The Director of National Intelligence released his annual threat assessment last week, and cyberattacks top the list. There were at least three headlines in Clapper’s written and oral statements. First, while a "cyber armageddon"—a destructive attack that debilitates wide swathes of U.S. infrastructure—might be possible, it is very unlikely. Instead, the risk is from an "ongoing series of low-to-moderate level cyber attacks," which will "impose cumulative costs on U.S. economic competitiveness and national security." Second, China may get most of the press coverage, but Russia is a serious challenge. In fact, Clapper admitted that the "Russian cyber threat is more severe than we’ve previously assessed." Third, Clapper accused Iran of hacking the Sands Casino and warned that the next wave of attacks could change or manipulate information, impairing decision making by government officials, corporate executives, or investors.
As several other U.S. government officials have done over the last several months, Clapper also claimed that attribution has become easier. Hackers can no longer assume that their attacks will be undetected and they can no longer expect that when attacks are unmasked, their identities will remain anonymous. With enough time and resources, attacks can be attributed. This, however, has not created deterrence. Breaking into networks remains easy, the gains of the attacks high, and the relatively long delays between attack and attribution create a permissive environment.
This seems to be especially true in the case of China. Clapper notes that Chinese cyber espionage continues despite "detailed" private cybersecurity reports attributing attacks on U.S. companies and government agencies, "scathing" public denouncements, and "stern" U.S. government demarches. Clapper does suggest one way of limiting attacks. Because Chinese hackers use relatively simple tools and techniques, improving defenses would force them to develop more sophisticated, expensive, and time-consuming methods. The costs of economic espionage would go up.
Coincidentally, I was at a conference last week in Washington focused on this exact question: how do you raise the cost to Chinese hackers? There was a great deal of skepticism that the United States would be able to get China to accept a norm against the cyber-enabled theft of intellectual property, trade secrets, or business strategies. Other states do not believe the United States actually adheres to the norm, and many friends of the United States actively engage in cyber-enabled economic espionage. One participant, for example, noted an uptick in attacks on U.S. companies coming from South Korea.
There was also little sense that big technology companies would be interested in pursuing trade or other sanctions against the Chinese firms that are thought to be benefiting from the theft. Smaller firms might have the stomach for a fight, but the larger firms, with sizable investments in the market, are already overexposed to retaliation from the Chinese government. Things are already bad, with foreign technology being removed from government procurement lists and a draft counterterrorism law that would require firms to hand over encryption keys and install backdoors, and they fear that it will only get worse.
Instead of raising the costs by engaging in active defense, where small groups of U.S. hackers with highly detailed intelligence disrupt attacks in China before they hit U.S. networks, the one idea that generated any enthusiasm was to use deception to lower the value of the information Chinese hackers stole. Here the model is the Farewell Dossier. In 1981, French intelligence obtained the services of Col. Vladimir I. Vetrov, "Farewell," who photographed and supplied 4,000 documents on KGB efforts to obtain scientific and technical secrets. President Mitterrand offered the information to President Reagan, and the CIA discovered that the Soviets had already stolen radar, computer, machine tool, and semiconductor technology. In an effort to conduct its own version of economic warfare on Moscow and poison the collection efforts, the CIA fed Soviet agents fake information that would later fail. (Fans of The Americans will recognize this plot line. Elizabeth and Philip send stolen plans of propellers that cause a submarine to sink.)
A strategy of poisoning the well would require cooperation from industry. Companies would have to help design fake but attractive data and maintain it on their networks (and make sure it was not used by mistake internally). This might be too high a bar for many companies, but even a failed cyber Farewell Dossier, or just the suggestion that companies are adopting such a strategy, could raise costs for Chinese hackers. Once there was doubt about the veracity and usefulness of data, all information taken would be subject to much higher levels of scrutiny, which may force a slowdown in collection. Hackers might become more cautious, afraid of supplying faulty goods to their customers and superiors.
Last year’s worldwide threat assessment contained no reference to making hacking more difficult for China, but we shouldn’t read too much into one section of this year’s assessment. The United States will continue being detailed, scathing, and stern with China on cyber industrial espionage, and one U.S. government official at the meeting insisted that he was "not convinced that the boat had sailed on norms." But Clapper’s brief mention of defensive measures may signal a small tilt away from developing a norm and toward inflicting cost.