If cybersecurity concerns set your hair on fire, you should be bald by now — and lacking eyebrows and any other facial hair (perhaps even denuded to the waist). A relentless increase in cyberattacks is prompting a reassessment of responses, and an increasingly popular option is going on offense.
The list of significant cyberincidents in 2021 compiled by the Center for Strategic and International Studies includes 71 items through June. In addition to the Microsoft Exchange hack that penetrated 250,000 networks worldwide, there were the ransomware attacks on Colonial Pipeline, which shut down the U.S.’ largest fuel pipeline; the attack on the world’s largest meat processing facility, JBS; on Acer, the Taiwan computer manufacturer; as well as a North Korean attack on South Korea’s Atomic Energy Research Institute; and intrusions at water processing facilities in Norway, Israel, Florida and California. The list doesn’t include the July 4 hack by REvil, a suspected Russian government supported group of cybercriminals, that hit as many as 1,500 companies in what has been called the largest ransomware attack ever.
Security protocols aren’t working and there is a new readiness to consider offensive operations. Gen. Keith Alexander, a former head of the U.S. National Security Agency, explained the new mindset: “If we are under attack, you can’t just try to catch every arrow. You have to take care of the person shooting the arrows at you.”
That’s new thinking. Western governments have been strong opponents of offensive action. U.S. government officials physically recoiled when it was suggested in a meeting a few years ago that offensive tactics be on the table. When that same person proposed the same idea a few years later to another group of U.S. officials, they were much more receptive.
The reluctance to play offense stems from several considerations. Offensive actions are usually designed to deter — to keep an adversary from attacking. Deterrence aims to manipulate that adversary’s cost-benefit calculation of behavior so that the person or persons believe the costs will exceed expected benefits. Success requires an accurate assessment of that calculation: Can we get inside the head of the adversary, weigh factors as they do and appreciate how they interpret our signals?
In the digital space, problems multiply. Attribution is the most famous. Can we be certain of the identification of the source of the disruption? Are those criminal gangs working on their own or do they enjoy government support — and support from whom in government?
At least 30 countries can play in this space, but it’s hard to be sure. Secrecy shrouds all such activities. Gen. Mike Hayden, former head of the NSA and the CIA, noted that in the U.S. until the early 2000s, the phrase “offensive cyberoperations” was classified — not the targets, the techniques or the technologies, but the phrase itself. That produces a paradox: Offensive capabilities that might be used to deter won’t work if the adversary is ignorant of their existence.
Stanley Kubrick got it exactly right when Dr. Strangelove tells the Russians that their doomsday device — which promises retaliation for a nuclear attack even if the leadership is decapitated — is not the ultimate deterrent if no one knows about it.
In addition, there are many motivations for cyberattacks — theft, extortion, activism, terrorism, espionage, preparations for war, sabotage, tests, information operations — each of which requires a tailored solution. Even when the motives of attackers are ostensibly the same — say, extortion or espionage — a response must be crafted to the circumstances of each.
A big problem is that many offensive cyber weapons don’t self-destruct on use. Once deployed, they can be captured and reconfigured. In the book “This Is How They Tell Me the World Ends,” Nicole Perlroth offers a terrifying exploration of offensive cyberoperations and the threat they pose.
In her telling — and several other books echo her account — U.S. hackers are among the best in the world, capable of breaking into, monitoring and, if necessary, destroying just about any network anywhere in the world. If the U.S. charges a foreign power or one of its companies with illicit behavior, it’s often because its own hackers have done the same thing. They know well what is possible.
But they — and their leadership — also believed that their work would not be corralled and exploited once introduced into the wild, an appalling mix of arrogance and naivete. Invariably, the zero-day exploits (vulnerabilities unknown to the software maker for which there are no fixes) that U.S. hackers found or bought to attack target machines have been corrupted or used by other actors for their own ends.
U.S. officials downplay responsibility for those mutants, insisting that they never hack for criminal purposes, ignoring warnings that their handiwork would be modified regardless of their intent. Apple used this argument to counter FBI demands that it develop a tool to unlock an iPhone used by a shooter in the 2015 San Bernardino, California, attack that killed 14 people and injured 22 others. Apple insisted that the tool would find its way into the wild, endangering ordinary citizens.
Still, the U.S. is different from other hacking powers on two counts: It doesn’t deputize or ignore criminals who work on its behalf, and it doesn’t steal business secrets. The first separates the U.S. from Russia, which has actively recruited cybercriminals and turned a blind eye if they work on its territory as long as they don’t target domestic computers; the second separates it from China, whose hackers have been repeatedly charged with stealing U.S. intellectual property.
Yet another problem is that it’s hard to distinguish between offensive operations to deter and those for war. Defending forward requires understanding of and access to foreign networks, which must be acquired ahead of time. Those preparations can trigger a response, taking countries down a slippery slope to conflict.
How then should we think about offensive capabilities? One tactic is to observe and track bad guys, making it clear that we have eyes on them. In 2017, Dutch hackers penetrated Russian networks and for over a year watched and filmed Russian hackers as they tried to penetrate U.S. networks.
In another case, U.S. investigators managed to track down and identify the private key for the wallet that received more than $2 million in cryptocurrency paid in ransom for the Colonial Pipeline hack, and retrieved the funds. If the veil of anonymity is pierced and hackers can be held responsible for their actions, they might desist.
If threats don’t work, then governments can act. Being able to put names, faces and addresses on hackers and having the ability to track payments allows for precision targeting. Curiously, the team responsible for the Colonial Pipeline hack reportedly went out of business after that attack, perhaps in recognition of the potential exposure and danger that its members faced. After all, terrorist groups that have been no less disruptive have been the targets of drone strikes.
A third option is escalatory retaliation. In 2014, North Korea’s connection to the internet was cut off days after President Obama promised “proportional retaliation” for its alleged hack of Sony Pictures. Earlier this month, President Biden warned that the U.S. will take “any necessary action” including the imposition of “unspecified consequences” if Russia doesn’t stop ransomware attacks that originate on its territory. Other U.S. officials have warned that China too will be punished for the Microsoft Exchange hack.
The problem with such warnings is that empty talk does even more damage. Russia has been hit with sanctions; China has not. In neither case has the punishment had much effect, which would seem to oblige the U.S. to do more to establish its credibility and the importance of the red lines that both governments seem willing to ignore.
Jack Goldsmith, a former lawyer for the departments of defense and justice, complained in a recent Brookings Institution commentary that repeated warnings and the reporting of government uncertainty about how to respond “sends a clear message of extraordinary weakness” and is “exactly the opposite of the message” we should be sending “to adversaries who are watching and learning from our fecklessness.”
Retaliation creates a problem of its own. A U.S. cyberattack risks setting a precedent, opening the door to similar actions by other governments, and the United States is extremely vulnerable to a digital assault. Perlroth, like others, argues that we crossed that Rubicon when the U.S. unleashed Stuxnet on Iran’s uranium centrifuges.
International norms, or a treaty that bans hacking, would be one solution, but that’s probably unrealistic. The U.S. has objected to a treaty for years, reasoning that it would be the most constrained by any arrangement given its advanced capabilities, and that its adversaries would ignore any limits. The second assumption may well be true, but the first is increasingly subject to question. Prepare for more cyberattacks and more ash on your shoulders.
Brad Glosserman is deputy director of and visiting professor at the Center for Rule-Making Strategies at Tama University as well as senior adviser (nonresident) at Pacific Forum. He is the author of “Peak Japan: The End of Great Ambitions” (Georgetown University Press, 2019).