The US Must Fix ‘A Failure of Deterrence’ in Cyber: Panel

Bold action is required to convince bad actors that they must stop, says former SecDef chief of staff.

The United States needs “bold action” to convince the world’s hackers that they can’t work with impunity, says Eric Rosenbach, once a chief of staff to then-Defense Secretary Ash Carter.

“There’s been a failure of deterrence,” Rosenbach said Thursday at the Defense One Tech Summit in Washington, D.C. “I think the Russians and a lot of other bad guys think they can get away with it, because they have.”

Changing that perception is likely going to require moves beyond the cyber realm, he said: “That’s going to take some pretty bold action.”

Greg Smithberger, the National Security Agency’s chief information officer and chief technology officer, explained why cyberdeterrence is so hard. For example, publicly fingering a bad actor can help deter future acts. But if you make a mistake, you lose a good chunk of accumulated credibility. And “if you wait too long to publicly attribute something, it diminishes the deterrence effect,” he said.

Rosenbach said the consequence of continuing failure will be that the United States is itself deterred.

“Some time, we’re going to say, ‘Well, crap, they have malware in our grid,’ and that will change our decisions on some foreign policy situation,” he said.

As for the operational side, improving detection and network defenses, the intelligence community is good and getting better. Stacey Dixon, the deputy director of the Intelligence Advanced Research Projects Activity, said IARPA has a project devoted to better forecasting various kinds of hostile cyber activity. Her team is trying to figure out: "How can we really get in front" of them?

Smithberger said NSA is also working hard on the problem.

If another large attack is made on the nation’s electoral systems, “NSA will see the bad stuff coming,” he said. “But if the states can’t protect themselves during electoral campaigns, then it’ll just be more painful. So we as a country need to figure out how to deal with this. Because the North Koreans and others have been watching, and they’ve got all sorts of ideas for 2018, 2020, and beyond.”

That drew a question: How can the federal government get state governments or private companies to improve their network defenses?

There’s a policy aspect to that, Rosenbach said, but there’s also a human aspect. “I’m not sure the state governments or the campaigns of either party welcome the FBI coming through their doors to help” — but they should, he said.

Smithberger acknowledged that there’s some reason for resisting things like security patches for an organization’s systems.

“It’s not a trivial thing. Sometimes the patches break the functionality. But if you don’t keep up, you’re just inviting the riffraff in,” he said. “If you don’t keep up, you can’t keep the average hackers out, much less the advanced persistent threats.”

It’s simpler to get government contractors to accept various security protocols.

“We can build that into contracts,” he said. “On people working with us, we can impose pretty stiff requirements.”

Rosenbach went further, suggesting that legislation is needed to enforce security standards across society at large.

“You can mandate it in law. That’s not very popular,” he said.