Two former government cyber officials are working on a new way for industry to measure whether the Trump administration’s surge in offensive hacking operations is successfully deterring U.S. cyber adversaries or just egging them on.
Jason Healey, a White House cyber official during the Bush administration, and Neil Jenkins, an Obama administration cyber official in the Homeland Security Department, are developing a program for tech companies to track the pace and severity of digital strikes against U.S. targets as well as other factors such as whether the attack was especially brazen, reckless or globally destabilizing. The Cyber Threat Alliance, a coalition of top tech companies that share cyberthreat information and where Jenkins is chief analytics officer, is likely to take on the task of measuring the attacks.
If the resulting data shows U.S. adversaries are becoming more aggressive, Healey and Jenkins hope the government will change course before cyberspace becomes more unstable.
“A lot of us see this as an incredibly high-risk strategy,” Healey, a senior research scholar at Columbia University, told me of the Trump policy. “If you punch the other guy harder, he might just punch you back harder. It might be worth it, but the only way we’re going to be able to figure that out is if we pay attention in a more disciplined manner.”
Healey and Jenkins plan to release the formal framework at the International Conference on Cyber Conflict in Tallinn, Estonia in May and shared a draft version with me last week.
The project highlights concerns among researchers and industry about the Trump administration’s decision in August to significantly loosen the reins on military and intelligence agencies launching retaliatory hacking operations, a move that national security adviser John Bolton said was aimed at imposing a “disproportionate cost” on adversary countries that hack U.S. targets.
The battleground in cyberspace is effectively private companies’ computer networks — and any increase in global conflict could cost them millions in breaches and increased cyber defense costs. As a result, high-tech companies have been more forward about policy advocacy in cyberspace than in other national security sectors. Microsoft, for example, has proposed a Digital Geneva Convention to restrain governments from hacking other nations’ companies.
Already, companies that are part of CTA — which include Cisco, Symantec and McAfee — have increasingly been using shared threat information to attribute hacking campaigns to government-linked threat groups in Russia, China, Iran and elsewhere, Jenkins told me. He says it would be relatively easy to take that analysis one step further to measure the pace, severity and other aspects of the attacks.
Jenkins has spoken with member companies about using the measurement framework, but they haven’t all committed to it yet, he told me. The plan is to release public reports about the group’s findings but not the underlying data.
Jenkins and Healey are also hoping the government could be a partner on the program. Based on their own informal conversations with military and civilian officials, they believe the government is not measuring the policy’s effectiveness internally, they told me. The White House did not respond by press time to a query about whether it is measuring the program’s effectiveness.
Congressional Democrats have also said they plan to do oversight to ensure Trump’s more aggressive cyber policy doesn’t backfire.
There are some limits to what the framework could track. First off, there’s not a lot of apples-to-apples data from before the Trump policy shift, which will make it difficult to determine whether an increase or decrease in adversary hacks is due to the Trump policy or just part of the normal ebb and flow of hacking operations.
Second, while Bolton has said publicly that U.S. Cyber Command is doing more offensive hacking than it used to, researchers don’t know precisely how much hacking CYBERCOM is doing, against whom, or when. So, if researchers see a drop in hacks coming from North Korea, for example, they won’t know for sure that it’s because the hackers were cowed by an increase in U.S. offensive operations.
Finally, the framework may show correlation but not causation. An uptick in Chinese hacking, for example, may be sparked by U.S.-China trade tensions or other factors separate from how frequently or severely the United States is striking back in cyberspace.
Despite those caveats, Healey and Jenkins believe they can glean enough information to assess whether the offensive hacking campaign is doing more harm than good, they told me.
“We’ll measure what we can measure, which is the punches coming at us,” Healey told me. “If the attacks on us go sharply up, then it doesn’t rule out that it’s working the way they’re thinking it will, but it certainly makes it a lot less likely.”