Top Cyber Diplomat: US Needs Allies’ Help to Punish Cyberattacks

The U.S. could do a better job deterring cyberattacks if international allies were on board to punish the perpetrators, the nation’s top cyber diplomat said Tuesday.

In recent years, the U.S. and its allies have gotten less afraid of attributing cyberattacks to adversaries like Russia, Iran and North Korea, but their attempts to punish those online aggressions are far less united, according to Rob Strayer, the State Department’s deputy assistant secretary for cyber and international communications and information policy.

To prevent those countries from launching attacks in the first place, the international community needs to make it clear that the costs of such actions outweigh the benefits. According to Strayer, that calculation is a lot easier when multiple countries are threatening retaliation.

“We all know that we share common values about human rights and fundamental freedoms that can be expressed online,” he said during a panel at the Atlantic Council’s International Conference on Cyber Engagement. “If we don’t stand together to continue to defend our vision and our values online, then [they] will continue to be undermined by nation-state actors.”

The most obvious benefit of this unified approach is that punishments are a lot stronger when they’re brought by multiple countries, Strayer said. If all of NATO slaps sanctions on Russia, for example, its economy would suffer a lot more than if only the U.S. did so.

But beyond strengthening the punishments themselves, bringing countries together to levy consequences would help legitimize rules of the road for cyberspace, according to Strayer. The unified front would help enforce clear expectations for how nations should behave online, he said, and also define what exactly violates those norms.

“We need to message to nation-states that if they take these actions that we view as malicious, that we will bring consequences against them,” Strayer said. “We want to establish ... that if they undertake certain activities, there will be timely and costly consequences that come afterward.”

And depending on the attack, those consequences could include everything from sanctions and indictments to military action, he said. Today, the Trump administration is in discussions with a number of “like-minded governments” to build a coalition around retaliation, Strayer said, and there’s an open invitation for any country to join the group.

However, unifying countries’ responses to cyberattacks won’t be an easy task, said Chris Painter, a fellow at Stanford University’s Center for International Security and Cooperation who previously held the State Department’s top cyber position before it was eliminated by a reorganization. During his tenure, it was hard enough to get U.S. government agencies to agree on sanctions, and building consensus on an international level will be a much heavier lift, Painter said during the panel.