Whether it be meddling in a U.S. presidential election or accessing the fingerprints of some 6 million federal workers, American officials are warning a cyberattack on the United States may be met with more than a retaliatory cyberstrike.
Instead, nation states, terrorists and other adversaries attacking the U.S. though cyberspace likely will face “real world” consequences under a doctrine being developed by President Donald Trump.
“I think what we’ll do on the deterrence side is end up figuring out a means and method to apply elements of national power outside of cyber to punish bad behavior,” the president’s homeland security adviser, Tom Bossert, told a national security conference Wednesday in Washington.
“There’s very little reason to believe that an offensive cyberattack is going to have any deterrent effect on a cyber adversary,” he added. “In fact, it’s going to encourage them to hurry up and become better hackers and develop better defenses.”
Perhaps more importantly, to this point the U.S. sees little evidence to support the idea that a cyber response will do much to change an adversary’s behavior.
“You see how difficult a problem it is to apply pressure to the Venezuelan dictator or the North Korean regime,” Bossert said.
Russia, China, Iran and North Korea are all seen as threats to the U.S. in cyberspace, looking to steal money or intellectual property rights, or just create havoc.
“We have nation-state actors, whether you go back to the Sony attack by North Korea. You have Iran incursions, Russian incursions, Chinese cyber actors, all of which are using the easiest methods to get at businesses,” said Joshua Skule, executive assistant director for intelligence at the U.S. Federal Bureau of Investigation (FBI). “Ransomware is on a huge upswing.”
Bossert on Wednesday warned China not to use its government resources to spy on U.S. companies, a practice Beijing had agreed to curtail under a 2015 agreement with then-President Barack Obama.
“We want to remind the Chinese so that they remain within the spirit of that agreement,” Bossert said. “That’s something we cannot tolerate and that’s something that they’ve pledged to not do.”
Protecting U.S. networks
U.S. intelligence officials warn that the United States’ information and communication networks are vulnerable to attack, and likely will be for years.
“The cyberthreats have exponentially increased on the homeland,” said David Glawe, undersecretary for intelligence and analysis at the U.S. Department of Homeland Security.
The current administration says it is taking steps to address this vulnerability.
Just last month, Trump approved a long-talked about plan to create a fully independent U.S. Cyber Command, with the goal of improving the country’s cyber operations against a range of adversaries, including the Islamic State terror group.
Currently, U.S. Cyber Command is joined with the National Security Agency, which is primarily responsible for collecting telephone, internet and other intelligence data from around the world.
“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense,” Trump said in a written statement at the time, saying the change “will help reassure our allies and partners and deter our adversaries.”
One persistent hurdle, though, has been establishing norms for behavior in cyberspace, something that remains a challenge.
“We first have to decide what it is that we think is and is not acceptable, and what we can live by in terms of a golden rule,” Bossert said Wednesday. “Then we can think through what it is we will do to those who violate those rules.”
Edging ahead of US
There also are concerns that countries like Russia and China may be edging ahead of the U.S.
“When it comes to cyberwarfare capabilities, I think we may be behind,” said David Kennedy, chief executive officer at TrustedSec, an IT security consulting firm, who previously served with the NSA and with the Marine Corps electronic warfare unit.
“I think we are behind not from a pure technology perspective, but how we can actually apply technology,” he said.