New US cyber policy suggests more active response to state threats

US cyber policy is shedding the overly careful approach favored during the Obama era, becoming more activist and increasingly likely to reach into foreign networks for the sake of defense. While this carries an increased risk of escalation, it is necessary in a cyber arena of bad actors and poorly defined norms.

In August, The Wall Street Journal reported on Donald Trump's reversal of another Obama-era policy, this one relating to cybersecurity. Articulated as Presidential Policy Directive (PPD) 20, the document was classified but widely studied after its unauthorized release by NSA leaker Edward Snowden. Disliked by most stakeholders, the policy prescribed a slow-moving interagency approval process for offensive cyber operations, broadly defined, on foreign networks, with the final decision in many cases reserved for the President himself.

Cyber policy failures

Focused on defense and deterrence, concepts still poorly understood as they relate to the cyber arena, the policy was largely a failure: unsuccessful in warding off IP theft by Chinese infiltrators, and worse still in mitigating the threat posed by Russia. As regards the latter specifically, 2018 has been informative in revealing exactly how extensive Russian cyber operations have been. Two reports earlier this year raised the alarm over hundreds of successful intrusions into American critical infrastructure (where infiltrators were found to have been "inside the control room"), while the discovery of malware known as VPNFilter, described in May and also attributed to Russia, is thought to have infected some 500,000 routers and other devices worldwide.

While in both cases little damage was reported, the potential for catastrophe remains a very serious concern, because the intrusions persist to this day. Further, this difference between an attack and the potential for attack is not trivial; it goes to the heart of understanding evolving risk in the cyber arena. Part of the concern driving Obama's very careful cyber policy was for unintended consequences and escalation in an arena where norms are still not formally codified and operational concepts, such as intelligence gathering, active defense, deterrence and hold-at-risk, are poorly delineated.

The gloves come off

While Trump's replacement for PPD 20, if any, is unknown, there are indications that the policy direction is empowering the US to take the gloves off, despite the poorly understood legal environment, and bring the fight to its adversaries on their own networks in a bid to improve national cybersecurity.

Several events over the course of this year and 2017 provide evidence. First was President Trump's elevation of US Cyber Command to a unified combatant command, originally announced in August of 2017 and taking effect in May of this year. Second, also in May, the White House scrapped its cybersecurity coordinator role after its incumbent, Rob Joyce, left the role. Eliminating the position can be understood as part of a trend, favored by National Security Advisor John Bolton and Secretary of Defense Jim Mattis, of eliminating high-level bureaucratic roles in favor of pushing decision-making to lower levels of government and increasing flexibility and responsiveness.

Most tellingly, in September the US Department of Defense released an unclassified summary of its 2018 cyber strategy. In contrast to the corresponding Obama-era document from 2015 and its predecessors, the latest summary is notable for at least two concepts it mentions.

The first refers to "preparing military cyber capabilities to be used in the event of crisis or conflict," and is thought to suggest a willingness to execute battlespace preparation operations on foreign networks, potentially analogous to the sort of cyber operations described above and attributed to Russia. The second is a new resolve to "…defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict." This new concept of "defending forward" is mentioned several times throughout the summary and plainly states that American cyber defense will become more active and will occur on foreign networks.

Potential risk

Considering the more activist language from the DoD and the White House's efforts to push decision-making down the chain of command, it is reasonable to conclude that there will be an uptick in cyber operations in the short-to-medium term.

The immediate concern in the new policy environment is the increased risk of cyber escalation. The problem, as mentioned above, is that it becomes difficult to distinguish what counts as an intelligence operation from (for example) battlespace preparation. Even trickier is distinguishing intelligence gathering from hold-at-risk strategies. Additionally, these activities reside "below the level of armed conflict", another problematic term in the cyber arena. Take the Russian meddling in the 2016 elections: while the activities never amounted to an armed attack per se, the operation was nonetheless a highly damaging attack on a sovereign nation by a foreign actor.

As any legal framework defining the cyber activities of foreign adversaries would also be reflexively applied to the US and its NATO allies, there is little rush to define the space, since doing so risks limiting the options and actions of allies in an international order ostensibly maintained by norms of conduct.

Additional risk arises when considering a key stakeholder that did favor Obama's PPD 20: the US Department of State. PPD 20 allowed DoD to coordinate with State to ensure that potential cyber activities took diplomatic and political risks into account. As the interagency process falls by the wayside, DoD can make decisions at a lower level without involving the State Department, potentially upsetting sensitive political considerations and resulting in unknown risks.

Finally, the risk of unintended collateral damage to civilians will increase. In this regard, last year's NotPetya attack is instructive: attributed again to Russia, the malware originally targeted networks in Ukraine (thought by some to be a testbed for Russian cyber warfare), only to spread across the world and result in hundreds of millions of dollars in damages. If expanded US cyber operations were to result in unintended economic damage, it would also impair the ability of the US and its allies to act as an example in setting new international norms for cyber governance.

Potential reward

With the DoD's new "defend forward" stance and apparent willingness to take the fight to its adversaries, the US will be better able to defend against attackers at the source, before they infiltrate and occupy domestic networks, and more responsive in preventing and rooting out bad actors sitting inside critical infrastructure. Given the extent of foreign infiltration, it is critical that these networks be better defended.

With US midterm elections approaching, there is a high potential, and already some evidence, for Russia to meddle and influence the outcome, which would further erode public confidence and weaken a fundamentally important democratic institution. In this climate, the ability to defend forward will be critical in preventing the influence campaigns and fake news that were a sinister hallmark of the 2016 elections.

Under the old policy, international bad actors were not deterred by the United States; this must change. The US is still likely to possess the world's strongest cyber resources, and if it can better mobilize them, it will be better able to establish deterrence, push back against bad actors and protect its networks. Essentially, absent an international framework for state conduct in the cyber arena, the US can still provide policing and much-needed leadership that will help to set norms for all nations to follow, and hopefully create a safer cyber arena for all nations.

About Author

Adam Taylor

Adam Taylor is a former energy market analyst for the Canadian government currently working for a high-tech firm in Israel. He holds degrees in biology and sociology and an MA in International Affairs from the Norman Paterson School of International Affairs (Political Economy) at Carleton University, Ottawa. You can follow Adam on Twitter @ajaygraytay.