a strategy of CYBER deterrence

By Michael Chertoff & Frank Cilluffo[59]

The global cyber threat landscape is expanding exponentially, challenging national security officials and corporate executives in the United States and around the world to adapt to more sophisticated and diverse attack methods at the rapidly bending curve of technological change. Recently we have witnessed an uptick in major cyber attacks against American interests both public and private. Although this has led the current Administration to take strides to improve our cyber security posture, much remains to be done in terms of developing cyber policies that are bold and advanced enough to reliably disarm and deter malicious actors. America does not enjoy the luxury of time in confronting this issue. Instead, commitment and urgency are key factors in the race to propel American cyber capabilities ahead of those of its adversaries, and to assume a role of leadership and superiority in this new realm of defense strategy.

While American cyber security is already benefitting from the strength of government relationships with the private sector, focus on improving these vital partnerships must remain a priority. Of course, in order for the United States to become the most capable cyber power in the world, it is also necessary that it invest in the training of a skilled cyber workforce. Finally, it is paramount for America’s leaders to use these emerging assets to create an environment in which this nation and its interests are not only secure from cyber attacks but can also benefit from a robust strategy of cyber deterrence.

The first step in addressing this country’s cyber security requirements is to recognize that credible threats come from a wide variety of actors, including states, criminal organizations, terrorist groups, and political activists. These entities have different capacities to do significant harm, but some of their goals are achievable with only moderate hacking skills or the money to purchase hacking-as-a-service.[60] Thus, while it is primarily only states that can now execute significant espionage or military operations, non-state actors frequently target U.S. interests for financial gain or to make political statements that seek to undermine U.S. credibility.

When it comes to cyber attacks, the challenges surrounding attribution are critical. The complexities of cyber space and the increasing proclivity of states to use proxies in government-sponsored cyber missions mean that it is often difficult to prove who is responsible for a particular attack. Therefore, the U.S. government must marshal and coordinate its intelligence and technical capabilities to ascertain the identities of specific actors responsible for cyber attacks. In order to mount a credible deterrence, American cyber capabilities must be capable of precise attribution to enable the most appropriate and flexible response.

Today, the most advanced and persistent cyber threats to the United States remain those directed by states and their proxies. China and Russia pose the greatest threats, although the growing cyber capabilities of both North Korea and Iran deserve careful attention as well. The most significant danger that the United States faces from a national defense standpoint is that these state actors are integrating cyber capabilities into their foreign intelligence services along with their military doctrines and strategies.[61]

When assessing these threats, in addition to those that threaten the economic prosperity of the U.S., it is helpful to differentiate between Computer Network Exploitation (CNE) and Computer Network Attacks (CNA). CNE includes industrial espionage as well as intelligence preparation of the battlefield through mapping of a country’s digital and critical infrastructure. CNA encompasses actions that disrupt or destroy targeted data or information. While CNE may seem to be less threatening, its role as a necessary precursor to attacks makes it vital for the U.S. government to articulate a cyber strategy that deters all attempts to compromise the integrity of U.S. networks.

One of the major cyber threats facing the country today is that of espionage, a form of CNE and a tool that America’s adversaries are using in an increasingly brazen manner. For example, the massive data breach of the Office of Personnel Management’s (OPM) records of approximately 20-25 million current and former Federal employees compromised a database of personal, financial, and location information on military, diplomatic, and intelligence officials with top security clearances. Additionally, more than one million fingerprint records were stolen, potentially compromising the identities and employment opportunities of numerous federal employees. This breach, which was discovered in April and May 2015 after about a year of exploitation, is, according to informed observers, most likely attributable to China. While it may be impossible to keep malicious actors from penetrating government networks, the U.S. government must develop standard practices to quickly identify, quarantine, and jettison intruders from these critical systems.[62]

Additionally, organized crime syndicates and other actors have adapted fraud schemes to the internet and scaled them to network-level threats on America’s financial institutions and economic prosperity. In 2013, hackers began to implement a massive fraud scheme that utilized “spear phishing” and a strain of malware called Carbanak to help criminals steal hundreds of millions of dollars from dozens of banks in countries around the world, including the United States. While the financial services sector is typically regarded as one of the most security-proficient sectors in America, this type of fraud against banks is not uncommon and must be addressed in a comprehensive cyber security strategy.

