‘Why don’t we hit them back?’ Lack of rules hampering U.S. ability to respond to cyber theft

(CyberWar.news) In recent years, the United States has been increasingly targeted by nation-states and non-state actors alike who are using cyberattacks to probe for military secrets, conduct corporate espionage and temporarily disable or disturb financial networks and even air traffic control.

As the attacks have become more and more brazen – such as the suspected North Korean hack of Sony Pictures and the suspected Chinese theft of data of tens of millions of current and former U.S. government employees – many have asked why the Obama Administration has not taken aggressive cyber countermeasures in response.

First, it should be noted that if or when the U.S. government responds (or has responded) to cyberattacks, don’t expect to see an announcement in the paper or on a news website (unless of course word of the response is leaked). These are highly secretive intelligence operations, and governments don’t discuss them publicly.

But also, say experts, the U.S. may be more reluctant to respond – or respond in certain ways – because the so-called “rules” of response have yet to be written and it’s likely that officials are still weighing opinions as to what would be – and would not be – appropriate.

As reported by PC World recently:

Fight back, critics argue, as the U.S. government faces increasing cyber attacks, with rival nations as the most likely suspects. A passive approach by the U.S. government only emboldens perpetrators—draw a red line, they urge. Most recently, the massive Office of Personnel Management breach has inspired calls for a decisive response.

On the other side, some experts warn that retaliation, in any form, would be shortsighted, simplistic and unrealistic, potentially undermining America’s interests. The rules of engagement, even informal guidelines, have yet to be written, they say.

Experts and officials who advocate striking back say the breach at OPM should have been the trigger. However, others say where to strike back is not clear; thus far, the Obama Administration has not publicly assigned blame for the OPM hack – not an individual, group of individuals or a government.

Robert Knake, former head of cybersecurity policy at the National Security Council and co-author of the 2010 book Cyber War with cyber expert Richard A. Clarke, told PC World that those advocating for hacking back are overreacting.

“It’s bad. But it’s not devastating,” said Knake of the confidential data exposed by the breach. “The reason it’s not devastating is that we know about it.”

During a recent Atlantic Council panel debate regarding the consequences of taking cyber revenge, Knake said that identifying the cyber breach means that the government has the opportunity to mitigate its damage. And, once armed with the knowledge that the hack occurred, the government can use that information to its advantage.

For instance, he said, in the event that a nation uses information gleaned from the hack to identify Americans who may be involved in sensitive intelligence operations, the U.S. could respond with misdirection by changing personnel.

Knake also said that the intelligence operations involving the National Security Agency leaked by former NSA contractor Edward Snowden changed the paradigm of norms in cyberspace, making cyber spying an open secret.

“We are in the post-Snowden period where the whole world knows the U.S. engages in this kind of [surveillance] activity,” said Knake. Despite vehement protests from spied-upon allies, the U.S. did not shut down its programs, Knake pointed out. “We got through all those disclosures without… Angela Merkel or anyone else declaring that it was an act of war.”

In addition, say other experts, cyber spying involves a different skill set and rule book than when government had to defend against pre-Internet, traditional Cold War-type espionage.

“Whatever country is trying to steal our state secrets or international property doesn’t have to have a physical body,” said Austin Berglas, Senior Managing Director and head of the U.S. Cyber Investigations and Incident Response practice at K2 Intelligence, and former head of the FBI’s New York Cyber Branch. “They can do it from their own home. There is a cloak of anonymity that people can hide behind to deny the actions.”

And Jason Healey, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, said times have changed, noting that, in the Cold War, there was a set of unwritten “Moscow rules” containing so-called red lines that would not be crossed.

“It wasn’t a treaty, but there was this sense of where each side could go and if they overstep that, then there might be repercussions,” Healey said at the panel discussion. “We would never kill a Russian. They will never kill an American spy.”

By contrast, he noted that no such rules – unwritten or otherwise – currently exist for cyber espionage. There are no lines to determine if or when someone or some nation has gone too far.

“Not only is there no playbook for countries and companies looking to respond to a cyberattack,” said Daniel Garrie, founder and editor-in-chief of the Journal of Law & Cyber Warfare, “but there are arguably a hundred different playbooks, for each country, making the appropriate and permissible response all the more challenging.”
