WASHINGTON — The U.S. needs to coordinate with the international community in identifying and punishing those behind cyberattacks to deter future hacks, according to a co-chair of the Cyber Solarium Commission.
In testimony before the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, Sen. Angus King, I-Maine, called for a two-pronged approach to deter cyber-based espionage operations, attempts to disrupt U.S. banks, and widespread online influence campaigns. His recommendation included increased international cooperation to call out and punish such activities, and for the U.S. to create a stronger declaratory policy.
The Cyber Solarium Commission, a bipartisan organization created in 2019 to develop a multipronged U.S. cyber strategy, delivered a report in March advocating for multiple cyber deterrence efforts.
King said the U.S. hasn’t done a good job imposing costs against adversaries who conduct these cyber operations.
“We’ve become a cheap date in cyber,” he said, echoing similar comments made by Gen. Paul Nakasone, commander of U.S. Cyber Command, during his 2018 confirmation hearing for the post.
“We can be attacked … and there’s no real consequences, there’s no real results, there’s no cost paid by our adversary,” King said. “We’ve got to make adversaries go through a cost calculation saying, ‘Well, if we do this, they might do something else to us and it may not be cyber, it may be sanctions, it may be other kinds of a response,’ but we have to establish that there will be a response. Otherwise, because cyber is a relatively cheap form of aggression, it will continue to happen.”
King said international definitions of what constitutes cyberwar are still in their infancy, and the United States must be an active participant in setting standards, guardrails and the norms for activity in cyberspace, so when the country does respond to a cyber incident, it’s not doing so alone.
In recent months, large coalitions have called out and exacted punitive measures against cyber actors. In February, a coalition of more than 10 nations issued statements condemning Russian behavior against the country of Georgia. And this week, the European Union issued the first set of cyber sanctions against Russian and North Korean entities for a range of cyber activities dating back three years.
However, it is unclear how effective these measures have been, as actors continue to conduct cyberattacks.
For its part, the United States has not ruled out physical military retaliation for cyber action, but it’s unlikely it will risk a violent conflict over cybertheft or the defacement of websites. The military has come under fire recently for statements that appear to undermine the existence of international norms and laws in cyberspace.
“We’re not fighting an enemy that people can see,” said Chief of Naval Operations Adm. Michael Gilday, as quoted in a tweet from U.S. Cyber Command. “And we’re not fighting a war where international norms exist. But make no mistake, we are in conflict day-in and day-out in the cyber realm and you all are on the front lines.”
That position irked some in the international cyber arena as undermining international rules.
“Frustrating the ‘no international norms’ myth sticks around. If there are no international norms then there’s showing any restraint ourselves is a sucker bet. No one else is restrained, so why should we be? It’s a crap argument,” Jason Healey, a senior research scholar at Columbia University, tweeted in response. “Saying there are ‘no international norms’ for cyber conflict is ignorant, wrong, and dangerous. Often someone is just parroting what they’ve heard. Others specifically say it [because] they want fewest restraints on US cyber actions.”
“Conflicting messages, like the one below amplified by @US_Cybercom yesterday, undermine progress in developing and enforcing such limits,” tweeted Kristen Eichensehr, an assistant professor of law at UCLA Law School.
“U.S. CyberCom: the Russians and Chinese are conducting massive cyber attacks against the U.S. This is an outrage, they must stop! Also U.S. CyberCom: there are no rules in cyberspace. Errm, if so, Russia and China do not violate any rules. So why should they stop,” tweeted Przemysław Roguski, a lecturer in international law at Jagiellonian University in Poland.
The second prong of King’s deterrent approach involves a greater declaratory policy, because “if you don’t tell your adversary that you’ll respond, then it’s not a deterrent,” he said. “I think we need to have a much clearer statement of our doctrine, of our strategy so that adversaries know that they will, in fact, pay a price.”
U.S. defense officials have begun speaking more bombastically about their intentions and are attempting to signal to adversaries that malign activity is not acceptable.
Cyber Command and the National Security Agency “are going to know our adversaries better than they know themselves, we’re going to broaden our partnership and we’re going to act when we see adversaries attempting to interfere in our elections,” a July 24 tweet from Cyber Command read. This mirrors statements made by Nakasone on July 20 at an Association of the U.S. Army event, during which he said the security of the 2020 elections is his top priority.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.