What constitutes an act of war in cyberspace? What should the U.S. response options be to a consequential cyberattack? These questions are repeatedly asked at Congressional hearings, with U.S. officials struggling to provide satisfactory answers.
Today, the Center for Preventive Action released a Contingency Planning Memorandum, “Strategic Risks of Ambiguity in Cyberspace,” which I am tremendously proud to say directly addresses these issues and much more.
Written by Benjamin Brake, a CFR international affairs fellow and foreign affairs analyst in the Bureau of Intelligence and Research at the Department of State, this report details how the Obama administration can strengthen its ability to correctly and efficiently attribute an attack, reduce the likelihood of escalation, and mitigate the consequences of an ambiguous attack. This report does not reflect the position of the U.S. government, but tracks closely with how many officials and staffers in cyber-related agencies are thinking.
Most recently, in a March hearing, Sen. John McCain (R-AZ) asked Adm. Mike Rogers, director of the National Security Agency, “Does this raise the issue…as to whether we have a policy or not as to what to do in the event of cyberattacks? Do we just spend our time trying to erect further defenses?...Or do we start devising ways to raise a price for those attacks?...Doesn’t that mean that we should start devising methods and capabilities to enact a price for these people to pay, whether they be nation states or rogue individuals or groups?” Rogers gave a nondescript response, as expected: “We not only need to continue to build on the defensive capability, but we have got to broaden our capabilities to provide policymakers and operational commanders with a broader range of options…We also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence.”
Brake writes that over the next twelve to eighteen months the United States could face several plausible contingencies in cyberspace that would be complicated by intentional or inadvertent ambiguity. Past actions of Iran and North Korea suggest they are the most willing to conduct destructive or disruptive cyberattacks, while attempting to conceal responsibility. Although U.S. officials accused North Korea of being responsible for the destructive cyberattack against Sony Pictures Entertainment, North Korean officials repeatedly denied the country’s role and will similarly obscure its involvement in future attacks. In other cases, ambiguity is inadvertent, but just as risky. “Due to the difficulty of determining whether certain activity is intended for espionage or preparation for an attack, cyber operations run the risk of triggering unintended escalation,” writes Brake. BlackEnergy, espionage malware found on U.S. critical infrastructure networks, could be considered “one update away from becoming an attack tool.”
To remedy the risk of conflict stemming from ambiguity in cyberspace, Brake offers a series of preventive and mitigating policy recommendations, including:
• Congress should pass legislation that facilitates real-time information sharing within and between the private and public sectors.
• The White House should issue warnings to adversaries of the potential consequences of violating cyberspace norms, such as “adjustments to network traffic, criminal sanctions, diplomatic condemnation, and U.S. Treasury actions.”
• Congress should create a Department of State Bureau of Internet and Cyberspace Affairs, which would demonstrate that the United States gives as much weight to diplomatic policy options as it does military ones. It should also make the National Security Agency director a Senate-confirmed position eligible for civilians. Missions other than intelligence should be shifted to other appropriate entities, including U.S. Cyber Command and the combatant commands.
• “When possible and appropriate, defense officials should highlight U.S. involvement in offensive cyber operations against states, terrorist groups, and other illicit actors to fortify the credibility of U.S. retaliatory capacity among potential adversaries.”
If you are interested in how the United States should prepare for the most likely and consequential risks to cyberspace, please read Brake’s excellent memo.