Intelligence officials: Cyber domain is still the 'Wild West'

IC leaders and members of Congress tussle over the slow progress toward defining the terms of engagement in cyberspace.

There appear to be two glaring trends in cyber policy today—the lack of defined terms and the lack of deterrence. Government and military officials say that operating in and defining the cyber realm is not easy for several reasons and that it will take a few years to build up the cyber mission force and develop norms – something also incumbent on the international community.

With regard to definitions, lawmakers on Capitol Hill seem to be most concerned with what constitutes “cyber war” and how other activities in cyberspace are different. “Any type of malicious activity, which causes either damage or a theft of materials, theft of information or [intellectual property] – all of those are under either cyber, malicious cyber activities, it might be espionage – in each case, there’s no defined red line for what would constitute an act of war,” Deputy Secretary of Defense Robert Work told Sen. Deb Fischer (R-Neb.) when asked in a Tuesday Senate Armed Services Committee hearing if the administration had a definition for what constitutes a “cyber attack.” 

“We’re still working our way through that,” NSA director and commander of the U.S. Cyber Command Adm. Michael Rogers told lawmakers this week regarding cyber definitions of war. While talking about the parameters that could define a cyber act of war, he said that building on conventional war frameworks is a useful exercise – something he elaborated on in greater detail this spring at the Aspen Security Forum. “What [the hack of the Office of Personnel Management databases] represents is a good question … so what are the parameters we want to use? Is it as [Director of National Intelligence James Clapper] has said, is it the intent is within the acceptable realm, is it scale, is it you can do espionage at some level for example but if you trip some magic threshold – hey is 20 million records, is 10 million records – is there some scale component to this?” said Rogers this week.

Clapper and Rogers have previously warned lawmakers about using the proper terms for operations in cyberspace. “Terminology and lexicon is very important in this space,” Rogers told the House Intelligence Committee earlier this month. “And many times I’ll hear people throw out ‘attack’ and ‘act of war’ and I go, ‘That’s not necessarily in every case how I would characterize the activity that I see’.” Clapper agreed with Rogers, saying that although the OPM hack has been characterized as an attack, it actually wasn’t, given its passive nature and the fact that it did not result in destruction. (Although that hack, which exposed detailed information on 21.5 million current and former government employees and contractors, has prompted the United States to pull spies from China over fears that they could be identified.)

Things become much more complicated when it comes to espionage. “And so what this represents of course is espionage – cyber espionage,” Clapper told the Senate Armed Services Committee this week. “And of course we too practice cyber espionage…we’re not bad at it.” 

The fact that the U.S. engages in these practices—and a recent cyber agreement the White House entered into with China does not address or prohibit continued espionage—makes responding to such incidents difficult. “So when we talk about what are we going to do for, to counter espionage or punish somebody or retaliate for espionage, well we, I think it’s a good idea to at least think about the old saw about people live in glass houses shouldn’t throw rocks.”

This statement drew ire, and likely to some degree, frustration from the committee’s chairman Sen. John McCain (R-Ariz). “So, it’s OK for them to steal our secrets that are most important…because we live in a glass house – that is astounding,” McCain said.

Several lawmakers have been quick to point out—on a bi-partisan basis—that U.S. acceptance that cyber espionage happens doesn’t do much to deter attacks. The key point is imposing some kind of a cost for operations in cyberspace, something in which the lines between espionage, hacks and even damaging attacks (something that has only occurred in rare and limited circumstances) continue to be blurred. Given how secretive U.S. cyber operations are, lawmakers say a deterrent must be transparent, physical and flaunted as a means of demonstrating said cost – something akin to nuclear weapons during the Cold War.

“I think the contrast with the Cold War is a good one to think about in that…the concern that people are raising is, Should there be red lines on spying?” Clapper said this week. “That’s really what this gets down to. We didn’t have red lines during the Cold War – it was free-wheeling as far as us collecting intelligence against the Soviet Union and vice versa. There were no limits on that – it was very difficult for both sides. And of course, underlying it – the backdrop to all that was the deterrent, the nuclear deterrent, which of course restrained the behavior even though it got rough… We’re sort of in the Wild West here with cyber where there are no limits that we’ve agreed on, no red lines – certainly on collecting information, which is what the OPM breach represented.” 

Work told members of the House Armed Services Committee on Wednesday that “at this point we don’t believe that our deterrence policy has been effective up to this point or as effective as it should be and that’s why we want to strengthen it” citing attribution as a big hindrance in striking back.

