The White House and DoD have said that the U.S. will no longer just defend against cyber attacks. Attackers should expect U.S. cyber offense to be ready.
The original version of this article was published in Forbes.
We’re all familiar with saber rattling. But this is the digital age. Welcome to the world of cyber rattling.
One of the core messages in both the White House and DoD documents is that the U.S. will no longer just play defense when it is the target of cyber attacks.
As National Security Advisor John Bolton put it to reporters just before the release of the DoD paper, “For any nation that’s taking cyber activity against the United States, they should expect…we will respond offensively, as well as defensively.”
This, according to at least some experts, is no revolutionary change to U.S. policy, which has included numerous offensive actions short of declared war from time to time, including in the cyber world.
“Has everybody already forgotten about Stuxnet?” asked Gary McGraw, vice president of security technology at Synopsys, in reference to the 2010 cyber attack that destroyed nearly 1,000 uranium enrichment centrifuges in Iran, and that is widely attributed to the U.S. and Israel.
Still, this is a qualitative difference from the Obama administration’s 2012 Presidential Policy Directive 20 (PPD-20), which required a complex and lengthy interagency legal and policy process before approval of any offensive cyber operation.
President Donald Trump rescinded PPD-20 in mid-August, and the new policy puts the authority for offensive cyber operations with the Defense Department and intelligence agencies—the agencies that would conduct those operations.
Neither policy paper makes specific threats. But as the White House put it, “We must…work to ensure that there are consequences for irresponsible behavior that harms the United States and our partners.”
It says that “all instruments of national power are available,” including military force, “both kinetic and cyber,” and calls for imposing “swift, costly, and transparent consequences when malicious actors harm the United States or our partners.”
The DoD document, which regularly invokes the term “defend forward,” defines that as “leveraging our focus outward to stop threats before they reach their targets.” And most people would read “outward” as referring to getting inside the networks and/or systems of attackers.
All of which sounds like a somewhat bureaucratic way of saying, “We’re mad as hell, and we’re not going to take it anymore.”
The U.S. does have reason to be angry. A continuing stream of headlines over the past couple of years has focused on Russian cyber efforts to interfere or “meddle” in the nation’s elections.
China, according to the DoD, has sought to “erode U.S. military overmatch and the Nation’s economic vitality by persistently exfiltrating sensitive information from U.S. public and private sector institutions.”
Indeed, former National Security Agency (NSA) head Gen. Keith Alexander declared in 2012 that the cyber theft of U.S. intellectual property, mostly by China, amounted to “the largest transfer of wealth in world history.”
Not to mention a New York Times report from a year ago that North Korea had an “army” of more than 6,000 hackers focused on espionage, sabotage, and money.
In recent years, the U.S. has indicted alleged hackers from all four of those nations, charging them with criminal acts.
But the message is that the U.S. is moving beyond indictments to offensive cyber operations. And that stance, new or not, is getting generally favorable reviews, both politically and in the cyber security community.
It’s hard to imagine the two major political parties agreeing on much of anything these days, but there is at least some agreement on this issue. The policy drew praise from both House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Senate Intelligence Committee Vice Chair Mark Warner, D-Va., although Warner issued a statement saying the administration “must now move beyond vague policy proposals and into concrete action towards achieving those goals.”
Robert M. Lee, co-founder and CEO of Dragos Security and a former U.S. Air Force cyber warfare operations officer, has been an outspoken opponent of private sector organizations taking the offense in cyber, even in retaliation. But he said it is different with governments. “The U.S. government can do what it wants there,” he said.
Joel Harding, blogger, retired military intelligence officer, and information operations expert, approves of the flexibility this kind of policy gives the U.S. military and intelligence agencies.
“We have a few options if we decide to respond in kind,” he said. “Call them up and tell them, ‘We are flicking your lights on and off right now, so cease and desist your attacks on us,’ or something along those lines. Or we can launch a punishing attack without attribution, from almost anyplace in the world.”
But Harding said cyber conflict is still enormously complex. “Actual offensive actions must still undergo rigorous examination, to limit effects and to preclude the perception of an act of war,” he said.
And McGraw said while attribution is difficult, it is not impossible, noting that retaliation doesn’t need to be immediate. “It can be along the lines of, ‘We told you we were going to do it, and now we’re going to do it,’” he said.
But McGraw again said this is not some major sea change in U.S. policy. “The DoD has always had a policy that if you bomb us, we’ll turn you into a smoking, radioactive crater,” he said.
Bolton said this is an effort not to escalate cyber conflict but to decrease it. The goal, he said, is deterrence, “to demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.”
That clearly would be the ideal result.
But Harding, in a blog post this past July, also offered a dose of political reality. In response to urging from Congress to launch cyber attacks against Russia and other hostile nation-states, he wrote that if the U.S. goes on offense, “other state and non-state actors have de facto carte blanche to act as they want in cyberspace.” They’ll figure, “If the U.S. can do it, so can we.”
“I do not believe this has been thought through,” he wrote.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.