Published by The Lawfare Institute
in Cooperation With
Cyber warriors in the United States are preparing for a digital Cold War, deterring cyberattacks against specific critical infrastructure—when what is most urgently needed is a counterinsurgency (an “e-surgency”) strategy to beat back the everyday cyberattacks that individually never rise to the level of acts of war. On their own, these strikes may not directly threaten national security. But taken together, they target this country’s civic center of gravity and pose a clear danger to U.S. values.
Despite increased government attention and private-sector focus, cyberattacks are increasing along every dimension. No longer confined to the traditional major threats—Russia, China, North Korea and Iran—world-class cyber threat groups have emerged in southeast Asian developing economies, Sunni Gulf monarchies, and Latin American regional powers. The degree of damage has increased too, possibly topping $100 billion in costs to the U.S. economy alone in 2016, according to White House estimates. Damage to trust, privacy and freedom from fear has been growing at least as fast.
Several policies and de facto behaviors steer the United States away from success in what has become a global information war. The root cause is a focus on fitting cyber tools into old security paradigms rather than treating cyber weapons as part of a unified effort to exert legitimate state power in the modern age. Russia and other rivals have already begun to do this.
Cyber operations have disrupted or altogether bypassed traditional security institutions, defenses, and military deterrents. Much as Netflix radically altered the relationships among media companies, Amazon reshaped retail, Uber bypassed taxi services models, and social media companies have reconfigured expectations about how users receive news and other information, cyber-threat actors have bypassed democratic nation-states’ large and well-equipped standing armies to threaten citizens’ most basic rights (privacy and free speech among them) in cyberspace.
China, for example, did not hesitate to turn infrastructure associated with its “Great Firewall” censorship system into the “Great Cannon” distributed denial-of-service attack system used in 2015 to target infrastructure in the United States when Beijing wanted to stop U.S. press coverage of Chinese leadership from reaching its citizens. Russia, Iran and North Korea have similarly targeted Western media, industry, and government-run public communications in attempts to limit their own domestic disruption by controlling democratic discourse abroad. Such an approach has not been limited to great powers: Ethiopia has successfully targeted expatriate journalists in Washington it saw as encouraging domestic dissent.
These diverse targets and methods challenge the sovereignty of the targeted nation without regard to conventional military might, counterintelligence capabilities, or diplomatic influence—the old paradigms for measuring state power—and without targeting the critical infrastructure that the U.S. government has pledged to defend. This suggests that the repeated cyber strikes the United States has suffered are a failure of concept as much as of capability.
Gen. Valery Gerasimov, the Russian military’s chief of the General Staff, noted in 2013 that “the role of nonmilitary means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”
Yet U.S. intelligence and military cyber defense resources are focused foremost on ensuring continuity of government: in other words, on defending themselves from cyber intrusion or attack. Presidential Policy Directive 21 (PPD 21) extends this to “assets, systems, and networks” whose incapacitation would have a “debilitating effect on security, national economic security, national public health or safety” through a list of 16 industries that receive defensive intelligence from the government, that receive preparations and funding to harden their defenses and improve readiness, and that would be defended if necessary.
While appropriate for earlier-generation warfare, this approach misses the targeting of retailers and service providers that do not have clear ties to government continuity but that, taken together, are the economic and civic lifeblood of the country. Put another way, this approach makes sense for defense against physical attacks, by focusing on sectors whose destruction would be catastrophic for all Americans—defense, emergency services, nuclear power—or on high-population areas.
Cyberattacks, however, can be dispersed to affect many sectors nationwide with little additional cost or difficulty. Unclassified networks, by virtue of having several orders of magnitude more people connected to them than those that handle classified information, have become the “sensitive” targets. But for all the attention paid to election interference and other attacks in recent years, U.S. cybersecurity strategy has not kept pace with this development. Russia has targeted hundreds of thousands of home routers, China has carried out prolific theft of individual health records, and North Korea has carried out high-profile assaults on private Western companies—all without triggering the response reserved for designated critical infrastructure. It is easy to imagine the problem getting worse.
Consider that until interference in the 2016 election campaign became public, voting equipment was not considered critical infrastructure. As the cyber-issues official within the Office of the Director of National Intelligence told the Washington Post in September 2016, “just releasing DNC emails? Welcome to the new world. I would say that’s a law enforcement matter. The ‘doxing’ of a private entity is not a national security event.” Even President Obama famously called the North Korean attack on Sony Pictures “cybervandalism.”
This approach is dead wrong. These activities may not be direct attacks on human life, but tolerating them only encourages further activity. If a hostile nation believes that using its resources to target a sector in the United States will be good for it and harmful for the U.S., why does the U.S. government not treat that sector as worth defending?
Recent history has shown that the U.S. government is not as good at picking which industries to protect as threat actors are at finding strategically valuable soft targets to hit. And today’s institutions, however well-staffed, well-equipped and well-led, have not focused on the right problems.
Better the People Do Security Tolerably Than the Government Do It Perfectly
Most victims of cyberattacks are in the private sector; the most relevant attacks on critical infrastructure and political health happen in this space rather than against classified government networks. As a result, most of the technical experts in any Western country will be discussing these threats in unclassified settings.
Much like the post-9/11 shift in terrorism reporting, U.S. intelligence agencies must consider how actionable the intelligence they gather is for uncleared security personnel and the general public, rather than only its analytic value for U.S. policymakers. Detailed threat information needs to be made public much more rapidly.
