The U.S. and its political parties have repeatedly fallen victim to cyber intruders in recent years. The most recent being the intrusion into a number of networks and accounts affiliated with the Democratic National Committee as well as state election systems, sowing some concern and distrust in American institutions.
While the U.S. has coyly identified Russian-affiliated hackers as responsible for the most recent incidents, it has not expressed any official response. When it comes to responding to incidents in cyberspace, the U.S. has outlined a broad "whole of government" approach involving multiple channels, agencies and measures for a coordinated response.
Assistant Attorney General for National Security, John Carlin, describes in a recent paper publishedin the Harvard National Security Journal that "[n]o one agency can beat the threat. Instead, success requires drawing upon each agency’s unique expertise, resources and legal authorities, and using whichever tool or combination of tools will be most effective in disrupting a particular threat."
According to the White House’s cyber deterrence strategy, released in December 2015, a whole of government response can include:
- The State Department’s use of tight relationships with foreign governments to coordinate policy responses.
- The Department of Justice and the FBI’s use of their investigative, prosecutorial, and law enforcement capabilities and authorities.
- The Department of Homeland Security’s utilization of its critical-infrastructure knowledge and relationships with the private sector to protect these assets, mitigate threats and respond to cyberattacks.
- The Secret Service’s utilization of its expertise in cyber fraud investigations with potential national implications.
- Immigration and Customs Enforcement and DHS’s investigation in cybercrime as it relates to online theft of intellectual property, export-controlled data as well as other cyber-related crime such as child exploitation, smuggling and underground marketplaces.
- The economic agencies such as the Department of Commerce, the Department of the Treasury and the Office of the United States Trade Representative to leverage their understanding of economic and market forces and use of their authorities to issue economic sanctions against individuals or organizations, or enforce trade laws.
- Sector-specific agencies, using their unique insight into the sectors of the economy that could be threatened by a cyber incident, can complement those of the intelligence community and the Department of Defense to identify, mitigate and defend against cyber incidents.
These measures culminated into a formalized presidential policy directiveissued in July 2016. Titled "Presidential Policy Directive 41 — United States Cyber Incident Coordination," the directive established the government’s response to cyber incidents affecting both the private and public sector, essentially codifying the aforementioned processes.
As evidenced by the long list of agencies and options, officials have expressed that the U.S. does not need to respond to an incident in kind in cyberspace, which in addition to the aforementioned options, can include a kinetic military response. In fact, this facet of the U.S. government’s response options has acted as a significant deterrent ability, according to experts.
"There’s lots of things that a China, a Russia, an Iran could do in this realm — they don't in large part, not merely because of our offensive cyber capability to hit back but because we can hit back in other realms," Peter Singer, a strategist at the New America Foundation, told Congress in July. Similarly, Isaac Porche, a senior engineer at the think tank Rand, told the House Homeland Security Committee in February that cyber is just one domain, and the U.S. military operates in others.
"But what prevents nation-states from taking action are the fact that they would have to deal with the United States in other domains. And so it always has to include all domains, not just cyber. Our response to a cyberattack may not be in cyber," Porche told the committee.
The Department of Justice has, in fact, issued indictments for several incidents involving international hackers intruding upon U.S. networks and companies. The most high-profile examples include the 2014 indictment of five members of the People's Liberation Army for stealing U.S. intellectual property to benefit Chinese companies, the 2016 indictment of a Kosovar hackeracting on behalf of the Islamic State group, the 2016 indictment of members of the Syrian Electronic Armyfor various intrusions into U.S. networks, and the 2016 indictments of Iranian hackersfor hacking into critical infrastructure and financial institutions.
In regard to diplomacy, the coordinator for cyber issues at the State Department, Christopher Painter, in response to a hypothetical scenario, offered how the agency would respond to a cyber incident, in testimony before the Senate Foreign Relations Committee last year.
The scenario, teed up by Sen. Cory Gardner, R-Colo., involved U.S. networks penetrated by the fictional nation Ruritania, which has exhibited hostile behavior to U.S. interests in the past.
"So if this came up we would, there are a number of things we could do," Painter described. He first offered that the State Department is part of the interagency process harking back to the whole-of-government approach. On this note, Painter added that State is part of the Cyber Response Group (CRG), established by the White House, where the interagency partners — State included — would be offering up how their expertise can contribute to a response.
"We participate in these interagency discussions, we’d look at all the tools that we had as an interagency — law enforcement tools, technical tools, tools like sanctions for instance — we would have a range of tools, and we’re trying to develop new ones. And then we would see how our diplomatic tools can play into that," he said.
Painter also described the partnerships he has forged with several of his counterparts within governments across the world pointing out that there are 20 offices globally focused on cyber issues he can get in touch with quickly to coordinate responses.
Painter offered a few real-world examples as to what his office has done on these fronts when cyber incidents break out. One, being the 2012-2013 distributed denial of service attacks against financial institutions, in which botnets were employed across the world, Painter said: "Our technical people were reaching out to all those countries trying to mitigate that threat. What we did as the State Department is we reached out using demarches — diplomatic demarches — to governments, over 20 around the world, which raised the level of concern."
He added that they received a lot of assistance from other governments as they understood this was not merely a technical issue but more of a policy issue that was elevated within governments around the world.
