19 July 2018

Waging cyber war without a rulebook

By Derek B. Johnson 

However, in interviews with former White House and executive branch officials as well as members of Congress and staffers involved in cyber policy, many expressed more concern about the potential for a Cyber Gulf of Tonkin: a misunderstanding or misattribution around an event that precipitates or is used as a justification for war. "I think we should all be concerned about a [misunderstanding] or something that is made to look like someone else took action," said Rep. Jim Langevin (D-R.I.), a co-founder of the Congressional Cybersecurity Caucus. "Attribution is very difficult, although we are getting much better at it. There's no doubt there could always be a level of uncertainty."

The U.S. government is currently engaged in disputes with at least four other countries -- Iran, North Korea, Russia and China -- over a series of recent hacks, intrusions and cyberattacks dating back five years. In cases like Iran and North Korea, some worry the situation is potentially one precipitating incident away from breaking out into military conflict.

Furthermore, members of Congress have increasingly agitated for a more forceful response against nation-state-led cyberattacks, while providing little in the way of statutory guidance around rules of engagement for offensive cyber operations, including which agencies should take the lead and how brightly the lines should be drawn between private sector, civilian government and military response.

Blurred lines

The federal government lacks a commonly understood framework for the type and scope of actions that would or would not qualify as an act of war in cyberspace.

"There isn't [a document] -- to my knowledge at least when I was in government -- where it's like 'this is our list' and if it's one of these things then we're going to declare war," said Megan Stifel, a former director of international cyber policy on the National Security Council. "It's not very helpful and reassuring to many to say that we'll know it when we see it, but that has been a bit of the philosophy because we haven't seen it yet."

Stifel pointed to many of the most high-profile attacks against United States assets -- such as the 2016 election disinformation campaign, the 2017 WannaCry attacks, the 2014 Sony hack and the Office of Personnel Management hack -- and questioned whether any of them could truly be interpreted as a genuine act of war by the nations who supposedly carried them out.

In its new command vision on information warfare, U.S. Cyber Command noted that nation-states have taken advantage of this ambiguous policy landscape to conduct aggressive cyber campaigns to harm or destabilize U.S. interests and infrastructure.

"Adversaries continuously operate against us below the threshold of armed conflict. In this 'new normal,' our adversaries are extending their influence without resorting to physical aggression," the vision statement reads.

Some have argued that such direction would allow policymakers to clearly communicate which kind of attacks and targets are beyond the pale and require an in-kind cyber or even kinetic military response. Alternatively, the absence of such a framework carries the risk of fostering confusion and misunderstandings on the international stage that could precipitate a larger conflict.

"There are these questions of 'what was the intent?' and I think we need to be careful not to go [like the metaphorical hammer] looking for nails," Stifel said. "Because of the way western democracies have the private sector own most of the communications and information technology infrastructure, the lines are very blurred."

A shifting policy landscape

That ambiguity has left some perplexed as to how best to respond to a series of cyber-focused operations against the United States.

Langevin is one of 12 members of Congress to co-sponsor a bill introduced this year by Rep. Ted Yoho (R-Fl.) that would require the president to single out as a "critical cyber threat" any foreign persons or entities determined to be responsible for a cyberattack as well as any person or organization that "knowingly materially assisted or attempted such activities." Those actors would then be subject to a range of potential economic and travel-related sanctions. Yoho's bill recently passed the House Foreign Affairs Committee and has garnered support from a bipartisan group of cybersecurity-focused lawmakers in the House.

The legislation is meant to codify many of the strategies employed during the first 18 months of the Trump administration to respond to high-profile cyberattacks against the United States, pairing "name and shame" tactics with economic and political pressure in a way that results in meaningful consequences for those who step over the line.

The problem is many policymakers are unsure where those lines actually are, and some question whether it's even a good idea to draw them in the first place.

Langevin believes that legislation like Yoho's bill will help to better police "the grey zone" around nation-state cyberattacks, but said he worries that being too specific could feed the potential for a Gulf of Tonkin-like misunderstanding.
