Cyber Defense

Intelligence officials: Cyber domain is still the 'Wild West'

There appear to be two glaring trends in cyber policy today—the lack of defined terms and the lack of deterrence. Government and military officials say that operating in and defining the cyber realm is not easy for several reasons and that it will take a few years to build up the cyber mission force and develop norms – something also incumbent on the international community.

With regard to definitions, lawmakers on Capitol Hill seem to be most concerned with what constitutes “cyber war” and how other activities in cyberspace are different. “Any type of malicious activity, which causes either damage or a theft of materials, theft of information or [intellectual property] – all of those are under either cyber, malicious cyber activities, it might be espionage – in each case, there’s no defined red line for what would constitute an act of war,” Deputy Secretary of Defense Robert Work told Sen. Deb Fischer (R-Neb.) when asked in a Tuesday Senate Armed Services Committee hearing if the administration had a definition for what constitutes a “cyber attack.”

“We’re still working our way through that,” NSA director and commander of the U.S. Cyber Command Adm. Michael Rogers told lawmakers this week regarding cyber definitions of war. While talking about the parameters that could define a cyber act of war, he said that building on conventional war frameworks is a useful exercise – something he elaborated on in greater detail this spring at the Aspen Security Forum. “What [the hack of the Office of Personnel Management databases] represents is a good question … so what are the parameters we want to use? Is it as [Director of National Intelligence James Clapper] has said, is it the intent is within the acceptable realm, is it scale, is it you can do espionage at some level for example but if you trip some magic threshold – hey is 20 million records, is 10 million records – is there some scale component to this?” said Rogers this week.

Clapper and Rogers have previously warned lawmakers about using the proper terms for operations in cyberspace. “Terminology and lexicon is very important in this space,” Rogers told the House Intelligence Committee earlier this month. “And many times I’ll hear people throw out ‘attack’ and ‘act of war’ and I go, ‘That’s not necessarily in every case how I would characterize the activity that I see’.” Clapper agreed with Rogers, saying that although the OPM hack has been characterized as an attack, it actually wasn’t, given its passive nature and the fact that it did not result in destruction. (Although that hack, which exposed detailed information on 21.5 million current and former government employees and contractors, has prompted the United States to pull spies from China over fears that they could be identified.)

Things become much more complicated when it comes to espionage. “And so what this represents of course is espionage – cyber espionage,” Clapper told the Senate Armed Services Committee this week. “And of course we too practice cyber espionage…we’re not bad at it.”

The fact that the U.S. engages in these practices—and a recent cyber agreement the White House entered into with China does not address or prohibit continued espionage—makes responding to such incidents difficult. “So when we talk about what are we going to do for, to counter espionage or punish somebody or retaliate for espionage, well we, I think it’s a good idea to at least think about the old saw about people live in glass houses shouldn’t throw rocks.”

This statement drew ire and, likely to some degree, frustration from the committee’s chairman, Sen. John McCain (R-Ariz.). “So, it’s OK for them to steal our secrets that are most important…because we live in a glass house – that is astounding,” McCain said.

Several lawmakers have been quick to point out, on a bipartisan basis, that U.S. acceptance that cyber espionage happens doesn’t do much to deter attacks. The key point is imposing some kind of cost for operations in cyberspace, a domain in which the lines between espionage, hacks and even damaging attacks (which have occurred only in rare and limited circumstances) continue to be blurred. Given how secretive U.S. cyber operations are, lawmakers say a deterrent must be transparent, physical and flaunted as a means of demonstrating said cost – something akin to nuclear weapons during the Cold War.

“I think the contrast with the Cold War is a good one to think about in that…the concern that people are raising is, Should there be red lines on spying?” Clapper said this week. “That’s really what this gets down to. We didn’t have red lines during the Cold War – it was free-wheeling as far as us collecting intelligence against the Soviet Union and vice versa. There were no limits on that – it was very difficult for both sides. And of course, underlying it – the backdrop to all that was the deterrent, the nuclear deterrent, which of course restrained the behavior even though it got rough… We’re sort of in the Wild West here with cyber where there are no limits that we’ve agreed on, no red lines – certainly on collecting information, which is what the OPM breach represented.”

Work told members of the House Armed Services Committee on Wednesday that “at this point we don’t believe that our deterrence policy has been effective up to this point or as effective as it should be and that’s why we want to strengthen it,” citing attribution as a big hindrance in striking back.

The notion of a whole-of-government approach to responding to cyber incidents is something U.S. officials have long expressed. “[S]omething I would like to emphasize is, although it’s a cyberattack, we don’t think about the response purely through a cyber lens; it would be all the tools of foreign policy and military options,” former principal cyber advisor to the Secretary of Defense Eric Rosenbach said in congressional testimony last spring.

This idea has also been endorsed by members of academia. “When we talk about deterrence today, it is cross-domain,” Bob Butler, adjunct senior fellow for the Center for a New American Security’s Technology and National Security Program, said in a House Foreign Affairs Committee hearing on Wednesday. “It is the idea of using the economic sanctions, potentially, some other tools in the economic inventory…looking at ways we could restrict travel of individuals into our country based on wrongful acts that are being prosecuted. It is certainly building the capability through our law enforcement activities.”

Additional witnesses at Wednesday’s committee hearing outlined various responses the U.S. could take against actions by nation-state actors. Catherine Lotrionte, director of the Institute for Law, Science and Global Security at Georgetown University, echoed Butler’s cross-domain strategy as a policy toward enforcing Chinese compliance with the recent cybersecurity agreement. “I would activate all those elements at once,” Lotrionte said. “Meaning, I would use law enforcement tools, I would start prosecuting those that are violating our domestic law. I’d pull out all the options on sanctions – whether it’s financial or others. I would also look at the WTO and I would start…to bring charges or claims against China for violations in the [Trade-Related Aspects of Intellectual Property Rights] agreement. And of course, less spoken of publicly, I would have our intelligence organizations actively prepared to do counterintelligence and, in the more covert world, things to counter their actions.”