A third form of significant cyber aggression is the disruption of networks or online services, frequently accomplished through Distributed Denial of Service (DDoS) attacks. These attacks overpower internet services with malicious traffic in order to block legitimate access to such services. DDoS attacks can be executed through the use of a malicious robotic network (botnet[63]) or through other manipulations of unsuspecting internet users. In one recent example, Chinese-linked hackers redirected traffic to the popular search engine Baidu to temporarily cripple the webpages of a U.S. software company that linked to a Chinese language version of the New York Times and a website intended to help Chinese citizens circumvent government censorship. DDoS has also been used by Iran to target the U.S. financial sector and, perhaps most infamously, by Russian actors to paralyze Estonian networks in 2007. While DDoS attacks are used to disrupt service, they are also often used as a diversionary tactic to distract a victim’s security team from guarding against other coordinated attacks on valuable information and systems.[64]

The final cyber threat that poses the most profound risk is an outright destructive attack against critical infrastructure. Examples from at home and abroad, including Iranian attacks against the Sands Casino and the North Korean assault on Sony Pictures, indicate a growing capacity among adversaries to carry out such attacks. However, it is not only the entertainment industry that is at risk. The threat to critical infrastructure was demonstrated by a 2012 Iranian attack against Saudi Aramco that hampered its operational capacity for two weeks by turning 30,000 of its computers into bricks. American critical infrastructure must be secured against such threats, and potential actors must be deterred by U.S. cyber capabilities.


Alongside this overview of the cyber threat landscape, the next step toward understanding how the United States must build its cyber security and cyber deterrence strategies is to examine the current responses and vulnerabilities of U.S. policy. As the private sector owns and operates over 90 percent of this nation’s critical infrastructure, its role in promoting America’s cyber security cannot be overstated. For years, industry has been on the front lines of cyber attacks and, on a sectoral basis, many private businesses have self-organized into Information Sharing and Analysis Centers (ISACs) to share threat indicators and defensive cyber strategies.

Over the past few years, these ISACs and standalone companies have increasingly coordinated with the Federal government to mitigate and respond to cyber threats by sharing information on malware signatures, vulnerabilities, and other indicators of malicious activity. However, the private sector is not only useful as a source of information for the government but also as a resource to law enforcement in assisting with the takedown of cyber criminal enterprises like botnets. Despite recent efforts to strengthen partnerships with the private sector, much industry potential remains untapped when it comes to protecting critical infrastructure and taking a more active role in defending American interests.[65]

The U.S. government's efforts to bolster the country's cyber security posture have been partly realized through three Executive Orders signed by President Obama. EO 13636 promoted a culture in which the government shares threat information with private businesses and directed the National Institute of Standards and Technology (NIST) to develop a voluntary framework of cyber security best practices to reduce risk to critical infrastructure. Although privacy remains a contentious issue surrounding the information sharing debate, the NIST Framework is increasingly being adopted by private businesses to eliminate cyber risks.

In 2015, President Obama signed two other Executive Orders dealing with cybersecurity. EO 13691 attempts to increase information sharing within the private sector by promoting the formation of Information Sharing and Analysis Organizations (ISAOs), a categorization of information sharing entities that would include ISACs in addition to non-sector specific organizations. Still, however, this policy of improved sharing of threat indicators fails to fully leverage industry’s potential to defend against and fight cyber threats.

The final cyber Executive Order allows the Secretary of the Treasury, in conjunction with the Departments of State and Justice, to impose sanctions on individuals or entities outside of the United States who are responsible for, or complicit in, malicious cyber activities against American interests. While recognition of the need to sharpen economic instruments and sanctions is an important symbolic step, U.S. leaders must consider these tools to be only one element of a comprehensive and coherent strategy of cyber deterrence.

In addition, the Department of Homeland Security has been at the forefront of the battle to protect U.S. networks and coordinate cyber security incident response. Currently DHS employs its Einstein and Continuous Diagnostics and Mitigation (CDM) programs to detect cyber intruders, halt malicious traffic, and prioritize vulnerabilities in government networks. However, these programs have not yet been fully implemented, would greatly benefit from increased congressional funding, and sometimes are hampered by legacy systems, harming the security of Federal information. It must be a priority of government agencies to replace such legacy systems and work more closely with DHS in the coming years.


DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is the center for information sharing and incident response coordination between government agencies and the private sector. As the clearinghouse for troves of sensitive data, DHS also has established officers to ensure the protection of citizens’ privacy and civil liberties. DHS and the NCCIC, as civilian agencies, should continue to be the focal point of information sharing, and they should strive to earn and retain the trust of the American people, which is necessary in securing their interests in cyber space.

Not to be overlooked in the Federal government’s efforts to combat threats to the nation’s cyber security is the Department of Defense (DoD). DoD is currently preparing itself for the possibility that all conventional conflicts may now involve a cyber component. Therefore, it has recently released an updated Cyber Strategy, outlining three major goals to secure its networks and demonstrate to the world the precision and effectiveness of America’s cyber operational capabilities.