The notion of a whole-of-government approach to responding to cyber incidents is something U.S. officials have long expressed. “[S]omething I would like to emphasize is, although it’s a cyberattack, we don’t think about the response purely through a cyber lens; it would be all the tools of foreign policy and military options,” former principal cyber advisor to the Secretary of Defense Eric Rosenbach said in congressional testimony last spring.

This idea has also been endorsed by members of academia. “When we talk about deterrence today, it is cross-domain,” Bob Butler, adjunct senior fellow for the Center for a New American Security’s Technology and National Security Program said in a House Foreign Affairs Committee hearing on Wednesday. “It is the idea of using the economic sanctions, potentially, some other tools in the economic inventory…looking at ways we could restrict travel of individuals into our country based on wrongful acts that are being prosecuted. It is certainly building the capability through our law enforcement activities.”

Additional witnesses at Wednesday’s committee hearing outlined various responses the U.S. could take against actions by nation-state actors. Catherine Lotrionte, director of the Institute for Law, Science and Global Security at Georgetown University, echoed Butler’s cross-domain strategy as a policy toward enforcing Chinese compliance with the recent cybersecurity agreement. “I would activate all those elements at once,” Lotrionte said. “Meaning, I would use law enforcement tools, I would start prosecuting those that are violating our domestic law. I’d pull out all the options on sanctions – whether it’s financial or others. I would also look at the WTO and I would start…to bring charges or claims against China for violations in the [Trade-Related Aspects of Intellectual Property Rights] agreement. And of course, less spoken of publicly, I would have our intelligence organizations actively prepared to do counterintelligence and, in the more covert world, things to counter their actions.”

“You have a range of options,” James Lewis, senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies, said regarding the potential responses in cyberspace. “You could, for example, with OPM, you could’ve erased data on some of the Chinese computer networks that held the OPM data…you could leak financial data on the Chinese leadership, you could interfere with the power grid – there’s a whole range of things we could do, but I think the fear is until we do something…people won’t take our threats seriously.”

The Sony hack attributed to North Korea, for example, while not necessarily a terrorist attack, was a coercive measure that sought to instill fear in the entertainment company, and the attack violated international law, according to both Lewis and Lotrionte. Lewis added that the improved attribution capability of the United States to so quickly identify North Korea did scare that country’s leadership.

Another option, mentioned by Butler, is taking the embarrassment route—naming and shaming. Rep. Brad Sherman (D-Calif.) noted that China’s corruption gives the United States an advantage in the shame game. “Could we, for example, steal Chinese proprietary company corporate information and just either hand it to an American company, which would raise huge questions—which company—or just publish it?” he asked Wednesday. Lotrionte said the United States could conduct economic espionage if it decided that was a course it wanted to take. She said the United States has the legal authority to publish such information as well as provide this information to private companies.

U.S. officials have described proportionality as the way forward in terms of striking back—similar to the way it responds to kinetic attacks. However, with ill-defined norms in the cyber realm, proportionality can become obfuscated, and deterrence policy can suffer. 

“We don’t play offense. China hacks, we don’t talk about what tariff to put on all Chinese products in order to compensate ourselves for that,” Sherman said, adding that it’s more acceptable to ask for funds for defense rather than offense. Intelligence officials agree. “Personally, and this is not a company policy, this is my own view, that until such time as we do achieve or create both the substance and the mindset of deterrence, that this sort of thing is going to continue – the OPM breach,” Clapper said earlier this month. 

However, as Lotrionte alluded to, there can be covert activity taking place hidden from the public eye, something that lawmakers have taken issue with in terms of a robust deterrent effect. Former NSA contractor Edward Snowden, in a forthcoming PBS interview, appears to refute Sherman’s words. The U.S. Cyber Command is “an attack agency,” Snowden said. “If you ask anybody at Cyber Command or look at any of the job listings for openings for their positions, you’ll see that the one thing they don’t prioritize is computer-network defense. It’s all about computer-network attack and computer-network exploitation at Cyber Command.”

As they did during the Cold War, international norms will emerge in cyber. It is just a matter of when. 

Lotrionte agreed with the frustration of some lawmakers over how long it has taken to reach the current situation, in terms of the still-ill-defined terms as they relate to war and attacks in cyberspace. She said the current environment “remind[s] me when I was in the Intelligence Community the years leading up to 9/11 and it was like a good 15, 20 years it took people to understand what would be an armed attack under the law by non-state actors like terrorists that would allow us to use force in response against them and somebody else’s sovereign territory.”

Sean Lyngaas of Defense Systems’ sister publication FCW contributed to this report.
