Calls for offensive cyber action are increasing in the US. Stewart Baker, who served as general counsel of the National Security Agency from 1992 to 1994 and was assistant secretary for policy at the Department of Homeland Security from 2005 to 2006, has just made the latest case for US cyber-aggression in the face of what many see as Russian and other nation-states’ attempts to win control of cyberspace and the internet.
In the Washington Post, Baker writes: “The United States may have pioneered the idea of fighting wars in cyberspace, but it’s our adversaries who are using cyberattacks most effectively. To deter them, the country needs creative new ways to punish nations if they launch the devastating attacks that are within their grasp. The need for options to strike back at cyber-aggressors is obvious — and urgent.”
Baker focuses on Russia’s attack on the 2016 U.S. presidential election and its continued attempts to infiltrate the computer networks of multiple congressional campaigns. He also points out that the Department of Homeland Security says Russia is making a major push to infiltrate US power-plant control rooms.
But Russia is only one actor. Chinese industrial espionage has been conducted on a vast scale and is a significant contributor to Chinese economic ascendancy. U.S. intelligence agencies believe that China is cheating on its Obama-era pledge not to engage in commercial cyberespionage.
North Korea has moved its best hackers to China and other countries where Internet service is better, and is using them to steal from banks, as well as to threaten the United States.
And Iran, which wielded its willingness to attack U.S. corporations, banks and even dams as leverage in nuclear arms talks, remains one of the most active of all the nation-state hackers followed by the cybersecurity firm FireEye.
Director of National Intelligence Daniel Coats recently said of these cyberthreats: “The warning lights are blinking red again.”
But the most interesting thing is the US response to this point. Unable to arrest the hackers, and equally unable to stop attacks using technology (raising questions about the value of defensive technologies as a whole), the US has used highly selective economic sanctions. Sanctions are a long-term and usually ineffective method of achieving solutions to specific problems, and there is no evidence to suggest that they will be effective in curbing cyber incursions.
So why does the US not retaliate in kind? Conventional wisdom has it that this is down to fear. Baker says: “The United States is so reliant on computer networks that we’re afraid to launch a tit-for-tat exchange in cyberspace. It was true during the Obama administration and remains true today. As Army Lt. Gen. Paul Nakasone said during his confirmation hearing in March to be the nation’s top cyberwarrior, our adversaries ‘don’t fear us.’”
So what should the US do? According to Baker, “We need to get tougher and more inventive.”
He wants:
- Countries hosting hackers to be forced into expelling them
- US special forces to be used to grab hackers not expelled
- EMP weapons able to knock-out to be installed in hostile states
- Sleeper malware to be embedded in the CNI of hostile states, to be activated if they attack
Others are similarly calling for an offensive cyber-operation and are worried that US administrations have so little in the way of response. They also note that cybersecurity is a revolving door in US government and without strong and stable leadership, policy is likely to be fragmented and ineffectual.
Given the current president’s need for distractions and the increasing clamour for action, don’t be surprised if the US begins to mount high-profile cyber offence. If it does, the ramifications will be profound. Assuming immediate retaliation and escalation, the private sector looks to be the big loser. The easiest way to penalise a government for offensive cyber action is to disable as many poorly protected businesses as possible regardless of sector, to cause the broadest possible disruption and the greatest political backlash. Disrupt multiple manufacturing supply chains, payment systems, internet service providers and e-Commerce platforms, and few boards would be able to continue to view the economic effects of cybercrime as theoretical.
In the current environment, CISOs need to keep an eye on the politics of cyberwarfare. It’s not just a matter for governments.