In warfare, rules of engagement are a fundamental necessity to curtail violence against non-military targets. But with millions of Americans already victims of cyber attacks perpetrated by nation-state actors, lawmakers question whether a response with conventional weapons is appropriate to stop future online attacks.
The U.S. government must design “an effective strategy not only to limit the impact of cyberattacks, but to meaningfully deter cyber attackers,” Rep. Will Hurd, R-Texas, told a House Oversight Subcommittee hearing Wednesday.
Hurd and other lawmakers asked a star-studded panel of cybersecurity officials and experts what they believe constitutes a “cyber act of war.” The hearing, Hurd explained, is the first step in launching a more comprehensive debate about who should define a “red line” in cyberspace and how they would define it.
The panel — composed of former NSA Director Keith Alexander, State Department Coordinator for Cyber Issues Chris Painter, Department of Defense Deputy Assistant Secretary of Defense for Cyber Policy Aaron Hughes and New America Senior Fellow Peter Singer — made several recommendations on what should be considered when evaluating a cyber attack against the U.S.
Until now, the Obama administration’s general policy has been to handle the response to significant attacks on a “case-by-case basis” with a “whole of government approach” — one that includes consultation with leaders from the U.S. defense and intelligence agencies.
“If you think about Sony being attacked, Sony has no capability to fire back. In fact, if we think about Sony firing back, we quickly get to the realization that if Sony fires back that could get us into a war on the Korean peninsula. We don’t want that to happen. That is an inherently government responsibility,” testified Alexander.
Attacks that cause major loss of life, destruction or incapacitation of significant portions of key infrastructure, or even attacks that cause “massive economic damage” fall within the parameters of what the U.S. should be prepared to call acts of war, Alexander wrote in prepared testimony.
Even so, a military strike may not be the best way to counter a cyber attack attributed to a specific actor, the panel said.
“Incidents described as cyber attacks or computer network attacks are not necessarily considered armed attacks for the purpose of triggering a nation’s right of self-defense,” said Aaron Hughes.
The U.S. boasts a “large toolbox” of options for responding to cyber attacks, explained Painter. They include, he said, but are not limited to: diplomatic outreach, economic sanctions, law enforcement oversight, offensive cyber operations and a military strike. Additionally, there may be a strategic advantage to consider when choosing whether or not to publicly disclose the attribution of an attack — as was the case following the now-historic Sony hack, orchestrated by North Korea.
However, one of the biggest challenges in deciding a response remains the issue of accurate attribution, the panel unanimously agreed.
According to Sean Kanuck, formerly a national intelligence officer in the Office of the Director of National Intelligence, attribution is a difficult challenge. And timely attribution — vital to a quick response, whether political or military — is even more difficult.
“In response to particular incidents, they are usually ad-hoc [cyber forensics] investigations dealing with a particular set of circumstances,” Kanuck told the committee. “It is very difficult to define the intentions of would-be adversaries or actors in specific instances. Often you might derive that information from other sources of information — intelligence collection, other areas — in order to know what an actor’s objectives might have been.”
He added, “in the real-time context of an ongoing incident … that would be a very high challenge … It is not a certainty that you will always know who did it and why.”
Nonetheless, both formal and informal boundaries already exist in cyberspace between nations, said Painter, who leads a division within the State Department that implements the President’s International Strategy for Cyberspace. At the center of this effort, Painter explained, is “international norm building,” focused on cyber — the promotion of rules and standards to guide nations’ conduct.
“The norms we’ve been promoting are, for instance, don’t attack the critical infrastructure of another country — absent wartime — that provide services to the public; don’t attack CERTs, don’t attack the computer emergency response teams, use them for good not for bad; and an expectation that if you get a request from another state and there is malicious code coming from that state, you’re going to mitigate it by technical or law enforcement means. And finally, don’t steal the intellectual property using cyber means of another country for your commercial benefit,” said Painter.
When Hughes was pressed by Rep. Jody Hice, R-Ga., to directly describe when the DOD believes a cyberattack warrants military action, Hughes explained: “not to be cliche, but it really needs be decided on a case-by-case basis” — which, in this context, is also a fair summary of the panel’s overall recommendation.