2 April 2017

America's plan for stopping cyberattacks is dangerously weak

by Greg Allen 

Outside contributors' opinions and analysis of the most important issues in politics, science, and culture. 

In 1899, diplomatic representatives from the world’s leading nations, many in elegant suits adorned with gold pocket watches and sporting exquisite waxed mustaches, gathered in the Hague, Netherlands, for a grand conference. The diplomats set out to achieve nothing less than taming the destructive potential of a new military technology. The recent invention of motor-driven military aircraft had led all nations to fear man-made storms of balloons raining bombs on their cities.

After weeks of tense negotiations, the diplomats emerged to announce a stunning victory for world peace: a five-year ban on the offensive military use of any aircraft — which they hoped would soon be made permanent. Fifteen years later, in 1914, with the outbreak of World War I, the diplomats’ soaring ambitions crashed into two stubborn facts: Airplanes are critical for winning a modern war, and losing a modern war is terrifying. The ban evaporated, and bombs fell on every European belligerent’s capital save Rome.

The United States again confronts the grim challenge of managing technological advances and their implications for warfare (as it has several times since, from chemical weapons to missiles to drones). Today, cyberweapons are nearly as synonymous with military power as fighter jets. What’s more, as demonstrated by the recent New York Times report on the cyberattacks used to disrupt North Korean ballistic missile tests and the latest WikiLeaks claims about a CIA hacking unit, cyber capabilities are too tempting for governments to refrain from using — even in peacetime.

Most of this activity is merely espionage, but cyber operations are unique in that espionage operations can easily transform into offensive attacks that deliver real-world destruction. Persuading the world’s militaries and intelligence agencies to stop building ever more powerful cyber arsenals appears as impossible as convincing them to renounce the use of attack aircraft.

Nevertheless, the United States must find a way to reduce the threat from hostile state actions in cyberspace, or else risk cyber hostilities escalating into full-blown war. Doing so will require changes to US cyber diplomacy, the bolstering of cyber defenses, and the establishment of credible cyber deterrence.

Nations are already engaged in bold cyberattacks. How long before it escalates into real-world warfare?

It’s true that small but talented teams of cybercriminals can execute impressive operations, and that cybercrime threatens individuals and companies as well as nations. Still, there is an immense difference between an everyday cybercriminal and the power wielded by a government like the United States.

America spends $6.7 billion annually on unclassified military cyber activities plus unknown billions more to develop and deploy the cyber capabilities of classified agencies. If President Donald Trump’s planned $54 billion increase in defense spending becomes law, cyber funding will almost certainly see further dramatic increases.

Since digital weapons are often cheaper than physical ones, dollars spent on cyber capabilities buy serious bang for buck. Militaries and intelligence agencies from around the world have used cyberattacks to shut down an air defense radar network prior to bombing, knock out a power grid, steal billions of dollars’ worth of jet fighter R&D, steal tens of millions of actual dollars, destroy nearly every computer in an oil company’s network, disrupt elections, and cause nuclear weapons centrifuges to violently self-destruct.

And these are merely the cyberattacks that have filtered out into the media. Some, such as Stuxnet, are nearly a decade old. Cyber capabilities, which remain closely guarded secrets of major militaries, have only grown stronger since.

“Many countries fear the full brunt of US-UK cyber hostility could be regime-threatening,” Sir John Sawers, who led the British Intelligence Agency MI6 from 2009 to 2014, told me in an interview. Sawers now serves as chair of Macro Advisory Partners.

Cyberwarfare appears to be distinctive in that, so far, deterrence appears to be less effective than in other arenas of armed conflict. America’s formidable aircraft and nuclear weapons deter attacks by air and by missile, but its fearsome cyberweapons have not been enough to prevent cyberattacks.

