Carlin: U.S. is looking to unite on cyber deterrence

The assistant attorney general provided additional insights into what a whole-of-government strategy in cyberspace might look like.

Deterring cyber threats is a team sport. Government officials from the White House to individual agencies have been peddling the notion that a cyber deterrence strategy involves the whole of government and the response to a cyber incident might not necessarily occur in cyberspace. 

This policy was enshrined in the White House’s long awaited cyber deterrence document released late last year. The document listed several approaches agencies can bring to bear, from the State Department’s ability to coordinate responses with foreign governments, to economic costs imposed by the Treasury or Commerce departments, to even a military response. One tool that has been gaining prominence is law enforcement’s ability to attribute perpetrators of attacks, build cases and eventually indict those responsible.     

For the Justice Department, this tactic folds into a larger picture of trying to build and enforce norms in the emerging cyberspace domain. “This is about trying to build a world that we want to live in when it comes to cyber threats and part of that world is going to mean being able to detect, disrupt cyber threats and therefore deter would be cyber actors,” Assistant Attorney General for National Security John Carlin said at the Center for Strategic and International Studies June 28. 

Other officials within the federal law enforcement community have noted that they are interested in bolstering attribution capability to ultimately bring hackers that violate American laws to justice.  These types of approaches can help deter malicious activity, Phillip Celestini, senior executive FBI representative to the National Security Agency and Cyber Command for the FBI’s Cyber Division, said recently.  

Carlin said that, similar to the way government has responded to terrorism threats, the interagency approach could develop a response to a cyber incident within the broader deterrence framework.  With regard to terrorist threats, representatives from relevant agencies such as Treasury, State, Justice, FBI, DOD and CIA would meet in the situation room and be briefed on the threat intelligence. Agency officials would then present what their potential response options were. “You’re starting to see that same mentality or approach on cyber,” he noted. 

Carlin pointed to the Cyber Threat Intelligence Integration Center, or CTIIC, a new center that will gather information from cyber threat analysts and disseminate it among the 17 agencies within the Intelligence Community and military services. CTIIC was modeled after the National Counterterrorism Center, which would take the whole community’s view on what the intelligence showed a terrorist threat and compile it for a singular view, Carlin said. “I think you’re starting to see some of the structures put in place that allow for the execution of this whole-of-government, all-tools, disruption, deterrent strategy,” he added. 

In a military sense, Cyber Command Commander Adm. Michael Rogers has talked previously about the need for a proportional response in line with international law. “I look for the same kind of broad trends – proportion of response, appropriateness of response, the specificity and discreetness, so to speak, of the response,” he said last summer.  

Carlin did warn, however, that deterrence involves treading carefully as to not escalate beyond necessity. “One thing you always worry about as you’re developing a new deterrence strategy is you don’t want to encourage [bad actors] to make a mistake and then you’re up in an escalated space because they didn’t realize they had crossed” established red lines, Carlin said. The clearer the red lines are, the less adversaries will try to test the boundaries to see what they can get away with. This has been one of the cornerstones for public indictments as well as naming and shaming campaigns such as the public identification of North Korea in the Sony Pictures hack. “It sends a message to all the other countries and some of the non-state actors who are figuring out what this new world looks like,” Carlin asserted. 

According to Carlin, threats in cyberspace such as those posed by North Korea are becoming what he described as “blended.” This is evidenced by groups that might be working for their own personal, financial gain but could also be proxies of nation states. 

In Russia, China or elsewhere, someone who might have access to advanced cyber tools in their day job working for the state could use those tools corruptly during their nighttime hours to do a hack for their own personal gain, he said. 

While this complicates the threat landscape, he noted that actors with the intent to inflict serious injury, harm or even death do not possess this capability. “I think certain nation states and very sophisticated criminal groups have that capability, so at least to date it hasn’t ended up in the hands of those terrorists,” Carlin said, “because we know they would use it if they had it [and] to date they haven’t been able to acquire the capability to match their intentions.”         

These terrorist groups, for the most part, are unable to be deterred through traditional means. To combat these threats, a stronger defensive posture is imperative along with doing everything to prevent groups from the ability of getting the tools to commit destructive cyber attacks.