The first goal of the cyber strategy is to move away from the model of service-based networks towards one larger Joint Information Environment (JIE). Currently in process, this shift will allow DoD to better defend its networks, systems, and sensitive information. The second and third goals of this strategy focus on building broader partnerships with the private sector and international allies to defend against disruptive or destructive cyber attacks while maintaining viable cyber options to control conflict escalation and deter threats at all stages of engagement. These goals represent a start toward an effective strategy of cyber deterrence and should be given the utmost priority.

DoD currently retains the right to use cyber tools to disrupt an enemy’s command of networks, military-related critical infrastructure, and weapons capabilities, although it generally reserves these tactics as a last resort. U.S. leaders must utilize these capabilities as a deterrent to America’s adversaries, but these tactics must also be tailored and precise to avoid disproportionate escalation.

Despite the current initiatives and responses of the U.S. government and its allies in the private sector and around the world, significant vulnerabilities in American cybersecurity policies remain to be repaired. The adoption of cyber security best practices, information sharing, and threat prevention are extremely important, yet not good enough. The private sector is restrained in its cybersecurity practices due to outdated and vague legal restrictions, and the government is still not fully utilizing this sector’s potential.

Furthermore, the consequences and penalties for committing malicious cyber acts against the United States must be raised and perpetrators must know that they cannot hide behind their keyboards if they attack American interests.[66]

The ability of the U.S. government to protect its own networks and infrastructure has been rightly questioned of late, and any doubts need to be laid to rest through active demonstration of America’s cyber defense capabilities.

That demonstration has four key parts. First, in order to develop the cyber capacities necessary for the United States to retain its position as the responsible, undisputed leader and military power of the world, America must invest in the cyber education of its workforce. Educational programs sponsored by the DoD and the private sector should be promoted and financially supported by the government where feasible. Although it is difficult for the public sector to compete with the salaries available to cyber professionals in the private sector, the prestige and significance of working to better America’s cyber posture will be a valuable asset in recruiting a strong and deep workforce.[67] Given that the initiative remains with the cyber attacker in the near term, the U.S. government must also invest in offensive capabilities. In order to articulate a credible deterrence capability, America must ensure the means to wield the best trained and equipped cyber arsenal.


Second, the Federal government must also take a lesson from the private sector, in which cyber security and information security are steadily becoming issues that chief executives prioritize and for which they are held accountable. The days in which the security of cyber networks was the sole responsibility of CIOs are over.

In the wake of the massive breach of the Office of Personnel Management, it became evident that agency leadership had failed to implement even basic recommendations for enhancing cyber security; the resignation of the agency director was a belated sign of accountability. But the failure to implement cybersecurity best practices and to identify and segregate one’s most valuable information and systems is far more widespread. According to a Government Accountability Office report, 19 of 24 major government agencies report cyber security as a "significant deficiency" or "material weakness."[68] Our government leaders, just like CEOs, must be held responsible when extensive data breaches occur due to avoidable lapses in security. Similarly, the President must drive government officials to enforce agency-wide cyber hygiene practices and make the security of networks and data a top priority.

Third, the framework for information sharing and the incentives for private sector investment in cyber security must be institutionalized. For years, bipartisan efforts have been mounted in Congress to establish a legal safe harbor for information sharing, but Executive Branch support to enact these proposals into law has been lacking. It is urgent that Congress pass legislation to ensure confidentiality and liability protection for participation in the exchange of threat information. Such legislation would allow the Administration's current ISAO (Information Sharing and Analysis Organizations) proposal to be more effective.

Legislation is also needed to create a liability cap for companies that adopt reasonable cyber security measures. A new law could be modeled in part on the recent NIST standards or similar plans. Just as the Safety Act promoted the development of counter terrorism technology, such a liability cap would create a strong financial incentive to implement more robust security measures. Such a plan would also promote the development of a more mature cyber insurance marketplace, thus providing another market driver to provoke changes in behavior and the adoption of best practices.

Fourth, to articulate a convincing message of deterrence against cyber actors, the U.S. government must fully develop a doctrine of response against varying levels of cyber intrusions, up to and including principles for when an attack would be treated as an act of war. While the Administration has utilized law enforcement tactics against cyber criminals and even foreign agents engaged in cyber espionage—including prosecution of illegal dark web marketplaces—and while in theory economic sanctions are now available against cyber bad actors, there is no apparent integrated overall strategy for deploying all elements of national power against cyber attacks.

