For three years running, the U.S. Department of Justice has announced an increasing number of cyber-related charges, indictments, arrests, and pleas by its Computer Crime and Intellectual Property section:
- 2016: 86
- 2017: 138
- 2018: 167 (through Nov. 2)
And 2018 is ending with a steady drumbeat of responses to cyber criminality, concerning both recent attacks and years-old cases involving U.S. companies and vital infrastructure.
- In early November, Justice officials unsealed indictments against more than a dozen Chinese men accused of hacking American aerospace firms for five years, beginning in January 2010. That followed another indictment of three more people and companies with ties to Beijing.
- In October, seven Russian military hackers were charged with “computer hacking, wire fraud, aggravated identity theft, and money laundering.”
- In September — nearly four years after it happened — U.S. officials indicted a North Korean man for his alleged role in the Hollywood-shaking hack of Sony Pictures studios.
But cybercrime watchers are also watching another trend: computers are learning to learn. They’re getting smarter, “organically evolving their own algorithms.” What can the world’s most powerful nation do to better protect its people, economy and values for the digital wars of the 21st century?
In just the past two months, DOJ has prosecuted these and other kinds of computer crimes:
- election hacking;
- foreign influence and disinformation operations;
- economic espionage;
- conspiring to steal trade secrets;
- hacking surveillance cameras;
- recruiting hackers;
- computer intrusion;
- cyberstalking;
- email phishing schemes;
- hacking university websites (West Point, e.g.);
- hacking news websites;
- and much more.
There has been no shortage of large-scale hacks against American infrastructure, institutions and employers. Consider the DNC hack, which contributed to a polluted information stream in the final months of the 2016 U.S. general election. See also the Office of Personnel Management data breach that affected millions of Americans, many with top-secret security clearances. Recall the Sony Pictures hack that rattled Hollywood movie studios in late 2014, just as a satire about the assassination of North Korea’s leader was about to be released in theaters worldwide.
Across the globe, “you cannot separate what you’re doing in cyberspace from the larger geopolitical situation,” said Michael Daniel, CEO of the Cyber Threat Alliance in September. And to that end, it has been China — far more than North Korea — that has taken the lion’s share of American institutional focus on cyber defense in the years since the Sony hack.
For many years, official U.S. retaliation in the cyber domain was viewed publicly as a non-starter. That’s due in part to the notorious difficulty of attributing actors in cyberspace. For better or worse, that norm may now be moving to the dustbin of history. A senior National Security Agency official, Rob Joyce, told an audience in Aspen in early November that “other nations’ hacking efforts into [U.S.] critical infrastructure are not only unlikely to deter us, they’re likely to have the opposite, escalatory effect… cyber doesn’t deter cyber."
"We've decided that we've got to have one element of our national power be cyber capabilities,” said Joyce. “Looking at a strategy that just says: 'We're going to wait until the attacks come to us, and then we'll defend them at the boundary, we'll clean up and remediate and try to push them back out after there's been a compromise, we'll recognize that we lost information'; that's not a winning strategy.”
But is the U.S. well-positioned to escalate in cyberspace, as the Trump administration aims to do with its 2018 National Cyber Strategy? One limiting factor is an apparent dearth of cyber professionals in the United States. The U.S. is in the midst of a cyber personnel shortfall of some 300,000 workers, according to the Aspen Institute’s Cybersecurity Group. That’s a potentially huge problem in a world where more than 2 billion people are believed to have had their personal information stolen or compromised. That’s the same world that sees an estimated 300,000 new viruses introduced daily. The annual damage from cyber crime is believed to approach $600 billion, according to a February estimate from the security firm McAfee.
On the bright side, and as a result of that personnel shortfall, the outlook for cyber-related jobs is bullish and estimated to grow almost 30 percent by 2026, according to the Bureau of Labor Statistics.
Additionally complicating: The pace of technological change — from hardware upgrades to operating system updates — often feels overwhelming to both ordinary citizens and industry officials. "Technology has changed at such a rapid pace, I'm not sure we're safer," said Sean Joyce, who oversees cybersecurity at the auditing and tax service firm, PwC.
Regulators are struggling to keep up. “It’s going to be incredibly difficult to make regulations dynamic enough to keep up with the pace of change in the cybersecurity field,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection, at a book launch back in September.
Proceeding with caution also appears to be the preferred tactic of U.S. Cyber Command, which was reportedly tasked with deterring Russian efforts to interfere in the 2018 U.S. midterm elections. One huge concern in this evolving game of cyber-retaliation: how to keep your adversary “from escalating in response by taking down the power grid or conducting some other reprisal that could trigger a bigger clash,” as The New York Times described the tension.
