Elizabeth M. Bartels is a doctoral candidate at the Pardee RAND Graduate School and an assistant policy analyst at the nonprofit, nonpartisan RAND Corporation. She has an M.S. in political science from the Massachusetts Institute of Technology and a B.A. in political science with a minor in Near Eastern languages and civilization from the University of Chicago. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
National Security Situation: Unless deterred, cyber-intrusions into non-government computer systems will continue to lead to the release of government-related information.
Date Originally Written: March 15, 2017.
Date Originally Published: May 11, 2017.
Author and / or Article Point of View: Author is a PhD candidate in policy analysis, whose work focuses on wargaming and defense decision-making.
Background: Over the years, a great deal of attention has been paid to gaining security in cyberspace to prevent unauthorized access to critical infrastructure like those that control electrical grids and financial systems, and military networks. In recent years a new category of threat has emerged: the cyber-theft and subsequent public release of large troves of private communications, personal documents and other data.
This category of incident includes the release of government data by inside actors such as Chelsea Manning and Edward Snowden. However, hacks of the Democratic National Committee and John Podesta, a Democratic party strategist, illustrate that the risk goes beyond the theft of government data to include information that has the potential to harm individuals or threaten the proper functioning of government. Because the federal government depends on proxies such as contractors, non-profit organizations, and local governments to administer so many public functions, securing information that could harm the government – but is not on government-secured systems – may require a different approach.
Significance: The growing dependence on government proxies, and the risk such dependence creates, is hardly new[1], and neither is concern over the cyber security implications of systems outside government’s immediate control[2]. However, recent attacks have called the sufficiency of current solutions into question.
Option #1: Build Better Defenses. The traditional approach to deterring cyber-exploitation has focused on securing networks, so that the likelihood of failure is high enough to dissuade adversaries from attempting to infiltrate systems. These programs range from voluntary standards to improve network security[3], to contractual security standards, to counter-intelligence efforts that seek to identify potential insider threats. These programs could be expanded to more aggressively set standards covering non-governmental systems containing information that could harm the government if released.
Risk: Because the government does not own these systems, it must motivate proxy organizations to take actions they may not see as in their interest. While negotiating contracts that align organizational goals with those of the government or providing incentives to organizations that improve their defenses may help, gaps are likely to remain given the limits of governmental authority over non-governmental networks and information[4].
Additionally, defensive efforts are often seen as a nuisance both inside and outside government. For example, the military culture often prioritizes warfighting equipment over defensive or “office” functions like information technology[5], and counter-intelligence is often seen as a hindrance to intelligence gathering[6]. Other organizations are generally focused on efficiency of day-to-day functions over security[7]. These tendencies create a risk that security efforts will not be taken seriously by line operators, causing defenses to fail.
Gain: Denying adversaries the opportunity to infiltrate U.S. systems can prevent unauthorized access to sensitive material and deter future attempted incursions.
Option #2: Hit Back Harder. Another traditional approach to deterrence is punishment—that is, credibly threatening to impose costs on the adversary if they commit a specific act. The idea is that adversaries will be deterred if they believe attacks will extract a cost that outweighs any potential benefits. Under the Obama administration, punishment for cyber attacks focused on the threat of economic sanctions[8] and, in the aftermath of attacks, promises of clandestine actions against adversaries[9]. This policy could be made stronger by a clear statement that the U.S. will take clandestine action not just when its own systems are compromised, but also when its interests are threatened by exploitation of other systems. Recent work has advocated the use of cyber-tools which are acknowledged only to the victim as a means of punishment in this context[10]; however, the limited responsiveness of cyber weapons may make this an unattractive option. Instead, diplomatic, economic, information, and military options in all domains should be considered when developing response options, as has been suggested in recent reports[11].
Risk: Traditionally, there has been skepticism that cyber incursions can be effectively stopped through punishment, since in order to punish, the incursion must first be attributed to an adversary. Attributing cyber incidents is possible based on forensics, but the process often lacks the speed and certainty of investigations into traditional attacks. Adversaries may assume that decision makers will not be willing to retaliate long after the initiating incident and without “firm” proof as justification. As a result, adversaries might still be willing to attack because they feel the threat of retaliation is not credible. Response options will also need to deal with how uncertainty may shape U.S. decision maker tolerance for collateral damage and spillover effects beyond primary targets.
Gain: Counter-attacks can be launched regardless of who owns the system, in contrast to defensive options, which are difficult to implement on systems not controlled by the government.
Option #3: Status Quo. While rarely discussed, another option is to maintain the status quo and not expand existing programs that seek to protect government networks.
Risk: By failing to evolve U.S. defenses against cyber-exploitation, adversaries could gain increased advantage as they develop new ways to overcome existing approaches.
Gain: It is difficult to demonstrate that even the current level of spending on deterring cyber attacks has a meaningful impact on adversary behavior. Limiting the expansion of untested programs would free up resources that could be devoted to examining the effectiveness of current policies, which might generate new insights about what is, and is not, effective.
Other Comments: None.
Recommendation: None.
Endnotes:
[1] John J. DiIulio Jr. [2014], Bring Back the Bureaucrats: Why More Federal Workers Will Lead to Better (and Smaller!) Government, Templeton Press.
[2] President Barack Obama [2013], Executive Order—Improving Critical Infrastructure Cybersecurity, The White House Office of the Press Secretary.
[3] National Institute of Standards and Technology (NIST) [2017], Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1.
[4] Glenn S. Gerstell, NSA General Counsel [2017], Confronting the Cybersecurity Challenge, Keynote address at the 2017 Law, Ethics and National Security Conference at Duke Law School, February 25, 2017.
[5] Allan Friedman and P.W. Singer [2014], “Cult of the Cyber Offensive,” Foreign Policy, January 15, 2014.
[6] James M. Olson [2007], The Ten Commandments of Counterintelligence.
[7] Don Norman [2010], “When Security Gets in the Way,” Interactions, volume 16, issue 6.
[8] President Barack Obama [2016], Executive Order—Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.
[9] Alex Johnson [2016], “US Will ‘Take Action’ on Russian Hacking, Obama Promises,” NBC News.
[10] Evan Perkoski and Michael Poznansky [2016], “An Eye for an Eye: Deterring Russian Cyber Intrusions,” War on the Rocks.
[11] Defense Science Board [2017], Task Force on Cyber Deterrence.