How can the US deter other nations from executing cyber-attacks? According to a panel of US government officials speaking at the RSA Conference in San Francisco, there is a range of legal, diplomatic, and even military options that can be considered.
Adam Hickey, Deputy Assistant Attorney General, National Security Division at the US Department of Justice (DOJ), commented that there is a lot that can be done to deter nation-states from conducting cyber-attacks.
“Law enforcement is one tool of federal power and should be used to deter threat actors,” Hickey said.
Hickey noted that he knows in many cases even if a state threat actor is charged in a legal indictment, an arrest won’t be made. That’s why the DOJ is using other legal instruments that can disrupt operations, including court orders to seize infrastructure.
That infrastructure, however, can be anywhere in the world, which is a challenge that Steven Kelly, Chief of Cyber Policy, Cyber Division for the Federal Bureau of Investigation (FBI), brought up. Kelly noted that because of the complexity of cyber-attack infrastructure attribution is often complex.
“Some people might scoff at the idea that we can deter nation-state cyber-attack activity, because the attacks keep happening, but we’re working on it,” Kelly said.
Kelly added that multiple agencies have been working together to get faster at identifying who is behind an attack and then working together to impose consequences more rapidly. He emphasized that it takes a lot of cooperation within the US government and with other law enforcement groups around the world to get all the facts that enable the FBI to identify threat actors behind an attack.
“Nations and the individuals that are working on their behalf can no longer assume that they can operate with anonymity,” Kelly said.
Secret Information and Public Indictments
Among the assets that the US government has engaged to help deter nation-state cyber-attacks is the intelligence community, though much of their work still needs to remain secret, commented Thomas Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy at the US Department of Defense (DOD).
Wingfield noted that while the DOD can’t reveal everything about its operations it can and does help other agencies to keep the country safe.
Information from the public is also a key part in helping with deterrence. Hickey commented that in recent years, as companies have matured in their own cybersecurity process, attacked companies have disclosed information to the government that is critical to helping with attribution.
In the final analysis, Wingfield emphasized that deterrence isn’t just about lawsuits or projecting power in some way with a retaliatory action. Rather, in his view deterrence is about influencing would-be attackers to make a different decision.
“At the end of the day, deterrence is meant to work in one place, and that is inside the human element, inside of the brain of the adversary decision maker,” Wingfield said.