At a minimum, the director of national intelligence should consider requiring intelligence agencies to provide Secret-level briefings of major findings and technical indicators for all cyber-related finished intelligence that is published. This would greatly widen the circle of outside experts, private companies, and cleared academics that could benefit from reporting. This requirement is already a standard practice for interagency products like National Intelligence Estimates; it should be extended to analysis produced by individual agencies.
Another improvement would be to flip the classification expectation so that, drawing on the experience of using counterterrorism intelligence to inform State Department travel warnings, all technical indicators gathered by U.S. intelligence agencies that the public could use to protect itself would be made available immediately by default, with exceptions requiring an agency head to sign off on withholding such information. In all likelihood these exceptions would be common in order to protect sensitive sources. Still, such a change would reset expectations within agencies and give Congress hard data to inform its oversight of such decisions. While avenues for sharing indicators exist today, and the Department of Homeland Security in particular makes great effort to pull such indicators from intelligence community reporting, the onus on those making classification decisions in the first place is still tilted too heavily in favor of withholding security information from the public.
This is not about the U.S. government disclosing more zero-day vulnerabilities. Even the most sophisticated threat groups compromise almost all of their victims using well-known techniques, such as exploiting vulnerabilities that are patchable or tricking users into giving up passwords or access. There is little evidence that disclosing more vulnerabilities would stop the most powerful cyber actors from gaining access to the targets they care about most. The current Vulnerabilities Equities Process is working fine in national security terms.
Focusing on categories of victims to protect rather than specific actors to counter risks inviting further policy and intelligence failures. So too does focusing cyber capabilities on physical battlefield effects and positioning intelligence resources to enable massive retaliatory cyber strikes that have rarely been called for or materialized even when needed. The United States should not wait until continuity of government is threatened by widespread disruption as Estonia suffered in 2007 before making changes.
Instead, the U.S. should prioritize use of its military and intelligence services to counter foreign government hacking operations and information campaigns while they are in progress, up to and including disruptive attacks on network infrastructure supporting those attacks, regardless of what those attacks target and before using those resources to support conflict in other domains. Progress will be clear when change is reflected in acquisition budgets and requirements put forth by combatant commanders who today procure cyber weapons overwhelmingly for their ability to project conventional military power on a physical battlefield.
Cyber operations sufficient to deter sophisticated adversaries have required approval from the president himself, mostly to avoid overly ambitious and unplanned tactical military activities that could have strategic consequences for the United States. Rivals such as China, with its intellectual property theft, and Russia, with its hybrid warfare, have deliberately kept their cyber operations below the level that would make it onto the president’s agenda—an incredibly high bar.
The U.S. and its allies must push more authority to the commanders of cyber forces so that they have freedom to act to the degree required to keep citizens safe from ongoing and imminent cyber operations. President Trump’s decision to revisit PPD 20 and take off some of those handcuffs is a necessary first step. More tolerance will be needed in the political sphere for engagement with the adversary and inevitable mistakes without actions becoming bogged down in partisan recriminations.
U.S. and allied policymakers should also reconsider the wisdom of overreliance on targeted sanctions, one of the current preferred policy tools. With regard to cybersecurity, sanctions and related policy tools such as indictments are mostly utilized as unobjectionable, lowest-common-denominator policymaking. Absent concrete or creative ideas, with limited military and intelligence options for countering threats without undue escalation, successive U.S. administrations have relied on sanctions and indictments to signal U.S. “displeasure” to adversaries.
There is no evidence that such measures have improved cybersecurity for the United States. Chinese operations continued apace after the 2014 indictment of hackers associated with the Chinese military and decreased only after diplomatic efforts became serious. Sanctions on Russia have preceded its most potent cyberattacks, while arrests have become bilateral irritants contributing to spiraling distrust and widespread preparations for cyber sabotage.
Targeted sanctions—especially those targeting government officials for activities undertaken in their official capacity—have also normalized state-on-non-state activity in cyberspace, exactly the opposite of the state-to-state cyber norm the United States should be seeking in order to prevent threats to its own sovereignty and legitimacy at home. While there may be other strategic reasons to levy sanctions, claims that doing so will deter rivals from engaging in cyberattacks should be viewed skeptically in light of the results to date.
In fact, such activity can magnify the damage cyberattacks cause to legitimacy if indictments are unlikely to result in extradition and trial. The U.S. should abandon legal proceedings it knows will be toothless as a means of foreign policy because they undermine public confidence and governing institutions while raising the perceived influence of the targeted individual’s country.
In light of the inefficacy of current non-military policy tools, Sen. Ben Sasse’s “Cyber Solarium” proposal to find all-spectrum deterrence options to cyber threats merits serious consideration—if only to end tit-for-tat scenarios in which the United States, because of its greater wealth and reliance on information technology, consistently loses.
While legal and practical concerns persist—I predict that hand-wringing, particularly among European allies and lawyers, will subside as the consequences grow—failure to act is effectively choosing to cede control not only of cyberspace but of domestic governing legitimacy. By attacking citizens and exploiting bureaucratic and strategic failures, cyber adversaries will eventually call into question both the legitimacy and ability of the U.S. government to do its job. That threat should be the guiding principle when officials decide what pace of change and risk of failure they can tolerate.