Similar tensions animate the U.S.-China relationship. With Beijing, however, one consideration is distinctly different: the might of the Chinese economy. And a good forecast for U.S. hacking targets now and in the days to come appears to stem from Beijing’s own plans for its future, Dmitri Alperovitch, of the cybersecurity firm CrowdStrike, said last week in Aspen.
“For two decades, our strategy has been, ‘Pretty please, China, will you please stop stealing all of our intellectual property?’” Alperovitch said. “That clearly hasn’t worked.”
“This is across many, many sectors of [the U.S.] economy. We’re seeing this in law firms, insurance companies, manufacturing, biotech, you name it,” he said. “An industry that is part of China’s 2025 plan — guess what? Those industries are getting hacked.”
Those China 2025 industries include:
- New information technology
- High-end numerically controlled machine tools and robots
- Aerospace equipment
- Ocean engineering equipment and high-end vessels
- High-end rail transportation equipment
- Energy-saving cars and new energy cars
- Electrical equipment
- Farming machines
- New materials, such as polymers
- Bio-medicine and high-end medical equipment
"The strategy of putting pressure on China ultimately is the right strategy,” Alperovitch said. “I think for the longest time, the U.S. government really misunderstood this issue in dealing with this as a ‘cyber problem.’ This is not a cyber problem; it is an economic warfare problem that is being conducted through cyber as well as other means.”
U.S. officials have been trying to mitigate the threat from China for many years now. In 2015, President Barack Obama forged a pledge with Chinese President Xi Jinping to cease cyber economic espionage. And for a series of months immediately after that agreement was made, hacking from China decreased significantly, according to Alperovitch.
Today, however, U.S. officials think China is back to its pre-pledge tricks. When asked if Beijing is violating its part of the 2015 pledge, Rob Joyce said, “We think they are…it’s clear that they are well beyond the bounds today of the agreement that was forged between our countries.”
Another complicating factor that may be a bit foreign to U.S. readers: What Symantec CEO Greg Clark called a certain “philosophical problem” with China.
“In China, ownership of an idea is not in their fundamental 10,000-year-old philosophy,” Clark said. “Ideas are for everybody. Products that incorporate those ideas are protected and have normal legislation. So we have a philosophical problem trying to protect an idea at the head of state level between the U.S. and China.”
As the U.S. and its allies work to persuade China and perhaps even Russia to ease off their sponsorship of cyber attacks, one promising approach might be to develop the definition of online criminality. “If you really want to make a dent in the cyber problem, before you make it about the U.S. versus Russia, or the U.S. versus China, I think we should think about policies that co-opt their government into a combined effort around criminal organized crime — cyber crime” with applications to nation-state companies, Clark said.
Of course, agreeing to eventually define “criminal organized cyber crime” is easier to do than actually agreeing on a definition. But this approach appears to contain less inherent tension than standard U.S. responses: sanctions, public naming and shaming, or any number of reactions which could fall under the “whole of government” responses to U.S. national security challenges.
The good news: The OPM, Sony, and DNC hacks helped raise general public awareness of cyber threats and risks. And “We delivered a pretty successful 2018 election defense,” Joyce said. “We’ve learned a lot, we’ll continue to improve.”
The bad news: Virtually everyone is still failing at the basics of cybersecurity.
“Friends don't let friends use one-factor authentication.” (Aspen)
One big legendary cyber question still unanswered: Which is worth more to a society: citizens’ privacy or public safety? How can the U.S. and its allies best balance user privacy — of the sort promised by end-to-end encryption — with law enforcement entities’ ability to investigate and possibly prevent or mitigate threats to national security?
With the rising number of smart devices inside our homes like Alexa or Google Home, this question is becoming more pedestrian than existential. Indeed, as one expert suggested at Aspen, “The idea that your grandmother can use Alexa to call the hospital in an emergency is probably much better than the risk that her privacy may have been violated.”
In the meantime, perhaps increased personnel is the best salve for a cyber-wounded state like the U.S. To that end, the Pentagon’s Cyber Command recently acquired “the ability to commission individuals not as lieutenants but as colonels," said CYBERCOM’s Brig. Gen. Jennifer Buckner.
It could be that what is truly at stake in cyber deterrence and cyber regulation goes far beyond the preservation of the wholly Western value of liberty. But at the end of the day, as Ciaran Martin, a top British cybersecurity official at the unremarkably named intelligence agency called Government Communications Headquarters told the crowd at Aspen, "If we compromise on the fundamental principles of liberty, we've lost the whole thing.”