U.S. Options for a Consistent Response to Cyberattacks

Thomas G. Pledger is a U.S. Army Infantry Officer currently serving at the U.S. Army National Guard Directorate in Washington, DC. Tom has deployed to multiple combat zones supporting both the Conventional and Special Operations Forces. Tom holds a Master in Public Service and Administration from the Bush School of Public Administration at Texas A&M University, a Master of Humanities in Organizational Dynamics, Group Think, and Communication from Tiffin University, and three Graduate Certificates in Advanced International Affairs from Texas A&M University in Intelligence, Counterterrorism, and Defense Policy and Military Affairs. Tom has been a guest lecturer at the Department of State’s Foreign Service Institute. He currently serves on 1st NAEF’s External Advisory Board, providing insight on approaches for countering information operations. Tom’s current academic and professional research is focused on a holistic approach to counter-facilitation/network, stability operations, and unconventional warfare. Divergent Options’ content does not contain information of an official nature, nor does the content represent the official position of any government, any organization, or any group.


National Security Situation:  The United States Government (USG) does not have a consistent response or strategy for cyberattacks against the private sector and population. Instead, it evaluates each attack on a case-by-case basis. This lack of a consistent response strategy has enabled hackers to act with greater freedom of maneuver, increasing the number and types of cyberattacks.

Date Originally Written:  April 24, 2020.

Date Originally Published:  June 29, 2020.

Author and / or Article Point of View:  The author believes that a lack of a consistent response or strategy for cyberattacks against the United States private sector and population has emboldened foreign powers’ continued actions and prevented a coordinated response.

Background:  The United States private sector and population have become the target of an almost continuous barrage of cyberattacks coming from a long list of state-sponsored actors, including Russia, China, North Korea, and Iran[1]. These actors have used the low financial cost of execution and low cost of final attribution to utilize cyberattacks as a tool to stay below the threshold of armed conflict. In the United States, these attacks have primarily avoided negative impacts on critical infrastructure, as defined by the USG. Therefore, the USG has treated such attacks as a matter for the private sector and population to manage, conducting only a limited response to such state-sponsored attacks.

Significance:  The number of known cyberattacks has increased at a near exponential rate since the 1990s. During this same period, these attacks have become more sophisticated and coordinated, causing increased damage to real-world infrastructure, intellectual property, societal infrastructure, and digital communication platforms. This trend for cyberattacks will continue to rise as the reliance of individuals, industry, and society on connected devices, and the number of such devices, increases.

Option #1:  The USG categorizes cyberattacks against the United States’ private sector and population as an act of cyberterrorism.

Risk:  Defining cyberattacks against the United States’ private sector and population as cyberterrorism could begin the process of treating every action conducted against the United States that falls below the threshold of armed conflict as terrorism. Patience in responding to these attacks can be difficult, as attack attribution takes time. Overzealous domestic governments, both state and federal, could use Option #1 to suppress or persecute online social movements originating in the United States.

Gain:  Defining cyberattacks against the United States’ private sector and population as cyberterrorism will utilize an established framework that provides authorities, coordination, and tools while simultaneously pressuring the USG to respond. Including the term “digital social infrastructure” will enable a response to persistent efforts by state actors to create divisions and influence the United States population. Option #1 also sends a message to foreign actors that the continued targeting of the United States private sector and population by cyberattacks will begin to have a real cost, both politically and financially. A stated definition creates a standard precedent that cyberattacks are not to be used to target the United States’ private sector and population outside of declared armed conflict, a standard which has been applied to other weapon systems of war.

Option #2:  The USG maintains the current case-by-case response against cyberattacks.

Risk:  The private sector will begin to hire digital mercenaries to conduct counter-cyberattacks, subjecting these companies to possible legal actions in United States Courts, as “hack the hacker” is illegal in the United States[2]. Cyberattacks conducted by the United States private sector could drag the United States unknowingly into an armed conflict, as responses could rapidly escalate or have unknown second-order effects. Without a definition and known response methodology, the continued use of cyberattacks will escalate in both types and targets; combined with U.S. adversaries not knowing what cyberattack is too far, this could lead to armed conflict.

Gain:  Option #2 allows a flexible, case-by-case response to individual cyberattacks by the USG. Examining the target, outcome, and implication allows for a custom response towards each event. This option maintains a level of separation between the private sector operating in the United States and the USG, which may allow these organizations to operate more freely in foreign countries.

Other Comments:  Although there is no single USG definition for terrorism, all definitions broadly include the use of violence to create fear in order to affect the political process. Cyberterrorism does not include the typical act of violence against a person or property. This lack of physical violence has led some administrations to define cyberattacks as “cyber vandalism[3],” even as the cyberattack targeted the First Amendment. Cyberattacks are designed to spread doubt and fear in the systems that citizens use daily, sowing fear amongst the population, and creating doubt in the ability of the government to respond.

Recommendation:  None.


Endnotes:

[1] “Significant Cyber Incidents.” Center for Strategic and International Studies, Center for Strategic and International Studies, Apr. 2020, http://www.csis.org/programs/technology-policy-program/significant-cyber-incidents.

[2] “Hacking Laws and Punishments.” Findlaw, Thomson Reuters, 2 May 2019, criminal.findlaw.com/criminal-charges/hacking-laws-and-punishments.html.

[3] Fung, Brian. “Obama Called the Sony Hack an Act of ‘Cyber Vandalism.’ He’s Right.” The Washington Post, WP Company, 22 Dec. 2014, http://www.washingtonpost.com/news/the-switch/wp/2014/12/22/obama-called-the-sony-hack-an-act-of-cyber-vandalism-hes-right/.
