What will it take for cybersecurity policy to finally catch up to the digital age?
I get this question often, and increasingly I worry that it will take a true “black swan” event to shock the system. Black swan events are rare, come as a surprise, and have a major impact. However, in 2017 alone, we seem to have already spotted a few black swans: WannaCry ransomware disrupted 300,000 machines, and just weeks later we saw NotPetya, both of which continue to cause disruption.
CrashOverride/Industroyer emerged as a highly customizable malware aimed at disrupting power grids (and succeeding in Kiev), and elections across the globe have experienced interference and hacked data dumps. Any one of these might have seemed to be enough of a black swan to warrant attention on the policy front, and yet almost nothing has changed.
This is simply not sustainable. Both public and private sector organizations are increasingly caught off guard with each new digital attack and are left with almost no policy-informed recourse. The majority of current U.S. cybersecurity legislation is 30 years old and best suited for Cold War technologies and adversaries. For decades, the focus has been on technical solutions to block and deter threats. While technological innovation remains extremely necessary for defense, it’s time to move beyond additional reviews and progress toward a cybersecurity strategy relevant for today’s threats.
Given just how far policy lags behind, there is a lot of work to do, and it will require creativity and input from both technologists and policymakers. There are the obvious recommendations, such as improved cyber hygiene and education, and workforce and pipeline development. But as Homeland Security Advisor Tom Bossert noted in his speech in June at Cyber Week, these would have been the same recommendations as 15 years ago. Moreover, last month’s announcement that Chris Painter, the State Department’s lead for cyber policy, will be stepping down, and the decision to shut down the State Department’s office in charge of cyber policy, does not bode well for the modernization that American cyber policy so desperately deserves. Instead of treading water, progress towards a coherent international cyber strategy is likely to grind to a screeching halt.
At a strategic level, there are three focal areas that could dramatically impact the U.S. defense posture, alter adversarial behavior, and take a big step toward adding some structure to the wild west of cyberspace.
Declaratory policy and deterrence
Declaratory policy is essential to deterrence, as it clearly specifies the repercussions for malicious behavior. This does not necessarily mean concrete red lines, but more so a playbook that addresses the range of U.S. responses when specific damage is inflicted or attempted. Just as Department of Defense response campaign plans are tailored, the same is necessary to ensure the U.S. is not stuck flat-footed following a significant cyber attack. Furthermore, consequences must not only be clarified, but also credible. Deterrence relies entirely on whether the adversaries believe the consequences are real.
This is not easy, and, unlike in many other domains, it requires the entire suite of diplomatic, economic, military, and information tools of statecraft to counter the broad range of adversarial objectives. Due to this cross-domain nature of targets and responses and the sheer number of responders involved, it’s that much more important to integrate specific roles, responsibilities, and authorities under one central lead. For instance, during a Senate Armed Services Committee hearing earlier this summer, Admiral Michael Rogers said the NSA is not optimized to handle information operations. But if not the NSA, then who should take the lead in counter-messaging to ensure a coherent strategy? We are getting there domestically with the Department of Justice taking the lead on some areas, but offensively, we don’t have a coordinated strategy. That will be crucial for national security for years if not decades to come.
Getting this playbook right is a critical first step, because other nation-states will likely follow suit, which can shape the global narrative and signal what is and is not acceptable behavior in cyberspace. For instance, after U.S. Executive Order 13694 enabled sanctions in response to malicious cyber behavior, the EU moved in a similar direction, offering sanctions in response to cyber attacks to deter intervention ahead of the upcoming German elections and beyond.
Private/public partnerships are nothing new, but the role of the private sector in the cyber domain is. As the owners and operators of much of the digital infrastructure and data, the private sector is both a prime target and on the front line of defense, meaning that a strong partnership will be critical to delivering sustainable, smart solutions.
The public sector, industry, and academia have all begun floating various ideas, ranging from building out a cyber national guard to letters of marque that would allow the private sector to retaliate, but few of these proposals have gained much traction. Given the frequency of major cyber attacks, both public and private calls for hacking back have understandably grown (including a new UK market of companies that provide these tools), but this kind of retaliation is concerning, to say the least, and can have many unanticipated consequences, including escalating global tensions. It’s just one example of a lack of policy giving way to dangerous private sector “solutions.”
The private sector also plays a key role in cutting down on the criminal use of public virtual safe havens, in which criminal actors can move almost freely between networks to access and spread cyber weapons and coordinate their agendas. Whereas certain ‘cyberweapons’ and approaches have found success against state actors, safe havens can provide non-state actors a shelter from these same approaches, which has caused the U.S. to rethink its cyber strategy against these groups. As UK Prime Minister Theresa May noted in June, the government is looking to the private sector to help eliminate these virtual safe havens for criminal and terrorist activity.
This will require significant coordination across many of the tech giants and governments, with special concern over the balance between security and privacy. From the UK Investigatory Powers Act to U.S. Rule 41 to Germany’s new surveillance law, there is concern this balance is tipping heavily away from privacy and individual liberties. However, this balance is crucial and will require new thinking from a private/public collaboration well beyond debates over encryption and information sharing.
Lost in the focus on the latest cyberattacks, the United Nations Group of Governmental Experts (GGE) failed to reach a consensus in their June meeting on a framework for how international law applies to cyberspace, including establishing cyber norms. International cooperation is extremely difficult, but this setback does not mean multilateral efforts should be abandoned. In fact, the converse is true. Though U.S. leadership on the issue will go a long way, international cooperation is essential to broadly establish those rules of the road for what is and is not acceptable behavior.
Multilateral efforts should continue, but the U.S. is also pursuing bilateral agreements, and should continue to do so, as they help to foster replicable norms. For instance, following the U.S.-Sino agreement in 2015, which prohibited digital espionage for commercial gain, both Canada and Australia formed similar agreements with China. While many may question the impact, these are important initial steps as the countries work towards a broader, more long-term set of solutions. That is why the recent announcement of a U.S.-Israeli bilateral working group is so important, as it too will be closely watched by other countries around the world. The U.S. should continue to push forward in areas focused on international cooperation, and ensure global leadership in this realm, or risk the vacuum being filled by countries that may not share the same democratic values of a free and open internet.
For too long, the steady yet precipitating pace of breaches has been treated as a series of independent attacks, if not anomalies. We need policies that reflect the shifting world order and technological dynamism, while remaining tailored to specific actors and collateral damage. This includes but surpasses a whole-of-government approach toward a whole-of-society and technology approach. Unfortunately, it just may take a true black swan to instigate impactful changes, leaving both the public and private sector ill-prepared and the barrage of wake-up calls unanswered.