Recent White House warnings urging the private sector to shore up its cyber defenses have experts questioning why U.S. officials haven’t already defined what constitutes cyberwarfare.
Although the experts praised the warnings, they said that the Biden administration should also prioritize defining what the thresholds are for retaliating against a major cyberattack.
“We have to set up rules of engagement that are absolute, saying any cyberattack that is associated with a [hacking group] loosely tied with the Russian government or the Chinese government will immediately trigger the following actions,” said Emil Sayegh, president and CEO of data security firm Ntirety.
The experts were weighing in on recent warnings issued by the White House urging critical sectors to prepare for possible Russian cyberattacks following new U.S. intelligence suggesting that the Kremlin is exploring “options for potential cyberattacks” against critical infrastructure.
The FBI also issued a similar notice this week warning the private sector to strengthen its cyber defenses, saying U.S. agents were “particularly focused on the destructive cyber threat” from Russian agents.
Experts said the warnings are a serious wake-up call for critical industries to start upgrading and strengthening their security systems as soon as possible.
“The biggest issue is on critical infrastructure because an attack against our critical infrastructure could really paralyze our nation,” said Paul Capasso, vice president of strategic programs at Telos, a cybersecurity firm based in Virginia.
Capasso added that industry leaders, the government and those in academia need to work collectively to figure out the best way to counter cyberattacks targeting critical infrastructure.
Capasso also echoed Sayegh’s sentiment that it is crucial to establish what a major cyberattack consists of.
“Is it a loss of monetary value? Is it loss of life?” Capasso said. “It’s really hard to say what the Biden administration’s thresholds are.”
Many have wondered whether the U.S. and NATO would consider triggering Article 5 if a major and destructive cyberattack were launched against a NATO member. The article states that an act of war against any member will trigger a response from the full alliance.
Capasso said that there are two scenarios in which Article 5 could be triggered. The first scenario is a direct cyberattack against critical infrastructure causing major material or economic loss, as seen with the 2021 Colonial Pipeline ransomware attack, which caused the company to shut down its operations for nearly a week. The incident caused gas shortages in several states as fuel prices spiked.
The second scenario is if an attack intended to target a non-NATO member like Ukraine were to bleed into a NATO nation like Poland, which borders Ukraine.
Capasso said if either of those two scenarios were to happen the administration could take several actions, including diplomatic, economic or military actions. However, Capasso cautioned that just because a NATO member is the victim of a major cyberattack doesn’t mean that that nation would immediately invoke Article 5; the NATO nation may want to first hold a meeting with its fellow members to discuss how to respond.
“Every situation is going to be different,” Capasso said. “The Biden administration basically holds the keys on how you define what that major attack is … and what are the thresholds that have been broken.”
Biden’s national security adviser Jake Sullivan told reporters at a March press briefing that “cybersecurity is an alliance issue” and that the U.S. is coordinating with its allies and is prepared to take any necessary actions in response to a major cyberattack.
“We could see circumstances in which a collective response by the alliance to a cyberattack would be called by an ally. That is absolutely something where we and other countries could bring capabilities to help a country to both defend itself and respond to a particular cyberattack,” Sullivan said, adding that that response could take many different forms.
When pressed by reporters on when it would be appropriate to trigger Article 5, Sullivan said it would depend on the type of cyberattack launched. He said if a “disruptive and destructive” cyberattack were to occur, then that could potentially be a threshold for cyberwarfare or “mere preparation for a future attack.”
“How one defines cyberwarfare or cyberattacks is going to differ across individuals,” he said.
Sayegh added that the issue with cyberattacks is that they are difficult to prove and their origin is hard to determine. Governments would need to meet a burden of proof before invoking Article 5.
He also said once government officials have hard evidence against the perpetrators, they need to establish rules of engagement regarding a proper response.
“We really need to define what these scenarios are and make them public so that our adversaries know what our responses would be,” Sayegh said.