Certainly, major states have cyber capabilities they fear to use because of potential consequences. But America’s extraordinary spending and advanced weaponry weren’t enough to stop Russia from interfering with the US election or China from stealing hundreds of billions of dollars of US military technology. Deterrence in cyberspace is only partial. It’s like street fighting, in which antagonists generally refrain from deliberately gouging eyes or punching throats but will still beat the hell out of each other.

Any hostile military aircraft that strays into US airspace is likely to be detected and destroyed quickly, and the offending country would be subject to equally prompt retaliation. In contrast, a single slip in maintaining proper computer security procedures, or a single vulnerability in a system’s code, can open the digital gates to hackers, who thereafter operate undetected in the targeted network for days or even years.

In 2014, the Pentagon conceded that nearly all of its weapons systems are vulnerable to hacking. A year later, the Office of the Director of National Intelligence ranked malicious cyber activities as the greatest threat to national security.

It’s also going to be hard to maintain the advantage in cyber capabilities — and hard to keep US-built cyberweapons out of adversaries’ hands. When China stole the blueprints and R&D data for America’s F-35 fighter aircraft, for example, it likely shaved years off the development timeline for a Chinese F-35 competitor — but China didn’t actually acquire a modern jet fighter or the immediate capability to make one. That’s because aerospace manufacturing is incredibly difficult, and China can’t yet match US competence in this area.

But when a country steals the code for a cyberweapons, it has stolen not only the blueprints, but also the tool itself — and it can reproduce that tool at near zero-marginal cost.

James Comey, FBI director, shakes hands with Michael Rogers, director of the National Security Agency, after testifying about Russian meddling in the 2016 presidential election. Zach Gibson / Getty

Just last year, a group of hackers believed to have ties to Russia tried to auction off stolen NSA cyberweapons on the black market. WikiLeaks, which has a source that apparently compromised the CIA’s cyber unit, plans to release the cyber tools it acquired, purportedly so that tech companies can update their software to repair the vulnerability.

Fortunately, the vulnerabilities that these tools exploit appear to be old, and therefore many have already been patched by affected companies such as Apple. Still, no one knows what WikiLeaks’ source did with the stolen tools before giving them to Julian Assange.
In the cybersphere, the line between espionage and attack is thin — which heightens the danger of escalation

The stolen CIA tools appear have been created to exploit vulnerabilities in targeted systems to secure access and establish surveillance, not to wreak physical destruction. But just as a sniper’s telescope can be used to either spy on a target or aim a shot, cyber tools for securing surveillance access are often identical to the tools used to deliver a destructive payload.

In the cyber domain, the line between espionage, which countries typically do not find sufficient to justify retaliation, and attack, which they do think warrants an armed response, is often blurred.

That leads to heightened tensions and adds to the risk of a miscalculation. When a country determines that someone has secured cyber access to its nuclear arsenal, for instance, it is unclear if the intention is spying, sabotage, or a preparation for all-out war. It’s hard to be calm when you are constantly discovering sniper rifles aimed at your chest.

So far, no hostile uses of cyber have directly led to war between nation-states, but it would be foolhardy to count on that trend continuing forever. Not all deadly air-to-air dogfights or missile attacks result in wars either, but with air combat, most states try to avoid rolling the dice unless they are prepared for war.

In contrast, because cyber operations for espionage and attack are cheap and might go undetected, states find them irresistible­ — they roll the dice again and again. States think they know what they can get away with, but, in truth, each side can at best make an educated guess at where their adversary will draw the line, and respond with force. Meanwhile, the potential fruits to be gained using the latest and greatest cyber tools grow ever more tempting.

The goal in cyberwar, or cyber diplomacy, is to get states to roll the dice less often, and to clarify the chances they take on each roll. For the United States, achieving this will sometimes require strategic restraint, sometimes demonstration of resolve — and sometimes retaliation. Addressing the threat of cyberwar and hostile escalation will require an improved US cyber policy across three areas: diplomacy, deterrence, and defense.

