The U.S. intelligence community is the most powerful entity operating in cyberspace, yet policymakers seem to be increasingly confounded by the central question surrounding America’s nascent cyber strategy: When is a cyber attack against the United States serious enough to warrant a physical or cyber response?
That debate has been at the heart of U.S. cyber deterrence strategy for years, but has been reignited by the recent state-sponsored data breach targeting security clearance investigations at the Office of Personnel Management. The reluctance of the White House to publicly name China as the attacker and to respond either through sanctions or other actions is evidence to many national security experts that America’s cybersecurity doctrine remains woefully inadequate.
“After all these hackings we still do not have a policy as to when there is an attack or we anticipate an attack, whether we act to prevent it or whether we just try to simply defend against it or [if] we retaliate,” said Senate Armed Services Committee Chairman Sen. John McCain, R-Ariz., speaking Saturday at the Aspen Security Forum.
“There is no policy yet,” McCain said. When asked if the U.S. should retaliate for the massive data breach at the Office of Personnel Management, which many in the intelligence community have blamed on China, McCain did not mince his words. “I absolutely do. By any definition, this is an act of war,” he said. “Now does that mean that we declare war? No, but it is something [for which] we should have a policy.”
It’s been more than two years since President Barack Obama signed Presidential Policy Directive 20, or PPD-20, a classified directive that established guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks. PPD-20 is considered the government’s first step toward laying a foundation upon which a national doctrine governing cybersecurity could be devised.
But it has been the lack of consistency in responding to cyber incidents that has many current and former senior intelligence and defense officials acknowledging that much more has to be done to clarify exactly what U.S. policy is on responding to the use of cyberspace for state-sponsored espionage. Critics point to the obvious differences between the Obama administration’s response to the North Korean attack on Sony Pictures Entertainment and the reported unwillingness of the White House to publicly blame China for the data breach at OPM.
In the Sony case, senior officials said it was the combined impact of the attack’s destructive nature — it physically wiped out nearly 70 percent of the company’s computing and telephone capability — as well as the use of cyberspace as a tool of coercion to squelch free speech that compelled the government to respond.
In the OPM hack, which compromised more than 22 million security clearance investigations, the damage is much more significant but the public response has been muted. Intelligence community officials acknowledged that the OPM hack is simply the price of participating in the game of international espionage.
There’s a need for cyber norms and “a deterrent, which we don’t have right now,” Director of National Intelligence James Clapper acknowledged. “And until such time as we come up with a form of deterrence that works, we’re going to have more and more of this.”
Centuries-old norms within the world of espionage are “part of the problem” when it comes to deciding when, how and if the U.S. should respond to a hacking incident, acknowledged Clapper. “There has been the tendency or the practice, I think, to acquiesce when it’s passive. We all do it.”
Among the primary concerns of U.S. national security decision-makers is devising a response that does not set off a cyber war, according to Clapper.
“We’re always mindful of the state of our defenses — if somebody wants to counterattack, what are the implications of that? I think the next wave will be data deletions and data manipulation. But as this progresses … we’re going to see more aggressiveness until such time as we can create both the psychology and the substance of deterrence,” he said.
NSA Director Adm. Michael Rogers said what made the Sony attack unique was the physical destruction of computing infrastructure, along with the coercive nature of the attack and the potential precedent that not responding publicly could set for future attacks and blackmail attempts.
There’s a “perception, I believe, that to date there is little price to pay for engaging in some pretty aggressive behaviors, whether it’s stealing intellectual property, whether it’s getting in and destroying things like we saw in the Sony attack [or] whether it’s going after large masses of data,” Rogers said.
“We’re trying to generate policy and try to figure out more broadly what’s the right way to deal with this challenge. A one-size-fits-all approach probably isn’t optimal,” he said. “We need to look at each situation for its specifics and make a decision on what makes the most sense in that particular context.”
Lisa Monaco, the assistant to the president for homeland security and counterterrorism, agreed that when it comes to the doctrine of response “every case is going to be different.”
According to Monaco, several factors influence the decision to respond. “Do we have an understanding of who did it? There’s going to be a question of, even if we know or think we know, what’s our level of confidence in that judgment,” Monaco said. “Then there’s a question of what can we say about what we know … what can we show to the world to substantiate our attribution.”
The key to devising proportional responses to attacks in cyberspace remains attribution. It is extremely difficult to pinpoint who was sitting at a particular computer and was responsible for particular attacks. It is even more difficult to obtain solid evidence pointing to motive or state sponsorship.
“We’ve got to get better at figuring out who did it,” said Assistant Attorney General for National Security John Carlin. “Second, after we figure out who did it, we can’t be afraid to say who did it like we do in other areas or we’re not going to be able to deter. Third, after we say who did it there needs to be a consequence.”
Although he declined to discuss the OPM hack, Carlin said he is a strong believer in ensuring attackers incur a cost.
“And we need to continue to look across the full range of our legal authorities to see what we can do to increase the cost when we have high confidence of who did a specific intrusion,” he said. “I strongly believe in this approach.”