America Goes On The Cyber Offensive

The Trump administration has rolled back Obama-era rules governing the use of cyberweapons. U.S. government hackers will now have more latitude to respond to and deter cyber attacks by adversaries. For the military—especially U.S. Cyber Command, which has long desired more freedom to manoeuvre—this is welcome news. Other agencies, especially those with sensitive intelligence and diplomatic equities at stake, are surely less enthusiastic about the prospect of turning up the temperature in the cyberwars. A cyber policy is shaped by a trade-off between deterrence on the one hand and intelligence collection and diplomatic standing on the other. A relaxed cyber engagement policy increases U.S. deterrence capabilities—if you hit us, we can hit back. But it could also endanger existing spy operations. Robert Chesney, a University of Texas legal scholar, has observed that if the National Security Agency “is in a target system and reaping important intelligence, an offensive operation that imperils that collection may or may not be in the country’s net national interest.” If the military goes on a cyber offensive, it could also undermine the standing of U.S. diplomats when they call for international norms supporting a free and open internet.

During the Bush and Obama administrations, advocates of intelligence and diplomatic priorities enjoyed greater institutional clout in Washington and better access to the president. But in the Trump White House, the military has significant access to the West Wing, while the intelligence and diplomatic corps are at odds with the president. The days of sacrificing deterrence to other interests in cyberspace seem numbered. These conflicts are not new or unique to cyberspace. What the Pentagon calls “intelligence gain/loss” considerations apply to all domains. Dropping a bomb on a terrorist camp may disrupt one plot, but it may also kill the terrorist group’s courier who is under surveillance. Is a tactical military win worth risking a strategic intelligence asset and possible damage to U.S. diplomatic interests? In the digital domain, these calculations become much more complicated and unpredictable. Unlike the physical realm, where it is easy to calculate the blast radius of ordnance or the likelihood of civilian casualties, the collateral effects of a cyber operation are often best guesses.

Consider the 2017 Russian cyber attack that became known as NotPetya. What started as a targeted operation against organisations in Ukraine quickly spun out of control. It metastasised into a global campaign that struck some of the world’s largest corporations, including the American drug manufacturer Merck, the Danish shipping giant Maersk and even the Russian state-owned oil company Rosneft. The cyberweapon—part of which was allegedly developed by and later stolen from the NSA—travelled well beyond Russia’s intended targets. If the U.S. launched malware at Russia, would the Kremlin stop hacking the emails of American political candidates and remove their “implants” in our critical infrastructure? Or would the code be reverse-engineered and used against the U.S. after the operation burned American intelligence sources? Fear of the latter has resulted in a very conservative approach to engaging adversaries in cyberspace. For the U.S. cyber arsenal to serve as an effective deterrent, leaders must be willing to sacrifice intelligence and diplomatic interests for military ones when circumstances warrant it. But the best use of the cyber arsenal is not necessarily in response to cyber attacks. Fighting cyber with cyber may expose America’s digital defences. It also perpetuates the norm that hostilities are confined to either the physical or virtual domain. If the U.S. and other digitally dense and dependent nations do not reserve the right to respond to cyber attacks with conventional means, we will be beholden to perpetrators of asymmetric cyberwarfare. Stability in cyberspace depends on a universal definition of force that encompasses cyberwarfare.

America’s use of cyberweapons should be reserved for two scenarios. The first is offensive. Cyberweapons are an effective first-strike capability when conventional conflict is imminent or has already commenced. No one has demonstrated this better than the Russians, who launched distributed denial of service attacks in concert with ground assets during their invasions of Georgia in 2008 and Crimea in 2014. The U.S. should prioritise integrating digital weapons with its conventional arsenal. The second is defensive. Cyber-operators enjoy levels of stealth and speed unrivalled by conventional weapons systems to prevent or repel attacks, be they on the battlefield or in cyberspace. The U.S. should not hesitate to disable infrastructure that is facilitating the digital invasion of our sovereignty. To minimise the harm to U.S. diplomatic legitimacy from defensive cyberoperations, America must secure international partnerships that support them. Despite the challenges and risks of operating militarily in this new domain, the status quo is simply unacceptable. Just ask Adm Mike Rogers, former commander of U.S. Cyber Command. When pressed shortly before his departure from office in February by the Senate Armed Services Committee about America’s weak response to Russia’s election meddling, he said, “I haven’t been granted any, you know, additional authorities.” So long as the U.S. Cyber Command has its hands tied, adversaries do not perceive sufficient costs from attacking in cyberspace. Meanwhile, international norms against strong countermeasures favour countries with the least to lose. The U.S. must be prepared to defend its digital sovereignty with all the tools at its disposal.

Credit: Dave Weinstein for The Wall Street Journal, 28 August 2018.

Mr Weinstein is a cybersecurity policy fellow at New America, vice president of Threat Research at Claroty, and a former operations planner at U.S. Cyber Command.