19 September 2020

The Best (Cyber) Defense Is a Good (Cyber) Offense

JAMIL N. JAFFER 

We are at war in cyberspace. While lawyers might quibble about the definitions of armed attacks and other niceties of international law, the fact of the matter is that, for around a decade, we've been in series of consistent—albeit small-scale—conflicts in cyberspace. These conflicts have intensified recently, particularly since the start of the COVID pandemic, and have had a massive impact on the American public and private sectors. One can hardly pick up a news magazine today without being assaulted by headlines about data breaches, ransomware, cyber-enabled financial crime or social media-spread misinformation and disinformation. Standing alone, cyber-enabled economic warfare conducted by China drains the American private sector of billions of dollars a year, with total damages estimated in the trillions. Former NSA Director Gen. Keith B. Alexander described this concerted effort as "the greatest transfer of wealth in human history," and former House Intelligence Committee Chairman Mike Rogers (R-MI)—nearly a decade ago—called out the ongoing cyber economic war.

Even worse, in the last six years alone, we've seen our adversaries undertake attacks tantamount to acts of war. For example, we've seen North Korea and Iran engage in the affirmative destruction of data and the bricking of computer systems here in the United States. And the threat level continues to grow. Just last year, then-Director of National Intelligence (DNI) Dan Coats told Congress that Iran is actively "preparing for cyber attacks against the United States and our allies" and is "capable of...disrupting a large company's corporate networks for days to weeks." During the same testimony, the DNI noted that "China has the ability to launch cyber attacks [in the U.S.] that [could] cause...disruption of a natural gas pipeline for days to weeks." Of course, we all know about Russia's wildly successful covert influence campaign that has undermined public confidence in our elections and rule of law institutions. While the Russian activities are likely to go down in history as among the most effective covert influence operations ever, what sometimes goes missed in all the election talk is the DNI's assessment that Russia is also actively "mapping our critical infrastructure with the long-term goal of being able to cause substantial damage," including by "disrupting an electrical distribution network for at least a few hours."

Notwithstanding the significant costs imposed on the American people and our economy by these activities, the Russians and others have paid little price for their actions. While we've imposed limited sanctions against Russia (primarily because Congress pushed for them), have indicted some key actors in both Russia and China and imposed some limited trade measures against China, the continued pace of activity from our adversaries in cyberspace makes clear that they are largely undeterred. This is especially clear, given the frenetic activity we've seen in the recent months as threat actors have sought financial and strategic gains in the post-COVID environment, including targeting institutions conducting cutting-edge vaccine research. And there is little question that cyber-enabled covert influence activity will only increase as we get closer to election day.

And yet, even in light of all this, there are those who would have us unilaterally disarm—or at least significantly constrain ourselves—when it comes to responding to cyber activities. These advocates of restraint have myriad reasons why we ought to handcuff ourselves. First, they argue that taking such actions unfairly harms others in foreign states. Second, they argue that cyber activities could cause physical damage to people and property. Third, and perhaps most critically, they argue such efforts are escalatory and could push us into an actual shooting war. As a result, these advocates suggest the right approach is to reimpose constraints on our military and intelligence communities, and to raise the evidentiary bar for taking action in cyberspace. This is exactly the wrong answer.


In order to stop the current onslaught in cyberspace, we must effectively deter our opponents by making the costs of taking action against us outweigh the benefits. For far too long, we have failed to do this in the nascent cyber war and, as a result, our enemies have gotten more and more bold, testing the our outer boundaries. As such, the fact that American offensive actions in cyberspace might be painful for our adversaries is not a bug—it's a feature. Of course, it goes without saying that we should be careful to avoid unnecessarily imposing costs on civilians or causing wanton damage to people and property. But let's be clear: Our opponents have been doing exactly that to us for the better part of a decade. They have fundamentally undermined our economy, conducted deliberate and destructive attacks and are actively putting in place capabilities to conduct very real harm to our people when they choose to do so. Given all this, now is exactly the wrong time to unilaterally disarm. Rather, we ought to up our game and increase pressure on our adversaries.
U.S. Cyber Command, NSA, Central Security ServiceSAUL LOEB/AFP VIA GETTY IMAGES

It is worth noting, of course, that we have taken some amount of action to respond to the enemy in cyberspace. In late 2018, Congress removed (actual and perceived) legal barriers to U.S. Cyber Command taking action against specific nations, and President Trump is understood to have gotten rid of the Obama administration's apparent Rube Goldberg-like web of approvals required for cyber operations, replacing it with a broader delegation of authority to the military and, ostensibly more recently, the intelligence community. And the Pentagon itself has adopted a new "defend forward" strategy by persistently engaging the enemy overseas, taking the fight to them before they arrive on our (cyber) shores.

Notwithstanding these important changes to our cyber response posture, we still face a significant onslaught. There are many reasons for this, including that when we do act, our responses appear to have been fairly limited in nature and may not impose significant enough costs. Moreover, we rarely take public responsibility for our actions, making it difficult to deter more than one party. And finally, we are loath to talk affirmatively about our redlines and what kind of a response crossing them would elicit. Rather than walking back these efforts and reimposing ineffectual constraints, we ought to instead double down. We should be clear about our capabilities, put out a clear declaratory policy on cyber redlines and be earnestly willing to take swift, decisive and visible action when those lines are crossed. It's not that deterrence doesn't or can't work in cyberspace—it's that we simply don't really practice deterrence today.

And to those who say deterrence is always escalatory, one need only look back at recent history to prove them wrong. In the early part of the Syrian civil war, notwithstanding his infamous redline on chemical weapons use in Syria, President Obama waffled publicly after the Assad regime used sarin on its own people. He ultimately backed off, running towards an obviously too-good-to-be-true deal with the Russians and, in the process, demonstrating our sheer lack of resolve to maintain our commitments, significantly weakening us in the eyes of friends and foes alike. And, of course, the thousands of Syrian civilians who've suffered from relentless chlorine gas and sarin attacks by the Assad regime since our redline whiff know all too well that our unwillingness to enforce our deterrence policy in Syria has led to more death and destruction, not less.

In contrast, when the current administration responded to Iranian proxy attacks killing Americans in Iraq with a devastating blow, taking out its elite military leader, Qassem Soleimani, American newspapers were full of editorials and "news analyses" opining that we were on the precipice of full-scale war with Iran. Of course, all the hand-wringing was for nought. Rather than take us into war, the current administration's bold and forceful response got the attention of the Iranians, forcing them to rethink their decades of attacks on American forces. Of all the things that the Soleimani strike might have been, the one thing it was not was escalatory.

So what does all this tell us? First, it ought be clear that, with cyber threats at an all-time high, now is absolutely not the time to let down our guard or step back. To the contrary, we ought to provide more resources and authority to those taking the fight to the enemy in cyberspace. Second, we need to help build up our defenses here at home so that we can limit the damage caused. To that end, it is critical that the American government provide effective, real-time direct assistance to critical infrastructure providers in the private sector to help them rapidly upscale their defenses. This collective defense approach will require the government to collect and share highly classified intelligence at scale and speed and actively collaborate with the private sector on defense. If we are to succeed in this very real war, we must make clear to the world that while we did not start this fight, we will bring it to a successful close.

Jamil N. Jaffer currently serves as senior vice president for strategy, partnerships, and corporate development at IronNet Cybersecurity and as the founder and executive director of the National Security Institute at George Mason University's Antonin Scalia Law School. Among other things, he previously served as chief counsel and senior advisor to the Senate Foreign Relations Committee, senior counsel to the House Intelligence Committee and in senior national security roles in the Bush Justice Department and White House.

No comments: