The administration’s new policy of striking first at online attackers might invite cyberattacks, not deter them.
At first glance, it would be easy to confuse the Trump administration’s new National Cyber Strategy with its predecessors: the Obama administration’s 2009 Cyberspace Policy Review and George W. Bush’s 2003 National Strategy to Secure Cyberspace. All three documents emphasize strikingly similar goals: the importance of hardening critical infrastructure, working with the private sector, securing government networks and establishing more robust partnerships for sharing information about online threats.
Despite its similarities with previous administrations’ plans, however, the National Cyber Strategy represents an abrupt and reckless shift in how the United States government engages with adversaries online. Instead of continuing to focus on strengthening defensive technologies and minimizing the impact of security breaches, the Trump administration plans to ramp up offensive cyberoperations. The new goal: deter adversaries through pre-emptive cyberattacks and make other nations fear our retaliatory powers.
The framework for this shift to an offense-first strategy is found in three recently announced pieces of policy. The first, the National Cyber Strategy, outlines a broad vision of how the administration plans to approach online issues and emphasizes the importance of imposing “swift, costly and transparent consequences” on online attackers.
The second is the new Department of Defense cyber strategy, a more detailed plan for how the military will approach cybersecurity. It outlines a plan to “defend forward” by going after threats “before they reach their targets” and disrupting “malicious cyber activity at its source.”
And the third is the classified National Security Presidential Memorandum 13, which makes it easier for the military to launch offensive cyberoperations by largely eliminating a lengthy interagency approval process put in place by the Obama administration.
The idea of using offensive cyberattacks for defensive purposes is not a new one — discussions about the potential risks and rewards of “hacking back,” especially in the private sector, go back more than five years. But for the American government to embrace this strategy is a sharp change from the cautious, defense-oriented approach of the past decade.
President Barack Obama was notably restrained in his authorization of offensive cyber missions. When deciding whether to use the Stuxnet worm to compromise uranium enrichment facilities in Iran in 2010 (his administration’s most famous use of offensive cyber capabilities), he reportedly expressed repeated concerns about the precedent it would set for other countries. The Obama administration’s forbearance and careful decision-making around cyberattack authorization aligns with the 2015 Department of Defense cyber strategy, which identified controlling the escalation of cyber conflicts as a key strategic goal. That goal is conspicuously absent from the Department of Defense’s new strategy.
The Trump administration’s shift to an offensive approach is designed to escalate cyber conflicts, and that escalation could be dangerous. Not only will it detract resources and attention from the more pressing issues of defense and risk management, but it will also encourage the government to act recklessly in directing cyberattacks at targets before they can be certain of who those targets are and what they are doing.
One of the advantages of the slow, unwieldy approval processes put into place by previous administrations is that they gave the government ample time to ascertain who was behind a cyberattack. That is not always easy to do: Many adversaries route cyberattacks through compromised third-party machines in other countries, such as university computer systems. Rushing to retaliate may make it more likely that the United States will lash out at the wrong target, which may invite new attacks rather than deter them.
It could also lead to more attacks from existing adversaries like Russia and North Korea, from whom we already face substantial online threats. These countries have demonstrated their considerable online capabilities in cyberattacks directed at hospitals and power companies. If the United States pre-emptively attacks their servers and online infrastructure, it will only provoke greater and more damaging shows of force. And what these countries are capable of will be every bit as terrifying and harmful as what we can do.
There is no evidence that pre-emptive cyberattacks will serve as effective deterrents to our adversaries in cyberspace. In fact, every time a country has initiated an unprompted cyberattack, it has invariably led to more conflict and has encouraged retaliatory breaches rather than deterring them. Nearly every major publicly known online intrusion that Russia or North Korea has perpetrated against the United States has had significant and unpleasant consequences.
When North Korea compromised Sony Pictures in 2014 and stole the company’s data, it experienced a national disruption to its internet connectivity the following month. More recently, Russia has faced sanctions, indictments identifying their key online activities and personnel, and possibly covert cyber operations as punishment for a series of online intrusions and computer compromises. While nobody knows where these counterattacks originated, experts believe some of them came from the United States. Under the new attack-first policy, it’s likely that North Korea or Russia will retaliate against the United States in similar ways if threatened. For the United States, this is an especially risky approach given how much of our infrastructure — from energy distribution to financial systems to voting — is digitized and how vulnerable that dependence on computer networks makes us to cyberattacks.
A smart national cyber strategy would focus on securing our computer systems, data and networks by allocating more money for their protection and by allocating more time and energy to regularly update, measure and test their security. It would charge the government with attacking its own servers and systems domestically to identify potential vulnerabilities before foreign adversaries have a chance to exploit them, rather than encouraging officials to strike out at overseas targets. And it would reserve the use of offensive cyber capabilities for situations that allow for careful consideration of the possible unintended consequences, narrow tailoring to a specific mission and contained, targeted damage.
Ironically, the new national cyber strategy also charges the United States government with enhancing cyber stability “through norms of responsible state behavior.” As the rest of its policies make all too clear, this administration has already committed itself to irresponsible uses of cyber force that may serve to destabilize everyone’s online infrastructure, including our own. – The New York Times