The US State Department has been trying for nearly a decade to establish behavioral norms in cyberspace, while the US defense and intelligence communities have been working to establish credible cyber deterrence. Toward the end of the Obama Administration, there were some signs of progress, such as Obama’s threat of economic sanctions on China. These helped reduce (but did not eliminate) China’s state-sponsored cybertheft of US intellectual property. The Department of Justice (DOJ), for its part, recently released indictments full of damning evidence of the Russian government’s collaboration with cyber criminals.

Unfortunately, the leaked draft of President Trump’s executive order on cyberthreats and efforts to combat them did not mention the DOJ or the State Department’s work on cyber norms. Both omissions are significant errors, as is the administration’s budget request, which plans to cut State Department funding by 31 percent just as the agency’s diplomatic efforts on cyber are gaining momentum. A military-first approach to cyber fails to recognize the important role that law-enforcement and diplomatic organizations have in achieving US goals in this domain.

What follows are moves the Trump administration could make to demonstrate that it is taking this fast-developing threat seriously:
The US needs to make clear what kinds of cyber intrusions will not be tolerated

First, the United States needs to clarify to other countries through diplomatic channels which actions in cyberspace the US is likely to interpret as escalatory — and seek those countries’ views on the same questions. Given cultural gaps and divergent national interests, this is nowhere near as straightforward as one might assume.

For instance, strategists writing for Chinese military journals have argued that in the event of a hostile maritime incident with the United States, shooting down US early-warning satellites could be a de-escalatory measure — a response signaling a desire for no further fighting. The truth, of course, is that such an action might spark a full-blown war.

Identifying and resolving whatever similarly disastrous misconceptions might exist on cyber issues will require continued diplomatic and military-to-military engagement. All countries are still learning to communicate their preferences, intentions, and levels of resolve in the new language of cyber espionage and cyberwar.

The 2015 Department of Defense Cyber Strategy states that the United States may respond to — and escalate to armed conflict in the case of — any cyberattack on US “critical infrastructure,” singling out 16 areas that would be protected (the “Chemical Sector,” “Critical Manufacturing Sector,” “Transportation Sector,” and so on). But the list of no-go zones, maintained by the Department of Homeland Security, isn’t comprehensive enough.

After Russia’s interference with the 2016 election, for instance President Barack Obama felt the need to reclassify American elections as critical infrastructure to fall under the policy’s protective umbrella. Many other gaps remain. For example, government weather forecasting and GPS satellites, crucial for protecting and enabling America’s critical infrastructure, currently fall outside the definition. Poorly crafted statements on what targets will prompt countermeasures raise the risk of warfare.

Second, the United States must back up its words about what count as “unacceptable” threats with action. After China made off with millions of government personnel records by hacking the Office of Personnel Management, the United States declined to retaliate since the attack was “fair game” under international norms of espionage.

Perhaps that strategic restraint was the right response, but the United States has not clearly defined what falls outside bounds of fair game, a problem made worse by the insufficientresponse to Russia’s cyber meddling. Both enemies and allies alike have reason to doubt the United States’ resolve.

To reestablish credible deterrence, the United States must be willing to act but find a way to do so that limits the risk of escalation. As President Obama said in December, “Our goal continues to be to send a clear message to Russia or others not to do this to us, because we can do stuff to you.” In fact, that is not a warning that we’ve delivered convincingly — at least not in public.
We now have the ability to figure out where attacks came from

Strong deterrence also requires dispelling the misconception that the source of cyberattacks cannot be reliably identified. In 2010, then Deputy Secretary of Defense William Lynn wrote, “Whereas a missile comes with a return address, a computer virus generally does not.” Lynn’s argument becomes less true by the day.

As the latest DOJ indictment of Russian state-sponsored hackers should make clear, attribution is no longer a routine problem for the US government, thanks to improvements in cyber forensics, cyber espionage, and noncyber sources of intelligence. But to achieve the desired improvements in deterrence, senior US officials must effectively communicate the nation’s new capabilities in cyber attribution.

Improved communication is critical, but it’s not enough. The United States must also deliver a proportional response that will make Russia and others think twice before using cyber capabilities to attack the United States in the future. The Obama administration focused on economic sanctions and criminal indictments, a reasonable first step.

However, Russia’s ongoing meddling in European elections suggests that Obama’s message was not received. The United States could redouble its financial and criminal sanctions but it should at least consider a proportional response in the cyber domain. The US might: 
Take an eye for an eye, with document leaks: Proportional responses in warfare follow the logic that anything your adversary illegitimately does to you, you are legitimately justified in doing to it. Since Russia hacked into the email of US politicians and strategically leaked the documents, the United States could respond in kind. 

Rather than imposing sanctions on members of Putin’s inner circle, the United States could leak embarrassing emails from within it. The leaks won’t make it onto Russia’s government-controlled nightly news, but Russia’s oligarchs have business partners and rivals both at home and abroad that could make good use of revelations of corruption, fraud, and backstabbing. 

Weaponize Russia’s social media: Russia used strategically leaked stolen information and Twitter bot networks to take advantage of the United States’ freedom of the press. The United States could likewise develop a network of Russian social media accounts and use them to spread embarrassing documents and information. 

If the United States sought to be especially aggressive, they could even take control of major Russian news and media websites in order to disseminate the information. 
Punish Russian cyber units: In noncyber warfare, retaliatory attacks are traditionally considered less escalatory when targeting the specific military unit that attacked you. The United States should therefore consider imposing costs upon the Russian cyber units involved in hacking US elections. The bank accounts of the units’ leaders might suddenly empty — or, again, embarrassing personal information about them might begin to circulate. 

The United States could respond to the Kremlin’s cyberattacks with proportionate hacks. Oleg Nikishin/Getty

Though these retaliatory attacks are designed to be proportional and nonescalatory, there is no guarantee that the Russians would perceive them that way, so they must be backed up by effective communication and public diplomacy.

The United States can risk escalation by responding appropriately or it can risk future attacks by failing to demonstrate resolve. This is an admittedly difficult needle to thread, but the Trump administration’s lack of a response to Russia’s election meddling is setting the message that this behavior will be tolerated. Indeed, prior to Michael Flynn’s dismissal, he suggested that the United States would lift Russian sanctions. The consequence of this deterrence failure will be seen in Russian cyber aggression throughout Europe and the world.

Finally, while cyber offense is probably a sexier activity for US hackers, defense is more important. While it’s true that the United States is unlikely to ever achieve the near-absolute security it enjoys over its physical airspace, there is dramatic room for improvement in protecting its virtual territory. Most cyberattacks on the United States are enabled by human error and failures of management, so proper training will be part of the solution.

But so will technology, including cyber defenses enhanced by artificial intelligence and machine learning applications — methods already under study at the Defense Advanced Research Projects Agency. With proper focus and investment, a world is not far off where many software vulnerabilities are identified and patched by AI before a system is ever deployed.

In 2015, diplomats from around the world gathered again in The Hague for a grand conference, this time on cyberspace. No grand bargain was struck. The conference’s goals were more modest than those of the 1899 meeting — participants sought to establish norms of state behavior in cyberspace and promoting practical cooperation. But we must hope that the progress from this and other diplomatic negotiations on cyber is more enduring than that of The Hague conference on aircraft.

If global cyber conflict continues to escalate at its current pace, the world risks the cyber equivalent of the 1914 assassination of Archduke Franz Ferdinand — a seemingly trivial spark that ignited the flames of war.

Greg Allen is a George Leadership fellow at Harvard Kennedy School and Harvard Business School. He previously worked at the White House Office of Science and Technology Policy. The opinions expressed here are those of the author alone. Find him on Twitter@Gregory_C_Allen.

No comments: