National Security Situation: Unless deterred, cyber-intrusions into non-government computer systems will continue to lead to the release of government-related information.
Over the years, a great deal of attention has been paid to gaining security in cyberspace to prevent unauthorized access to critical infrastructure like those that control electrical grids and financial systems, and military networks. In recent years a new category of threat has emerged: the cyber-theft and subsequent public release of large troves of private communications, personal documents and other data.
This category of incident includes the release of government data by inside actors such as Chelsea Manning and Edward Snowden. However, hacks of the Democratic National Committee and John Podesta, a Democratic party strategist, illustrate that the risk goes beyond the theft of government data to include information that has the potential to harm individuals or threaten the proper functioning of government. Because the federal government depends on proxies such as contractors, non-profit organizations, and local governments to administer so many public functions, securing information that could harm the government — but is not on government-secured systems — may require a different approach.
The growing dependence on government proxies, and the risk such dependence creates, is hardly new, and neither is concern over the cyber security implications of systems outside government’s immediate control. However, recent attacks have called the sufficiency of current solutions into question.
Here are three potential options to address this challenge.
Option #1: Build Better Defenses
The traditional approach to deterring cyber-exploitation has focused on securing networks, so that the likelihood of failure is high enough to dissuade adversaries from attempting to infiltrate systems. These programs range from voluntary standards to improve network security, to contractual security standards, to counter-intelligence efforts that seek to identify potential insider threats. These programs could be expanded to more aggressively set standards covering non-governmental systems containing information that could harm the government if released.
Risk: Because the government does not own these systems, it must motivate proxy organizations to take actions they may not see as in their interest. While negotiating contracts that align organizational goals with those of the government or providing incentives to organizations that improve their defenses may help, gaps are likely to remain given the limits of governmental authority over non-governmental networks and information.
Additionally, defensive efforts are often seen as a nuisance both inside and outside government. For example, the military culture often prioritizes warfighting equipment over defensive or “office” functions like information technology, and counter-intelligence is often seen as a hindrance to intelligence gathering. Other organizations are generally focused on efficiency of day-to-day functions over security. These tendencies create a risk that security efforts will not be taken seriously by line operators, causing defenses to fail.
Gain: Denying adversaries the opportunity to infiltrate U.S. systems can prevent unauthorized access to sensitive material and deter future attempted incursions.
Option #2: Hit Back Harder
Another traditional approach to deterrence is punishment — that is, credibly threatening to impose costs on the adversary if they commit a specific act. The idea is that adversaries will be deterred if they believe attacks will extract a cost that outweighs any potential benefits. Under the Obama administration, punishment for cyber attacks focused on the threat of economic sanctions and, in the aftermath of attacks, promises of clandestine actions against adversaries. This policy could be made stronger by a clear statement that the U.S. will take clandestine action not just when its own systems are compromised, but also when its interests are threatened by exploitation of other systems. Recent work has advocated the use of cyber-tools which are acknowledged only to the victim as a means of punishment in this context, however the limited responsiveness of cyber weapons may make this an unattractive option. Instead, diplomatic, economic, information, and military options in all domains should be considered when developing response options, as has been suggested in recent reports.
Adversaries might be willing to attack because they feel the threat of retaliation is not credible.
Risk: Traditionally, there has been skepticism that cyber incursions can be effectively stopped through punishment, as in order to punish, the incursion must be attributed to an adversary. Attributing cyber incidents is possible based on forensics, but the process often lacks speed and certainty of investigations into traditional attacks. Adversaries may assume that decisionmakers will not be willing to retaliate long after the initiating incident and without “firm” proof as justification. As a result, adversaries might still be willing to attack because they feel the threat of retaliation is not credible. Response options will also need to deal with how uncertainty may shape U.S. decisionmaker tolerance for collateral damage and spillover effects beyond primary targets.
Gain: Counter-attacks can be launched regardless of who owns the system, in contrast to defensive options, which are difficult to implement on systems not controlled by the government.
Option #3: Status Quo
While rarely discussed, another option is to maintain the status quo and not expand existing programs that seek to protect government networks.
Risk: By failing to evolve U.S. defenses against cyber-exploitation, adversaries could gain increased advantage as they develop new ways to overcome existing approaches.
Gain: It is difficult to demonstrate that even the current level of spending on deterring cyber attacks has meaningful impact on adversary behavior. Limiting the expansion of untested programs would free up resources that could be devoted to examining the effectiveness of current policies, which might generate new insights about what is, and is not, effective.
-Elizabeth M. Bartels