Intelligence officials: Cyber domain is still the 'Wild West'
IC leaders and members of Congress tussle over the slow progress toward defining the terms of engagement in cyberspace.
There appear to be two glaring trends in cyber policy today—the lack of defined terms and the lack of deterrence. Government and military officials say that operating in and defining the cyber realm is not easy for several reasons and that it will take a few years to build up the cyber mission force and develop norms – something also incumbent on the international community.
With regard to definitions, lawmakers on Capitol Hill seem to be most concerned with what constitutes “cyber war” and how other activities in cyberspace are different. “Any type of malicious activity, which causes either damage or a theft of materials, theft of information or [intellectual property] – all of those are under either cyber, malicious cyber activities, it might be espionage – in each case, there’s no defined red line for what would constitute an act of war,” Deputy Secretary of Defense Robert Work told Sen. Deb Fischer (R-Neb.) when asked in a Tuesday Senate Armed Services Committee hearing if the administration had a definition for what constitutes a “cyber attack.”
“We’re still working our way through that,” NSA director and commander of the U.S. Cyber Command Adm. Michael Rogers told lawmakers this week regarding cyber definitions of war. While talking about the parameters that could define a cyber act of war, he said that building on conventional war frameworks is a useful exercise – something he elaborated on in greater detail this spring at the Aspen Security Forum. “What [the hack of the Office of Personnel Management databases] represents is a good question … so what are the parameters we want to use? Is it as [Director of National Intelligence James Clapper] has said, is it the intent is within the acceptable realm, is it scale, is it you can do espionage at some level for example but if you trip some magic threshold – hey is 20 million records, is 10 million records – is there some scale component to this?” said Rogers this week.
Clapper and Rogers have previously warned lawmakers about using the proper terms for operations in cyberspace. “Terminology and lexicon is very important in this space,” Rogers told the House Intelligence Committee earlier this month. “And many times I’ll hear people throw out ‘attack’ and ‘act of war’ and I go, ‘That’s not necessarily in every case how I would characterize the activity that I see’.” Clapper agreed with Rogers, saying that although the OPM hack has been characterized as an attack, it actually wasn’t, given its passive nature and the fact that it did not result in destruction. (Although that hack, which exposed detailed information on 21.5 million current and former government employees and contractors, has prompted the United States to pull spies from China over fears that they could be identified.)
Things become much more complicated when it comes to espionage. “And so what this represents of course is espionage – cyber espionage,” Clapper told the Senate Armed Services Committee this week. “And of course we too practice cyber espionage…we’re not bad at it.”
The fact that the U.S. engages in these practices—and a recent cyber agreement the White House entered into with China does not address or prohibit continued espionage—makes responding to such incidents difficult. “So when we talk about what are we going to do for, to counter espionage or punish somebody or retaliate for espionage, well we, I think it’s a good idea to at least think about the old saw about people live in glass houses shouldn’t throw rocks.”
This statement drew ire and, likely to some degree, frustration from the committee’s chairman, Sen. John McCain (R-Ariz.). “So, it’s OK for them to steal our secrets that are most important…because we live in a glass house – that is astounding,” McCain said.
Several lawmakers have been quick to point out—on a bi-partisan basis—that U.S. acceptance that cyber espionage happens doesn’t do much to deter attacks. The key point is imposing some kind of a cost for operations in cyberspace, a domain in which the lines between espionage, hacks and even damaging attacks (something that has only occurred in rare and limited circumstances) continue to be blurred. Given how secretive U.S. cyber operations are, lawmakers say a deterrent must be transparent, physical and flaunted as a means of demonstrating said cost – something akin to nuclear weapons during the Cold War.
“I think the contrast with the Cold War is a good one to think about in that…the concern that people are raising is, Should there be red lines on spying?” Clapper said this week. “That’s really what this gets down to. We didn’t have red lines during the Cold War – it was free-wheeling as far as us collecting intelligence against the Soviet Union and vice versa. There were no limits on that – it was very difficult for both sides. And of course, underlying it – the backdrop to all that was the deterrent, the nuclear deterrent, which of course restrained the behavior even though it got rough… We’re sort of in the Wild West here with cyber where there are no limits that we’ve agreed on, no red lines – certainly on collecting information, which is what the OPM breach represented.”
Work told members of the House Armed Services Committee on Wednesday that “at this point we don’t believe that our deterrence policy has been effective up to this point or as effective as it should be and that’s why we want to strengthen it,” citing attribution as a big hindrance in striking back.
