Recent attacks on American critical infrastructure by Russian “cybercriminals,” including an oil pipeline, a meatpacking company, and possibly a transport provider, created inconveniences. The attacks could have been worse. What should be done to stop future attacks? What should not be done? What strategic steps might be taken? This could be Biden’s moment.
Interestingly, while Russia is implicated in these cyberattacks – shielding presumed perpetrators, possibly being complicit – a response is tricky. Here is why.
First, identifying with certainty who perpetrated a cyberattack, given “opposing barbershop mirrors” of cyber-deflection, is often difficult. State actors deflect other state or non-state actors. Non-state actors do the same. Like picking up beads of mercury with fingers or nailing Jell-O to a wall, the task is inherently hard.
Second, responding without giving away how you know who attacked and where the attack came from – so that an attacker cannot correct course, deflect better, or learn “sources and methods” – is also difficult.
US Cyber Command exists to “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries,” but the cyberworld is one of shadows, feints, and counter-feints. See United States Cyber Command.
Several years ago, a senior National Security Agency official was asked why there was no executive order saying we would hit back hard if hit.
His response was revealing – and remains relevant.
“It could be useful but dangerous because if someone knows ‘if you do this I’ll whack you in this way,’ they could pretend to be another nation-state actor.” While “attribution is hard,” it is “probably not … as hard as people think,” but “hard to do in a timely way and an actionable way,” as “it usually involves some fairly sensitive intelligence sources, and if you disclose those they won’t be there the next time.” See NO NEED FOR A STANDING ORDER ON CYBER ATTACKS.
The whole exercise is like snipers hunting snipers.
Third, any response – at law or national security – must be proportional or risk escalation. The goal should be a return signal that is focused, timely, and demonstrates attacker vulnerability to deter future attacks. By keeping the response proportional, we avoid starting a cyber war.
Finally, while much of cyberspace is hidden, the public is getting drawn into this battlespace. Official and rogue actors are widening their aperture, intentionally creating collateral damage. In short, what was government-to-government harassment and mere pilfering is affecting society.
Given these realities, what should – and should not – be done? Whatever we may know, these constraints are important. We want to deter future attacks without starting a war. A broad cyberattack risks being wrong, disproportionate, compromising intelligence, and triggering counter-attacks – which means more collateral damage.
On the other hand, a perpetrator must know we know who they are to deter future attacks, whether “non-state,” so caught and prosecuted, or “state,” so outed and internationally punished.
The best answer, in this case, depends on what we know, with what confidence, and whether we can tailor a response to hit the attacker’s point of origin – discreetly. Public reports say Biden sees these attacks as “a national security threat” and is “contemplating offensive cyber operations against hackers inside Russia,” which may be right – but any such operation must be discreet, proportional, and not trigger further escalation. See, e.g., ‘They are hair on fire’: Biden admin mulling cyber attacks against Russian hackers.
At the same time, words are cheap, sanctions often ineffective, and Biden is going to meet Russian President Putin on June 16th – whose foreign ministry said they would be sending “uncomfortable signals” before the summit.
Biden just issued an executive order reviewing federal regulations and foreshadowing compulsory information sharing between private and public sectors. That is nice but inadequate, possibly also subject to legal challenge. See Executive Order on Improving the Nation’s Cybersecurity.
The real issue is whether we are entering a new phase of international conflict, one in which harassment and pilfering get replaced by cyberattacks to shut down society – led by adversaries.
If so, how do we stop it? Nutshell: We get direct – in private – with our adversaries. We let them know we are watching, holding our cyber-fire, expect them to help identify cybercriminals, cease complicity. Next, we send a cyber signal that we know what we know. Finally, we harden and modularize cyber-defenses, starting with our critical infrastructure – the necessities.
This could be Biden’s moment – probably will not be but could be. If he wanted to prevent cyberwar, turn the page, show real leadership, he could identify cyberwarfare as tantamount to nuclear – not conventional – warfare. The time is coming when similar damage could be done.
Biden could work with Republicans, US Allies, plus Russia, and China, to initiate “Cyber Strategic Arms Limitation Talks” – a new idea, a Cyber-SALT regime, to anticipate, and curtail cyberwarfare before this gets any worse. Just an idea.
Meantime, watch your cyber-defenses!
Hidin’ Joe Biden does not have a level of mental skills and capacity to be serving as POTUS of this great Nation. Right now, the question is … who is really running the Nation and administering control at the executive level??? I pray we, as a Nation, can survive his embarrassing and disappointing incompetence and brain and related deterioration that unfortunately come to bear with old age. He is putting the Nation at risk and covering up accountability functions of Presidential functions.
