The Obama administration policy of avoiding assertive action against foreign hackers came under fire from Congress last week, and is raising concerns that the White House is failing to protect the country from large-scale cyber attacks.
Christopher Painter, the State Department’s coordinator for cyber security, defended the administration’s strategy, known as "deterrence by denial," for deterring massive data breaches like China’s pilfering of sensitive personnel records on 22 million federal workers.
This strategy bears no relationship to the strategic doctrine of deterring foreign nuclear attacks by threatening to inflict massive nuclear blasts against any state that threatens to use its nuclear arms on the United States or its allies.
Instead, "deterrence by denial" refers to a defensive effort to protect information networks against an onslaught of increasingly sophisticated and innovative cyber intrusions in the hope that foreign data thieves will eventually give up trying—rather than any effort to actually deter such attacks before they occur.
The policy fits the overall Obama administration approach of limiting the use of assertive or offensive action against foes and doing as little as possible against those undermining U.S. interests. Instead, the administration uses only diplomatic and law enforcement means that have had little or no effect in deterring massive hacker attacks, primarily from China, along with those originating in Russia, Iran, and North Korea.
China’s cyber attacks continue unabated, despite an announced agreement last year in which Beijing promised to curb some cyber spying. Vice Adm. James D. Syring, head of the Pentagon’s Missile Defense Agency, revealed to Congress in April that Chinese military hackers are relentless, conducting cyber attacks on his agency’s networks "every day."
Painter defended the current policy, claiming it is producing results he could not specify, other than claiming that progress has been made in international talks on establishing norms of behavior in cyber space. "Our policy, as I think you know, is to look at law enforcement and network security aspects, where we're talking about cyber defense before going to other tools," he told a Senate hearing May 25.
Proponents of more robust cyber deterrence within the military and intelligence community want a better policy. They argue that without demonstrations of American cyber power, such as counter-cyber attacks or operations to steal back or destroy stolen data residing inside foreign networks, attacks will continue, and will increase in both sophistication and levels of damage they impose.
China’s impunity remains the most serious result of the current failed policy. The administration in 2014 indicted a small group of Chinese military hackers with little or no prospect of ever prosecuting them. To date, there have been no sanctions imposed for China’s hack on the Office of Personnel Management. Obama was ready to sanction the Chinese government for the OPM attack in September, but backed off after a promise from Chinese leader Xi Jinping to curb government-backed cyber economic espionage—a promise that does not cover the Big Data intelligence gathering that took place in the OPM hack, and which is beginning to affect U.S. intelligence personnel.
Russia too has evaded sanctions for the cyber mapping of U.S. critical infrastructure networks, and for being linked to the first destructive cyber attack against a nation’s major infrastructure, an attack that targeted Ukraine. A sophisticated cyber strike temporarily shut down electrical power for more than 220,000 Ukrainians in December.
Iranian hackers, too, were indicted recently for hacking a waterway control network used to regulate a dam in upstate New York. A few North Korean officials were hit with meaningless sanctions for the Sony Pictures Entertainment hacking, but no real effort was made to punish Pyongyang.
In all these cases no significant cost was imposed, leading many to observe correctly that the current policy is not working.
A recent Pentagon report to Congress on cyber deterrence includes the phrase "deterrence by denial," defined as efforts "to persuade adversaries that the United States can thwart malicious cyber activity, thereby reducing the incentive to conduct such activities." It does not explain how thwarting attacks reduces the incentive to conduct further attacks.
In reality foreign government hackers are extremely sophisticated and conduct attacks relentlessly and through multiple channels and methods. Stopping one type of attack often drives innovative hackers to find new vulnerabilities and methods of attack.
The idea of deterring future attacks by denying current ones is like saying "we stopped your attack so don’t try it again." The Pentagon report also says the United States seeks cyber "deterrence through cost imposition"—another questionable assertion as there has been no cost imposition on China despite at least two decades of large-scale cyber attacks.
Senate Armed Services Committee Chairman John McCain (R., Ariz.) dismissed the current cyber deterrence strategy report as weak and lacking detail. "It mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyber space," he said.
The administration also minimized the role of offensive cyber capabilities and failed to clarify current policy ambiguities, such as what would trigger a U.S. response to a cyber attack. The shortfalls are undermining the credibility of a cyber deterrent strategy.
"Make no mistake, we are not winning the fight in cyberspace," McCain said. "Our adversaries view our response to malicious cyber activity as timid and ineffectual. Put simply, the problem is a lack of deterrence. The administration has not demonstrated to our adversaries that the consequences of continued cyber attacks against us outweigh the benefit. Until this happens, the attacks will continue, and our national security interests will suffer."
Concerns about the weak cyber deterrence policy are bipartisan. "I'm concerned that there's too much ambiguity in our current cyber deterrence policy which leaves our adversaries confused about what behavior in cyberspace the United States is willing to tolerate," said Sen. Ben Cardin (D., Md.) at last week’s hearing.
Subcommittee chairman Sen. Cory Gardner (R., Colo.) asked Painter if the State Department had blocked Pentagon requests to take retaliatory action against foreign hackers. The State Department official refused to say.
"Our efforts have not deterred China and Chinese actors from continuing to conduct massive commercial espionage against the United States," Gardner said.
Russia also remains undeterred from attacking critical infrastructure, as seen in the Ukraine electrical grid attack and the targeting of U.S. critical infrastructure, Gardner added, noting that despite indictments of Chinese and Iranian hackers, the White House has failed to impose sanctions under a 2015 executive order.
Feckless Obama administration cyber security policies already have produced massive losses of U.S. data to foreign states, including valuable intellectual property from the private sector, and sensitive, strategically valuable data from U.S. government networks.
The current policies likely will face close scrutiny from the next administration in January.
A realistic cyber deterrence strategy based on demonstrations of American cyber power, including offensive counter-cyber attacks and cyber operations to recover or destroy hacked American data, is an urgent need.
The Cyber Threat column will be co-published on Flash//CRITIC Cyber Threat News at flashcritic.com.