The Trump administration is preparing to conduct aggressive action against foreign nations that hit the United States with cyber attacks, a White House policymaker said Thursday.
Tom Bossert, assistant to the president for homeland security and counterterrorism, said China, Russia, Iran, and North Korea have not been deterred from conducting cyber attacks using the internet.
"They are right now not paying enough—they're not paying anything," Bossert said, noting that sub rosa cyber actions, whether stealing data or destroying computer systems, are "a very cheap exercise from them and a very high reward."
The first step in a new cyber policy being drawn up by the White House is to better protect American infrastructure—such as the electrical grid and financial networks—from attack, Bossert told a security conference in Aspen, Col.
The new policy, set to be unveiled by the White House next month, will seek to create cyber deterrence—making hostile actors pay a steep price for attacking through the cyber realm.
Bossert said he opposes the idea of simply abandoning the use of the internet as an inherently unsafe technology.
"I'm ready to put some policy changes in place that are going to increase the cost to the bad actor and unify the like-minded so that we can throw the people that are not on that page out of the internet, if necessary," Bossert said.
The administration continued sanctions imposed on Russia by the Obama administration for its election campaign activities, and continued the national emergency that resulted in the expulsion of 39 Russian intelligence officers and seizure of two diplomatic compounds.
Bossert said those steps were not an adequate response in using what he termed a "20th Century tool" for a 21st Century problem.
But before tougher measures are taken against foreign cyber attacks, more needs to be done to protect U.S. networks that remain highly vulnerable to cyber attacks.
"What we need to do, living in the largest cyber glass house in the world, is figure out how to increase our defenses and put in place a rational strategy before we go out and do things that are going to make us and private and critical infrastructure owners more vulnerable," Bossert said.
Asked how the Trump administration would respond if it found further attempts by Russian hackers to get into voter registration systems, or another North Korean cyber attack similar to the Sony Pictures Entertainment attack, Bossert said a first step is to clearly define acceptable and unacceptable behavior on the internet.
"We need to have some norms and agreed upon standards and expectations," he said, adding that Trump made clear in a recent meeting with Russian President Vladimir Putin that Moscow's campaign hacking was unacceptable.
The Obama administration failed to take a strategic approach and instead adopted an ad hoc policy toward the Russian activities, he said.
The new policy will seek to clearly define rules on when cyber actions are unacceptable and "then move forward with punishing it when we find evidence of its abuse."
The administration will also seek international support for a set of rules for cyber space in the new policy.
"And we need to codify that in some way that we all find acceptable as a nation, and then we have the terra firma to go forward and say 'you have violated that rule and its time for you to be punished,'" he said.
Bossert then said he opposes policies that would rely on the United Nations or other multilateral institutions for approval for counter cyber attacks, since opposition within the organizations can stifle action.
"Once those rules are in place, I think history has taught us that that multilateral approach to action is a fools errand," he said.
"If we have a U.N. Security Council vote on what we're going to do to punish a bad cyber actor, it will likely be, inevitably be held up with a vote and an objection on whether you have enough proof, whether you've shown your evidence and revealed your classified programs and all the things we've seen in the past as nonstarters in cyber attribution."
Instead, the administration would prefer a bilateral approach to punishment in cyber space. That would entail the U.S. government working with a single friendly country to assess the evidence of nefarious cyber activities and confirm that it violated established rules and then take action.
"And here's where we're playing jazz music, by that I mean we're improvising," Bossert said. "There is no playbook for what is [a] proportionate [response] in cyber."
That will require conducting counter attacks—whether by cyber means or in some other form such as diplomatic, economic, military, or intelligence action—to determine what brings about the desired effect, he said.
Bossert also does not believe that conducting retaliatory cyber attacks will work toward creating deterrence. He instead prefers other means of retaliation.
"There's no evidence to suggest that offensive cyber is a deterrent," he said. "Nobody's sitting around saying 'They might hack us so don't hack them.'"
That applies to non-government hackers and nation states with robust cyber attack capabilities.
Instead, Bossert said he would like to use secondary sanctions that would prevent hostile cyber actors from using the international financial system.
"We haven't figured out yet what we want to do in terms of punishment," he said.
One nation that is cooperating with the United States in bilateral cyber activities is Israel, which recently concluded an agreement on the subject.
Bossert said he agrees with intelligence assessments about the Russian hacking but noted there was no evidence Moscow was able to affect voting machines or ballot boxes.
Bossert also defended the U.S. government's handling of software vulnerabilities that are used for cyber intelligence gathering. Ninety percent of the software holes are made public and about 10 percent are used for cyber penetrations.
Giving up the use of the vulnerabilities would be "intentional disarmament," he said.
On other issues, Bossert also said the administration has decentralized its counter terrorism policies with the goal of to giving more authority to commanders on the ground to take action.
"We have just decentralized authority," he said.
Instead of focusing on terrorist leaders, the new approach will be focused on terrorist groups. If someone joins ISIS or al Qaeda they are considered enemy combatants and will be targeted, he said.
Bossert was also critical of the slow process of conducting military tribunals for terrorists held at the U.S. prison in Guantanamo Bay, Cuba.
For example, Khalid Sheikh Mohammed has a 25-person legal team and yet his tribunal has been delayed for years.
The administration also will continue to hit Iran with sanctions since Tehran remains the leading state sponsor of terrorism and continues to take hostages.
Additional financial sanctions are likely to be imposed on Iran, Bossert said.