The United States may still be the world’s preeminent superpower, based on size and reach of military and intelligence operations, but defending the virtual borders of cyberspace is another matter. Cyberattacks by foreign nations and their agents are on the rise, and this new form of conflict doesn’t fit easily into the existing paradigms of how to wage, or win, a global war.
The budget to support the U.S. government’s cybersecurity efforts is $14 billion for fiscal 2016, about 10 percent more than the $12.5 billion the government budgeted for 2015. Despite this increased spending, the U.S. is still vulnerable to attack.
“You could basically say the attacker has the advantage,” said Martin Libicki, senior management scientist at RAND Corp. and a professor at the Pardee RAND Graduate School.
Major data breaches in the past couple months alone have implicated foreign nations with which the U.S. has the most critical, and volatile, relationships in maintaining world order. The most recent attack was carried out by Russia against the Pentagon’s Joint Staff unclassified email system. Like Russia’s sophisticated attack, the Chinese breach in the server of the Office of Personnel Management (OPM) was difficult to attribute to either the government or to individual actors. But given the scope of these attacks, in both cases government officials pointed the finger at state actors.
The attack on the federal government’s OPM, discovered in June, was noteworthy not only because the personal details of 21.5 million Americans investigated by the government’s human resources agency were stolen but because many employees the OPM monitors have security clearances.
In response, sources within the Obama administration told The New York Times the government was planning to retaliate against China.
“One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said a senior administration official in a recent comment to the Times. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”
Actual retaliatory measures taken by the U.S. show that, at least so far, a “hack back” is not a strategy that will work to thwart future attacks. This is especially true if the hacker is located in a country that has Internet restrictions like North Korea.
North Korea stated in December that the U.S. was responsible for shutting down the country’s Internet for almost 10 hours in a retaliatory move after North Korea’s alleged hack against Sony Entertainment for releasing the movie “The Interview,” in which North Korean leader Kim Jong-un is assassinated. Along with several derogatory statements aimed at President Obama, the North Korean government claimed the U.S. “feigned ignorance” of the attack.
The U.S. didn’t deny culpability, but security experts find it implausible that the U.S. would have responded as the North Korean government claimed. Using a term that demonstrates how technology and global conflict are now entwined, experts said that a retaliatory act with the goal of cyber deterrence would be ineffective because an “information asymmetry” exists between the two countries. A limited number of people have access to the Internet in North Korea, and computer ownership requires permission from local government authorities.
“It is highly implausible the United States hacked North Korea,” Libicki said. “We would have nothing to gain, since North Korea is a country that barely has an Internet.”
A response to China’s hack is more complicated. Breaking through China’s Internet censorship program, or “Great Firewall,” which blocks websites like Facebook and Twitter, could send a message, though may ultimately be as symbolic as it is effective.
“Maintaining control of their Internet is core to Chinese interests. Going after the Great Firewall would be one way we could show them we mean business in an effort to have them alter current tactics,” said Richard Bejtlich, chief security strategist at cybersecurity firm FireEye, and a Brookings Institution senior fellow.
An economic response
Steps the U.S. government has taken to respond to hacking by foreign agents show the tentative nature of its cyber offense. Sanctions have been the primary means of retaliation, and these responses have focused on the government assisting U.S. corporations that have been hacked rather than direct response to government systems’ encroachment.
The U.S. extended sanctions on North Korea in response to the attack on Sony it attributed to North Korea’s government. This week, government officials told Reuters and The Washington Post that the U.S. is considering sanctions against companies and individuals in China and Russia who have benefited from hacking U.S. trade secrets. The Washington Post report notably said that the sanctions would not be a response to hacks into government systems such as the alleged Chinese hack of the OPM, because these attacks were carried out for intelligence reasons rather than to benefit business interests.
An executive order signed earlier this year allows the White House to use economic sanctions and other trade and diplomatic measures against cyberhackers.
The Post quoted an administration official as saying the possible sanctions move “sends a signal to Beijing that the administration is going to start fighting back on economic espionage, and it sends a signal to the private sector that we’re on your team. It tells China, enough is enough.”
The spy who came in from the code
Bejtlich said that there is a key distinction between cyberattacks on government systems and those against commercial interests.
“The problem for the U.S. is that it is suffering attacks upon government, military, and intelligence systems, all considered traditional espionage targets and ‘within bounds,’ while it is suffering attacks upon commercial industry, considered by the U.S. and allies as ‘out of bounds,’” he explained.
Governments have always reserved the right to respond to traditional espionage, but Bejtlich said those responses have been based in the physical world rather than in cyberspace—deporting identified spies, declaring certain embassy personnel as personae non gratae, ending joint events, etc. Bejtlich said that to deter China and other states from stealing American national security information, the U.S. will likely implement a mix of punishments.
Libicki said that it is plausible that the OPM attacks motivated a sense that something had to be done, even though the government positions the response as only a defense of commercial interests.
“The Chinese and Russians do not make such hard and fast distinctions,” Libicki said. “Instead of arguing, ‘Yes, we spy on commercial companies and that’s OK,’ they simply deny carrying out cyber espionage on anyone.” Libicki said this approach makes it difficult to talk about norms for cyber espionage that would legitimize some targets and de-legitimize others.
Such responses may not appear as proportional to the scale of the Chinese attack on OPM, such as hacking into a Chinese government entity of equal importance and housing similarly sensitive information. But experts warn that the risks of a more potent response may, in effect, represent a new era of mutual deterrence, with computer rather than missile code the key weapon.
“If you point to foreign policy, the biggest failures occur when you assume the other nation is using the same template and tactics,” said Jack Devine, former acting director of the CIA’s overseas operations and currently president of The Arkin Group, an international risk consulting and intelligence firm. “They might do something crazy back and you end up in a world of escalation.”
Devine said that a proportional hacking response could ultimately harm U.S. strategy. Since the U.S. is assumed to be conducting regular surveillance within the networks of foreign countries, a public display of retaliation could compromise efforts already in place meant to obtain critical information from foreign governments.
“I would hope there is a great deal of dormant activity that we are doing to breach their networks, but we should also not feel comfortable,” Devine said. “At the policy level, you would not want to compromise a great capability just to even the score by hacking back.”
Libicki said any response other than existing, and expected, cyber-espionage efforts of our own poses risks for the U.S. The target country could ignore or downplay what has happened. It can take offense but do nothing further (as China has done with the indictment of 5 PLA officers). The country can retaliate, or it can accede to U.S. demands.