Write your representatives & give them your view on Cyberattacks. For your info, Pat Robertson of 700-club has been warning about this for a few years now. Also, if cryptocurrency is the preferred method of ransom payments — maybe America should say no to new currency that seems to benefit the bad guys.
In my opinion, Cyberattacks are the biggest issue facing the United States this year. We must count on BIi, HSA & best computer experts we have to protect our systems from hackers. This must come directly from our Govt. & not pass off to states or companies to solve independently. Remember, how it worked out when Govt. turned over Covid19 tasks to states instead of directing all of the states to work as a unit. Is the new Trump Space Force a group that can direct this, or are they working on UFOs? I am in the dark, as have not seen much on Space Force.
Jen Psaki, Biden’s spokesperson, indicated the Biden administration thinks of The Space Force as a joke because it was created by Donald Trump. She giggled when asked about it at a press conference. I can’t imagine they are utilizing it for anything.
I don’t know if that would be the appropriate agency to counteract cyber warfare anyway. Since so many of our so-called “intelligence” agencies are so compromised with Trump Derangement Syndrome, I don’t know if there is anyone left to work against foreign attacks and for America. The tech community is openly anti-American so we aren’t able to attract ‘the best and brightest’ to work for America instead of against her.
I believe the communist, former CIA director, John Brennan, populated the CIA with like-minded operatives/double agents who are still there aiding and informing our enemies for whom they work and undermining whatever missions they are supposedly working on against the interests of our own country. The Biden administration is purging the military as fast as they can of anyone who supports our Constitution over fealty to “The Party (the State)”. Who will be left to defend us or work for our benefit?
Good article. This line of action is the type that this country takes on all aspects of breaches and attacks against it. It is tough for administrators because they have to gather the facts, make assessments and recommend the action to be taken. Sometimes it is fast, other times, slow. The question is “Does this current administration have the right think tank in place to handle these situations?” I won’t hold my breath.
Estd Comm on Cybersecurity & Wuhan virus
o Uniform goals for estd guidelines
o More Voc Tech Ed for field
o Task Force Estd for.
o Public Pvt partnerships estd.
o Hire ex hackers to combat hackers.
o Fines for hacking.
o New Legal field estd.
o Train employees?
o New codes in Law.
o ID bac hackers.
More can be done
o Uniform goals for estd guidelines – There are already well accepted industry best practices for securing networked IT infrastructure from potential hacking threats. However, some corporate CEOs choose NOT to fund or staff such initiatives in their companies as it doesn’t add to the bottom line. Which is how their exec compensation packages are structured.
o More Voc Tech Ed for field – We used to have a terrific American workforce in this field, but over the last two decades, to reduce salary costs, the emphasis has been in hiring H-1B candidates from India and China. They work for a 1/3 to 1/2 of U.S. citizens and they are bound to the company sponsoring them. Thus the domestic education in this field has essentially collapsed.
o Task Force Estd for. – We already have Cyber Defense, which is supposed to identify and counter-strike back against foreign actors either state or individual upon authorization of the President. So we don’t need another “task force” created. We just need Dementia Joe to authorize a proportional response. I won’t hold my breath on that one.
o Public Pvt partnerships estd. – Not needed for a multitude of reasons too numerous to explain here.
o Hire ex hackers to combat hackers. – Already done on a regular basis. They are called white hat hackers and they work for most of our government agencies tasked with cyber-related crimes or defense.
o Fines for hacking. – Numerous laws with fines already in place. However, when the bad actors are protected by foreign governments (Russia, China, Iran, N. Korea, etc.) those laws and fines are unenforceable.
o New Legal field estd. – The last thing we need is more useless lawyers drafting more useless paper on the subject.
o Train employees? – It isn’t that IT employees aren’t trained. In most cases they are not permitted to put the necessary firewalls and safeguards in place due to budget priorities of the corporate CEO. See my response again to your first bullet point.
o New codes in Law. – Unless you’re talking about specially making senior corporate management personally liable for not properly funding and staffing their network facing computer infrastructure, no new laws would get these CEOs motivated.
o ID bac hackers. – We already can do this today. We know where the attacks come from within either minutes or, at worst if the attack is routed through multiple countries, a few hours. If you’re talking about IDing the specific person who is sitting behind the keyboard in a foreign country, good luck with that. These hacking shops are constantly moving their locations in foreign countries.