Recent attacks on American critical infrastructure by Russian “cybercriminals,” including an oil pipeline, a meatpacking company, and possibly a transport provider, created inconveniences. The attacks could have been worse. What should be done to stop future attacks? What should not be done? What strategic steps might be taken? This could be Biden’s moment.
Interestingly, while Russia is implicated in these cyberattacks – shielding presumed perpetrators, possibly being complicit – a response is tricky. Here is why.
First, identifying with certainty who perpetrated a cyberattack, given the “opposing barbershop mirrors” of cyber-deflection, is often difficult. State actors deflect blame onto other state or non-state actors. Non-state actors do the same. Like picking up beads of mercury with fingers or nailing Jell-O to a wall, the task is inherently hard.
Second, responding without giving away how you know who launched an attack and where it came from, so that the attacker cannot correct course, deflect better, or learn “sources and methods,” is also difficult.
US Cyber Command exists to “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries,” but the cyberworld is one of shadows, feints, and counter-feints. See United States Cyber Command.
Several years ago, a senior National Security Agency official was asked why there was no executive order saying we would hit back hard if hit.
His response was revealing – and remains relevant.
“It could be useful but dangerous because if someone knows ‘if you do this I’ll whack you in this way,’ they could pretend to be another nation-state actor.” While “attribution is hard,” it is “probably not … as hard as people think,” but “hard to do in a timely way and an actionable way,” as “it usually involves some fairly sensitive intelligence sources, and if you disclose those they won’t be there the next time.” See NO NEED FOR A STANDING ORDER ON CYBER ATTACKS.
The whole exercise is like snipers hunting snipers.
Third, any response – at law or national security – must be proportional or risk escalation. The goal should be a return signal that is focused, timely, and demonstrates attacker vulnerability to deter future attacks. By keeping the response proportional, we avoid starting a cyber war.
Finally, while much of cyberspace is hidden, the public is getting drawn into this battlespace. Official and rogue actors are widening their aperture, intentionally creating collateral damage. In short, what was government-to-government harassment and mere pilfering is affecting society.
Given these realities, what should – and should not – be done? Whatever we may know, these constraints are important. We want to deter future attacks without starting a war. A broad cyberattack risks being wrong, disproportionate, compromising intelligence, and triggering counter-attacks – which means more collateral damage.
On the other hand, a perpetrator must know we know who they are to deter future attacks, whether “non-state,” so caught and prosecuted, or “state,” so outed and internationally punished.
The best answer, in this case, depends on what we know, with what confidence, and whether we can tailor a response to hit the attacker’s point of origin – discreetly. Public reports say Biden sees these attacks as “a national security threat” and is “contemplating offensive cyber operations against hackers inside Russia,” which may be right – but any such response must be discreet, proportional, and not trigger further escalation. See, e.g., ‘They are hair on fire’: Biden admin mulling cyber attacks against Russian hackers.
At the same time, words are cheap, sanctions are often ineffective, and on June 16th Biden is going to meet Russian President Putin, whose foreign ministry said it would be sending “uncomfortable signals” before the summit.
Biden just issued an executive order reviewing federal regulations and foreshadowing compulsory information sharing between private and public sectors. That is nice but inadequate, possibly also subject to legal challenge. See Executive Order on Improving the Nation’s Cybersecurity.
The real issue is whether we are entering a new phase of international conflict, one in which harassment and pilfering get replaced by cyberattacks to shut down society – led by adversaries.
If so, how do we stop it? Nutshell: We get direct – in private – with our adversaries. We let them know we are watching and holding our cyber-fire, and that we expect them to help identify cybercriminals and cease complicity. Next, we send a cyber signal that we know what we know. Finally, we harden and modularize cyber-defenses, starting with our critical infrastructure – the necessities.
This could be Biden’s moment – probably will not be but could be. If he wanted to prevent cyberwar, turn the page, show real leadership, he could identify cyberwarfare as tantamount to nuclear – not conventional – warfare. The time is coming when similar damage could be done.
Biden could work with Republicans, US Allies, plus Russia and China, to initiate “Cyber Strategic Arms Limitation Talks” – a new idea, a Cyber-SALT regime, to anticipate and curtail cyberwarfare before this gets any worse. Just an idea.
Meantime, watch your cyber-defenses!