Frank Cilluffo, associate vice president and director of the Center for Cyber and Homeland Security at George Washington University, told C4ISRNET in an interview that sometimes the U.S. can inflict a greater cost on perpetrators through other means than cyber, such as diplomacy or kinetic. A response "shouldn’t be exclusively cyber because we sometimes have greater strengths in bringing something to a court," he said. "If you’re dealing with a non-state actor who doesn’t have a whole lot to lose in cyber, what is a cyber response in kind going to do?"
Another reason for the so-called all-tools approach could be fear of setting a dangerous precedent.
"A lot of the tools that the U.S. government, I would argue, has used in response to cyber espionage, damaging cyberattacks, has actually been outside of the cyber realm — in part because we don’t want to set a bad precedent," Denise Zheng, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, said at a Sept. 6 event hosted by the Atlantic Council. "We don’t want to condone this type of activity, it’s a slippery slope. And so that’s why we use things like sanctions, indictments, we’ve used diplomatic actions — a combination of all of the above to deter this type of activity."
Many have been critical of the effect indictments and sanctions have had as a response to cyber incidents and in turn a deterrent effect meant to change behavior going forward.
"Do I really think you’re going to see three PLA officers in a U.S. courtroom anytime soon? No," Cilluffo said. "But it did demonstrate that this is a significant set of issues. And you know what? It does stymie their ability to travel. At some point, they’re going to figure out: 'Hey, maybe that’s not such a good outcome.' "
Additionally, the indictments might have an ancillary effect in demonstrating attribution capability. The Chinese "were really stunned at our attribution capabilities that we identified which office in the PLA was doing it, who was doing it and we even went onto the Facebook page of one of the guys doing it. So that must have kind of woken them up and wondered what else we can do," Robert Manning, senior fellow at the Atlantic Council, said Sept. 6.
Sanctions, as all other response tools, have their own time, place and actors in which they can cause a real effect. Michael Daniel, White House cybersecurity coordinator, said during a 2015 conferencethat while the online community affords a great deal of anonymity, sanctions can prevent hackers from remaining in the shadows as their assets can be blocked.
Issuing sanctions can also help level the playing field against those acting below the threshold of war, Cilluffo said.
"The most sophisticated actors are in the business of stealing secrets. Does that mean you have a military response? … Probably not," he said. "If you have U.S. companies spending hundreds of millions, if not billions, in [research and development] and someone else just steals it to gain market share … there I actually think the sanctions model does work."
Sanctions and diplomatic measures can also be a useful tool against nations that might not be willing to take action against those within their jurisdictions hacking outside the country’s borders.
"If law enforcement refuses — and I’ve worked in a couple of countries that refused to take actions against their citizens where we had clear and compelling, overwhelming evidence beyond probable cause and they refused to take action — maybe, that’s where the policy, the diplomatic, the economic sanctions come in because there’s an unwillingness to hold their own citizens accountable," Shawn Henry, president at CrowdStrike, said during a panel at the Intelligence and National Security Summit.
However, sanctions might not provide a desirable outcome against all actors. Sean Kanuck, who most recently served as the national intelligence officer for cyber issues in the Office of the Director of National Intelligence, told C4ISRNET at the 2016 Intelligence and National Security Summit, that sanctions against North Korea for the hack against Sony pictures likely did not have a major impact given "there already wasn’t a lot of commerce between North Korean entities and a lot of the world."
How does the process work?
Carlin, speaking in front of an audience at the Center for Strategic and International Studies in June, offered greater clarity on the whole-of-government response process. He described today’s framework as a structural change, noting that previously within the National Security Council there was a group that would convene and respond to terrorist incidents. Today, the Cyber Response Group serves this function.
Representatives from relevant agencies — Treasury, State, Justice, FBI, DoD, CIA, etc. — would sit around the situation room following a major terrorist event and brief the president on what the intelligence could reveal about the threat. The agency representatives would then present the options their organization could provide under current legal authorities in the way of a response. Sometimes one option or tool would be chosen, Carlin said, or a campaign involving multiple options would be chosen to maximize the most amount of disruption against the threat.
"You’re starting to see that same mentality or approach on cyber. So now there’s a CRG that’s operating along the same principle," he said. "So I think you’re starting to see some of the structures put in place that allow for the execution of this whole-of-government, all-tools, disruption, deterrent strategy."
While the cyber strategy field is still nascent, "there have been some major developments, there have been some policies and presidential directives that have been promulgated that are helpful, but it’s by no means where counterterrorism was," Cilluffo said. "In fact, I’d say, in some cases it’s sort of the equivalent of 2003 in the counterterrorism environment — not 9/12/2001, but more like 2003 in terms of understanding some of our counterterrorism efforts."
"As far as the process itself, it’s a learning process," Kanuck said, regarding the cyber incident response process. "I haven’t been in those meetings in a few months, but having been in them before, it’s good to work through the processes in non-catastrophic situations so that you can exercise those muscles, if you will, so you know what to do if situations of worse scope happen."
Cilluffo praised the current administration for putting presidential directives in place and taking the cyberthreat seriously, but the proof will be in the pudding in terms of how the whole process will play out.
"There has not been a whole lot of clarity, visibility, transparency in terms of how that actually plays out," he said adding that these measures must culminate around a deterrent strategy to change behavior, which the U.S. has not done yet, he said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.