The notion of a whole-of-government approach to responding to cyber incidents is something U.S. officials have long expressed. “[S]omething I would like to emphasize is, although it’s a cyberattack, we don’t think about the response purely through a cyber lens; it would be all the tools of foreign policy and military options,” former principal cyber advisor to the Secretary of Defense Eric Rosenbach said in congressional testimony last spring.
This idea has also been endorsed by members of academia. “When we talk about deterrence today, it is cross-domain,” Bob Butler, adjunct senior fellow for the Center for a New American Security’s Technology and National Security Program, said in a House Foreign Affairs Committee hearing on Wednesday. “It is the idea of using the economic sanctions, potentially, some other tools in the economic inventory…looking at ways we could restrict travel of individuals into our country based on wrongful acts that are being prosecuted. It is certainly building the capability through our law enforcement activities.”
Additional witnesses at Wednesday’s committee hearing outlined various responses the U.S. could take against actions by nation-state actors. Catherine Lotrionte, director of the Institute for Law, Science and Global Security at Georgetown University, echoed Butler’s cross-domain strategy as a policy toward enforcing Chinese compliance with the recent cybersecurity agreement. “I would activate all those elements at once,” Lotrionte said. “Meaning, I would use law enforcement tools, I would start prosecuting those that are violating our domestic law. I’d pull out all the options on sanctions – whether it’s financial or others. I would also look at the WTO and I would start…to bring charges or claims against China for violations in the [Trade-Related Aspects of Intellectual Property Rights] agreement. And of course, less spoken of publicly, I would have our intelligence organizations actively prepared to do counterintelligence and, in the more covert world, things to counter their actions.”
“You have a range of options,” James Lewis, senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies, said regarding the potential responses in cyberspace. “You could, for example, with OPM, you could’ve erased data on some of the Chinese computer networks that held the OPM data…you could leak financial data on the Chinese leadership, you could interfere with the power grid – there’s a whole range of things we could do, but I think the fear is until we do something…people won’t take our threats seriously.”
The Sony hack attributed to North Korea, for example, while not necessarily a terrorist attack, was a coercive measure that sought to instill fear in the entertainment company, and the attack violated international law, according to both Lewis and Lotrionte. Lewis added that the improved attribution capability of the United States to so quickly identify North Korea did scare that country’s leadership.
Another option, mentioned by Butler, is taking the embarrassment route—naming and shaming. Rep. Brad Sherman (D-Calif.) noted that China’s corruption gives the United States an advantage in the shame game. “Could we, for example, steal Chinese proprietary company corporate information and just either hand it to an American company, which would raise huge questions—which company—or just publish it?” he asked Wednesday. Lotrionte said the United States could conduct economic espionage if it decided that was a course it wanted to take. She said the United States has the legal authority to publish such information as well as provide this information to private companies.
U.S. officials have described proportionality as the way forward in terms of striking back—similar to the way the United States responds to kinetic attacks. However, with ill-defined norms in the cyber realm, proportionality can become obfuscated, and deterrence policy can suffer.
“We don’t play offense. China hacks, we don’t talk about what tariff to put on all Chinese products in order to compensate ourselves for that,” Sherman said, adding that it’s more acceptable to ask for funds for defense rather than offense. Intelligence officials agree. “Personally, and this is not a company policy, this is my own view, that until such time as we do achieve or create both the substance and the mindset of deterrence, that this sort of thing is going to continue – the OPM breach,” Clapper said earlier this month.
However, as Lotrionte alluded to, there can be covert activity taking place hidden from the public eye, something that lawmakers have taken issue with in terms of a robust deterrent effect. Former NSA contractor Edward Snowden, in a forthcoming PBS interview, appears to refute Sherman’s words. The U.S. Cyber Command is “an attack agency,” Snowden said. “If you ask anybody at Cyber Command or look at any of the job listings for openings for their positions, you’ll see that the one thing they don’t prioritize is computer-network defense. It’s all about computer-network attack and computer-network exploitation at Cyber Command.”
As they did during the Cold War, international norms will emerge in cyber. It is just a matter of when.
Lotrionte agreed with the frustration of some lawmakers over how long the process has taken, with terms relating to war and attacks in cyberspace still ill-defined. She said the current environment “remind[s] me when I was in the Intelligence Community the years leading up to 9/11 and it was like a good 15, 20 years it took people to understand what would be an armed attack under the law by non-state actors like terrorists that would allow us to use force in response against them and somebody else’s sovereign territory.”
Sean Lyngaas of Defense Systems’ sister publication FCW contributed to this report.