live in a glass house, and that’s going to come quickly back to create chaos, disorder, indiscipline for your own side,” Inglis said.
Several experts agreed with Inglis’ point.
“We may have the biggest rocks; we also have the glassiest houses,” Baker said.