Erica D. Borghard is an Assistant Professor at the Army Cyber Institute at West Point. Shawn W. Lonergan is a U.S. Army Reserve officer assigned to 75th Innovation Command and a Director in the Cybersecurity and Privacy practice at PricewaterhouseCoopers. You can follow them @eborghard and @Shawn_Lonergan.
The views expressed in this article are personal and do not reflect the policy or position of the Army Cyber Institute, U.S. Military Academy, Department of the Army, Department of Defense, U.S. Government, or PricewaterhouseCoopers.
Last week, the Washington Times reported that the United States had begun to conduct cyber operations against China in response to large-scale cyber-enabled intellectual property (IP) theft. These operations reportedly included U.S. cyber-enabled theft of information about Chinese military technology, in other words, giving the adversary a taste of its own medicine. They follow a December 2018 Department of Justice indictment of several members of a Chinese cyber threat actor group, dubbed APT 10, for intellectual property theft, as well as similar indictments in October for theft of aviation trade secrets.
If reports about the recent cyber operation are accurate, it would represent a significant departure from the U.S. approach to this behavior thus far, which had focused on a “name and shame” strategy that leveraged legal and diplomatic instruments of power. This new, more robust strategy to address IP theft likely reflects the reality that legal and diplomatic measures alone, while generating some positive outcomes, have failed to stem the tide of cyber-enabled IP theft. This is concerning because rampant Chinese IP theft in “grey area” industries such as aviation and aerospace, as well as in other industries that develop and produce U.S. military weapons systems, threatens to reshape the overall distribution of conventional military power between the United States and its strategic competitors.
The United States clearly recognizes that it can do more to counter IP theft of national security assets. However, any program to counter IP theft must strike a difficult balance. On one hand, it must impose direct and indirect costs on perpetrators of IP theft that outweigh the benefits they gain. At the same time, it must avoid self-defeating economic effects (for instance, trade wars) and clearly signal the intent behind policy actions so they are not mistaken for precursors to war. It is clear that the legal and diplomatic approach to cost imposition, which is limited to inflicting discrete costs on indicted individuals and more diffuse reputational costs on the governments that sponsor such activity, has not produced an appreciable change in behavior. This raises the question: Is a U.S. strategy of responding to cyber-enabled national security IP theft through offensive cyber operations that include theft of adversary IP the right way to generate costs and change behavior?
We argue that this is problematic for two reasons. First, it undermines U.S. efforts to develop norms against cyber-enabled IP theft. The United States has a comparative advantage in innovation and should not take steps that could further erode protections for it. Second, this approach will not be sufficiently costly in practice to alter adversary behavior. The reality is that the United States is unlikely to devote the scale of manpower and resources to cyber-enabled campaigns of adversary IP theft that would be required to impose meaningful costs on their targets.
Rather, we recommend a program of deepening public-private collaboration between the Defense Department (DoD) and the defense industry, which balances the objective of imposing costs on adversaries with the risks of escalation. Private entities like Boeing and Lockheed Martin typically have a deep understanding of the threat environment and threat actor tactics, techniques, and procedures (TTPs) because they own and operate the networks and systems that threat actors target on a daily basis. However, they are constrained by legal limits on engaging in active measures. The reverse is true of the U.S. government: the government can engage in proactive defense measures (such as active defense or hacking back) as well as offensive cyber operations, but lacks the same picture of the threat environment. Collaboration, therefore, is imperative.
The defense industry already cooperates with the Defense Department through several institutional mechanisms. The Defense Industrial Base (DIB) Cybersecurity (CS) Program, for instance, was established as a voluntary initiative for sharing unclassified and classified cyber threat information. The DoD Cyber Crime Center (DC3) is the organization that implements the DIB CS Program. A similar information-sharing program within the defense sector exists through the National Defense Information Sharing and Analysis Center (NDISAC).
While existing information-sharing efforts are important, they focus on supporting reactive, defensive postures that respond to recognized activity after it has already occurred. Moreover, they do not treat threat actors as evolving organizations with organized campaign plans that may encompass a range of tradecraft. Put simply, the current approach fails to meet the challenge of anticipating and preempting the adversary.
Therefore, public-private partnerships for national defense should be re-energized with the DC3 and NDISAC as the anchoring organizations to support a more robust, better-resourced collaborative effort. This effort should contain three elements: 1) an intelligence-sharing and joint analysis program across classification lines; 2) developing and routinely exercising playbooks; and 3) predefined countermeasures.
First, an early warning program based on directed intelligence collection against threat actors and their TTPs, providing proactive information to network defenders, is critical to ensuring the long-term integrity of U.S. national security innovation. Stakeholders across the defense industry and government, including the intelligence community, should build on and expand existing classified and unclassified intelligence-sharing efforts to get ahead of the threat, rather than responding to and sharing information about it after the fact. This is especially important for IP theft because, absent a rapid responsive countermeasure, little can be done to repair the damage once proprietary information has been lost. An early warning program should include developing measurable indications and warning, and should aim to produce holistic assessments of threat actors as strategic, learning organizations with evolving TTPs. This will enable firms in the defense industry to be proactive about network and infrastructure defense in anticipation of future adversary behavior.
Second, stakeholders should develop and routinely exercise playbooks that stipulate roles and responsibilities for scenarios involving likely adversaries in which, based on early warning, theft of national security IP is imminent or a critical threshold has been breached. Playbooks should synchronize response efforts across the interagency to coordinate potential policy options taken by various departments and agencies. The outcomes of playbooks and exercises should drive decision-making about defensive strategies and the emplacement of early warning assets (such as sensors), and refine collaborative intelligence collection and analysis. Playbooks should also explicitly recommend policy options for appropriate countermeasures that account for the compressed timeframe in which a response must occur before the adversary can capitalize on stolen property. The process of developing and exercising playbooks will also create shared expectations about, and credibility for, countermeasures at various thresholds.
Finally, in cases where adversaries succeed in stealing valuable IP, the Defense Department, in conjunction with select intelligence agencies, should establish criteria and corresponding rules of engagement for offensive cyber countermeasures. The Cyber National Mission Force (CNMF) or select intelligence agencies can employ offensive cyber countermeasures in non-U.S. cyberspace to corrupt or degrade stolen national security information and the infrastructure and capabilities used to acquire it. While it may be impossible for the CNMF to recover or neutralize all stolen IP in every case, offensive counter-operations can still degrade the adversary’s capabilities and therefore make its operations costlier to conduct in the future. These operations could thus serve the dual function of covert or overt signaling and attrition of adversary capabilities.
There are a number of proactive measures the U.S. government can employ to confuse and foil adversaries as well. Proactive deception efforts based on the principles of military deception, for instance, can force adversaries to reveal themselves, expend valuable resources pursuing false targets, and lose confidence in the integrity of the property they have stolen. While there are strict limits on the Pentagon’s ability to operate in U.S. cyberspace, the Department of Homeland Security and intelligence and law enforcement agencies (including the Air Force Office of Special Investigations) have greater purview in this space. Therefore, government responses should consider the conditions under which proactive deception, such as emulated networks, planted false or harmful information, beaconing capabilities, logic bombs, and honeypots, could be employed.
A more proactive effort by the U.S. government and private entities to thwart national security IP theft will necessarily increase the risks of miscalculation and potential retaliation. Coupling these efforts with continued diplomatic and legal levers can mitigate some of these concerns. However, the reality is that if the U.S. government finds the status quo unacceptable, it must accept certain tradeoffs in developing implementable policies to address it, or otherwise risk the continued erosion of U.S. relative power.