Although America will need a comprehensive strategy of cyber deterrence, policymakers must develop specific strategies tailored to the unique qualities of the various actors likely to engage in cyber attacks. This is necessary because actors, rather than the attacks they launch, are the targets of a successful cyber deterrence strategy. The strategy must be able to differentiate between the motivations, methods, and vulnerabilities of such actors to be fully effective.[69]


The next President needs to mandate a strategy that addresses the following three key areas of questions:

• What structures are needed to further promote true international cooperation in investigating and prosecuting organized cyber fraud activity, including action against financial and other online enablers of criminality? How does the U.S. government deal with nations that provide safe haven for criminal hackers?

• In what circumstances will economic sanctions be imposed on individuals or even nations engaged in cyber espionage? Where intellectual property is stolen, how will the U.S. government use trade rules or even civil liability rules against those who steal or benefit from the stolen property?

• What is the threshold of destructive attacks beyond which the U.S. would treat them as an act of war? Under what circumstances would the U.S. government use kinetic force against a destructive attacker? Under what circumstances, and with what degree of supervision, would the government license private actors, in essence extending 21st-century letters of marque, to engage in active defense against a cyber attacker?

Given that state-sponsored cyber attacks can be mounted from platforms anywhere in the world, even locations within the United States, policymakers need to revisit the legal architecture that currently constrains what military and intelligence authorities can do domestically (Titles 10 and 50). The traditional dividing line between domestic and foreign activities does not readily apply when cyber weapons spring from and travel through an uncountable number of geographic locations. The legal architecture surrounding these authorities needs to be revised in light of these changed circumstances.

[59] The authors thank Alec Nadeau, a Presidential Administrative Fellow at the George Washington University, for his contribution to this chapter.

[60] Tim G., “Hacking as a Service: How Much Does it Cost to Hack an Account,” The Underground Economy Part Four, August 4, 2014. http://www.symantec.com/connect/blogs/hacking-service-how-much-does-it-cost-hack-account

[61] Frank Cilluffo, “A Global Perspective on Cyber Threats,” Testimony before the U.S. House of Representatives, Committee on Financial Services, Subcommittee on Oversight and Investigation, June 16, 2015.

[62] Paraphrased from statements of U.S. Rep. Will Hurd (R-TX) made during a House Oversight and Government Reform Hearing on the OPM Data Breach. http://www.c-span.org/video/?326593-1/hearing-office-personnel-management-data-breach

[63] Symantec’s researchers define a bot and a botnet as follows: “A ‘bot’ is a type of malware that allows an attacker to take control over an affected computer. Also known as ‘Web robots,’ bots are usually part of a network of infected machines, known as a ‘botnet,’ which is typically made up of victim machines that stretch across the globe.” http://us.norton.com/botnet/

[64] Neustar and Symantec have independently reported on the increasing use of DDoS attacks as “smokescreens” to hide more significant attacks like data theft and malware installation. Susan Warner, “Smokescreening: Data Theft Makes DDoS More Dangerous,” April 22, 2014. https://www.neustar.biz/blog/smokescreening-data-theft-makes-ddos-more-dangerous. Sam Shead, “Symantec: Data-stealing Hackers Use DDoS to Distract from Attacks,” October 9, 2012. http://www.zdnet.com/article/symantec-data-stealing-hackers-use-ddos-to-distract-from-attacks/

[65] As an example of the private sector’s potential to protect U.S. interests against cyber actors, see Symantec’s recent partnership with Europol that led to the takedown of the Ramnit botnet. Nadia Kovacks, “Symantec Partners With Europol In Ramnit Botnet Takedown,” February 14, 2015. http://community.norton.com/en/blogs/norton-protection-blog/symantec-partners-europol-ramnit-botnet-takedown-pif

[66] Frank Cilluffo, Sharon Cardash, and George Salmoiraghi, “A Blueprint for Cyber Deterrence: Building Stability through Strength,” Military and Strategic Affairs (December 2012).

[67] Paraphrased from statements of Assistant Secretary of Homeland Security for Cybersecurity and Communications, Dr. Andy Ozment, before the American Bar Association, February 20, 2015. http://www.c-span.org/video/?324377-1/discussion-cybersecurity-law

[68] Gregory Wilshusen, “Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies,” Government Accountability Office. Testimony before U.S. House of Representatives, Committee on Science, Space and Technology, Subcommittee on Research and Technology and Oversight, July 8, 2015.

[69] Frank Cilluffo and Rhea Siers, “Cyber Deterrence is a Strategic Imperative,” April 28, 2015. http://blogs.wsj.com/cio/2015/04/28/cyber-deterrence-is-a-strategic-imperative/