‘What’s the next step?’: US officials are rethinking how to dissuade cyberattacks

Monday, March 9, 2020


In a coordinated show of force last month, the State Department and the Department of Defense joined more than 20 other nations in condemning a 2019 cyberattack on the country of Georgia and attributing it to Russia’s military intelligence wing.

The move was part of a broader “name and shame” strategy aimed at slowing cyberattacks from foreign adversaries, part of a deterrence policy that also includes indictments and sanctions.

But during one of the cybersecurity community’s biggest trade shows, just days after the State Department announcement, U.S. policymakers repeatedly acknowledged their strategies for discouraging state-backed cyberattacks aren’t working. And, in that vacuum, what’s re-emerging is a debate over what the federal government should do now — especially given the expanding threat several nation-state actors pose to the 2020 presidential election.

While some officials hope sanctions and indictments will eventually force hackers to think twice before attacking American networks, other experts suggested that the federal government should lower the bar for a military strike in response to a digital attack.

“We should be very explicit about how low the threshold is for a kinetic response to an attack on our infrastructure,” said Tom Corcoran, a former senior staffer on the House and Senate intelligence oversight committees from 2001 to 2014 and the current head of cybersecurity at Farmers Insurance Group. “It doesn’t necessarily need to cause a loss of life or even a significant economic impact.”

Some current officials are more optimistic.

“We think that the diplomatic aspect of the public attribution and public statements may not work today … but it is setting the expectation, operationalizing this framework that we’ve all agreed to and will have an effect over time,” said Liesyl Franz, senior policy adviser in the Office of the Coordinator for Cyber Issues at the U.S. Department of State. She was referring to a framework agreed to at the United Nations about responsible state behavior in cyberspace.

She added, “what’s the next step? Well, at some point we’ll figure out how to impose additional types of consequences. Sanctions are one tool that we’ve used, indictments are another, but what are other ones that we can do?”

The threshold for armed response

The outstanding problem is that cyberactivity falls below what experts call “the threshold of armed conflict.” One example is the 2014 hack of Sony by the North Koreans that caused tens of millions of dollars in damage to the company. The Obama administration responded with sanctions.

“Think about it this way, if the North Koreans had sunk a cruise liner, just like an empty cruise liner that was coming from a shipyard back to its home port, but they had sunk a $200 million cruise liner, what would our reaction have been? That would have been an act of war,” retired Adm. James Stavridis, former Supreme Allied Commander of NATO, said in an interview with Fifth Domain. “We'd be literally launching B-1 bombers immediately to North Korea. Yet because it was a cyberattack, somehow it's just a hack.”

In another example, Stewart Baker, former general counsel for the NSA, suggested that if Iran were to launch distributed denial of service attacks on U.S. banks, a preferred method of attack by their hackers, the United States could bomb an Iranian oil platform, but provide 24 hours of advance warning to allow the Iranian government to get workers to safety.

Policymakers are careful in responding to this argument. The State Department’s Franz said it is critical governments operate with transparency and warn others that specific types of attacks would lead to an aggressive response. In addition, the response must be proportionate, must not escalate the conflict and must not cause irreversible damage.

“Something that causes pain that doesn’t … [leave] the country in the doghouse forever,” Franz said.

One such example came from Timo Koster, ambassador at large for the Netherlands, who suggested that in response to Russia’s 2014 invasion of Crimea, the international community could have responded by moving the World Cup from Russia, which the country hosted in 2018. That response would have a detrimental economic impact, but not cross a threshold of war. Without such consequences, current behavior will continue, experts said.

Nations hack “because they can,” Koster said. “Very simple. It’s an easy way to get what you want, assert yourself, and it’s something you can probably get away with most of the time.”

Today’s deterrence strategy

While U.S. officials said their strategies may not appear to be working in the short term, the long game is to establish norms of acceptable behavior in cyberspace.

To this end, the Department of Justice has indicted malicious foreign operators. For example, former Special Counsel Robert Mueller indicted dozens of Russians for their role in cyber operations relating to the 2016 election. More recently, the Justice Department indicted Chinese hackers allegedly behind the Equifax breach.

The shortfall of this strategy is that it’s unlikely the United States ever gets those actors in a U.S. court — a reality U.S. officials recognize.

“We’re aware of the fact that in many of those cases, we may not have the opportunity to arrest the individual ... charging a case is reactive, it’s good to hold individual actors accountable,” said Adam Hickey, deputy assistant attorney general in the Justice Department’s national security division. “But that alone is not sufficient.”

Instead, Hickey said the Justice Department wants to win court orders that would allow officials to seize infrastructure as a way to disrupt activities or to gather evidence in an effort to help the State Department and Defense Department build out cases to present to the international community.

Though Justice Department officials recognize they likely won’t see the criminals in court, they hope they may be able to dissuade individual hackers from taking on nefarious work in the first place.

“I suspect that we're maybe changing the thought calculus of even the workforce” of foreign adversaries’ hackers, said Steven Kelly, chief of cyber policy at the FBI’s cyber division. “Where do I want to work? Do I want to work for an organization, and I'll get caught and named the next thing you know, I can't travel to Europe on vacation because I might get arrested?

“This is a new space where everyone in the ecosystem is making decisions about how they want to participate in it and maybe, maybe they don't want to be working for an organization that's going to be causing them personal reputational harm.”

Franz said the United States will continue attribution with its foreign partners because the support of foreign governments is a “force multiplier” and that the strategy will work over time.

“If we can have 20 and 30 countries coming out with us, to join us in a statement of condemnation or … themselves bring consequences, pariah states will start to become more and more isolated,” Kelly said.

Deterrence suggestions on the horizon

In a March 11 report, the Cyberspace Solarium Commission, a group of government and non-government cyber experts, is expected to lay out a “layered deterrence” approach, according to Chris Inglis, a commissioner and former deputy director of the NSA.

The first step is to set expectations for nations’ behavior by working across government agencies, the private sector and allies, the report is expected to say. Second, the federal government needs to strengthen its digital infrastructure, including people and the supply chain, and define the roles and responsibilities to better defend itself. Third, leaders must be willing to impose a cost on bad actors.

“If you haven’t actually shaped expectations, if you haven’t made the kind of digital infrastructure defensible, then you have no business disrupting because you live in a glass house, and that’s going to come quickly back to create chaos, disorder, indiscipline for your own side,” Inglis said.

Several experts agreed with Inglis’ point.

“We may have the biggest rocks; we also have the glassiest houses,” Baker said.

 

Photo: U.S. deterrence policy in cyberspace largely relies on indictments and attributing cyberattacks to foreign adversaries with the support of the international community. (matejmo/Getty)
