WASHINGTON, D.C. — The audacious hack of data on 4 million U.S. government employees exposed America’s shaky cyber defenses and the Obama administration’s ongoing struggle to develop an effective deterrence.
On April 1, in the midst of tense negotiations over Iran’s nuclear program, President Barack Obama signed an executive order authorizing sanctions against foreign-based hackers. For the administration, it was a critical step to address a growing national security threat, a threat every bit as real as that posed by Tehran.
Part of the strategy was to boost cyber defenses — new versions of the government’s intrusion detection system “Einstein” would be fast-tracked and the National Security Agency would be given more powers to screen for potential attacks.
But defenses, as the latest China-originated breach at the Office of Personnel Management showed, are imperfect, quickly outdated and expensive to keep up. The Department of Defense alone has an estimated 7 million networked devices to protect.
So the White House looked at developing an effective deterrence.
“We’ve talked a lot about what we are doing to protect our network defenses and increase public-private cooperation on information sharing,” said an administration official, who asked not to be named. “But you are also seeing an effort to develop some new response capabilities.”
Prosecuting offenders would play a role. Last year, five officers from Unit 61398 of the Third Department of the People’s Liberation Army of China were charged with spying on six U.S. companies in the nuclear, metals and solar sectors.
On the scale of deterrence options, indictments, like sanctions, sat usefully between diplomatic complaints or “demarches” unlikely to be a game-changer and kinetic military action.
But even today, with a range of responses available to Obama, there is still limited deterrence, said retired Lieutenant General David Barno, who commanded US and coalition forces in Afghanistan from 2003 to 2005.
“We have a degree of deterrence” toward state actors, he said, “but it’s inadequate to the scope of the threat.”
A cyber doctrine
The chief problem might be that cyber adversaries still don’t know what response to expect.
Because cyber attacks range vastly in scope and intent, knowing who, how and when to hit back is fraught.
Officials point to the difficulties in simple attribution in an arena where lines are blurred between military and civilian, criminality and espionage.
“What is easily overlooked if you are talking about a response is the fact that it is so exceedingly complicated and difficult to affix firm and certain attribution if you are talking about cyber activities,” the administration official said.
The People’s Liberation Army — like Iran’s Revolutionary Guard or forces in Russia and North Korea — might be major state-level players, but their actions can be masked by the use of cybermilitias and other groups.
Knowing how to respond might be even more difficult than finding a target.
In 2012, then-State Department lawyer Harold Koh seemed to set the bar for an attack that would warrant military action.
“Cyber activities that proximately result in death, injury or significant destruction would likely be viewed as a use of force,” he said.
Possible scenarios included an air traffic control breach that caused an airline to crash, or a cyber-prompted meltdown at a nuclear power station.
Even though this latest hack compromises 750,000 civilian Pentagon employees, a military response would seem disproportionate. Other cases are less clear-cut.
Looking back, looking forward
Iran is thought to be behind a series of attacks in 2012 on Saudi Aramco designed to halt oil production.
Presidents since Jimmy Carter have said they would use military force in response to physical threats that would similarly hurt vital U.S. interests.
America’s own Stuxnet program targeted Iranian’s nuclear facilities and was widely seen as an alternative to military airstrikes.
Experts point to cyber counterattacks as a possible key to developing a credible deterrent.
But as one administration official put it, “there is no ‘bad internet.’ The bad guys are using the same internet as everybody else is using. It is hard to ensure that only the bad guys are getting impacted by that.”
Barno compared the difficulties in using a cyber counterattack to deterrence during the cold war.
“In the nuclear world, I can count warheads, I can look at bombers versus bombers. In the cyber world, I don’t know what to count,” he said. “No one knows what proportional is; proportional may look very different in the eye of the person who is on the receiving end of it.” And without a mutually understood framework, “you lose control of escalation very rapidly. There is no way to calibrate proportional responses.”
Working out these problems, and building an effective deterrent, is likely to extend well beyond Obama’s presidency.
“We really have not got any established rules of the road that everyone understands. We barely have a working vocabulary,” Barno said. “We shouldn’t underestimate how long this took in the Cold War. We didn’t have this (deterrence) in the 1940s and well into the 1950s. We are at the very beginnings of this in the cyber domain.”
By Andrew Beatty
Copyright Agence France-Presse, 2015