US aggression risks deepening cyber conflict

Analysis

The National Cybersecurity Strategy (NCS) permits the use of "all instruments of national power" to "prevent, respond to, and deter" malicious cyber activity, including "diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities".

The Obama-era 2015 approach focused on building norms of appropriate action in cyberspace and advised US restraint. The new strategy permits aggressive action.

This shift is attributable to criticisms that the United States has failed to tackle recent cyberattacks, most notably the Democratic National Committee hack and 2016 election interference, and the 2017 NotPetya ransomware attack, which cost about 10 billion dollars.

The NCS does not specify precisely what US actions may now ensue, but some implications are clear.

External vendors

It requires that federal contracts contain provisions authorising the government to assess and test contractors' cybersecurity protections. Previous policy relied on contractors to evaluate their systems.

There is greater focus on supply-chain security and to exclude "risky vendors, products and services". Details are unknown, but the NCS envisions a "supply-chain risk-assessment shared service" to help government agencies share information.

Government contractors, therefore, likely face more robust contracting standards and requirements.

Risk management

The NCS places more emphasis on cybersecurity risk management, ie, preventing problems and preemptively mitigating systemic risks that affect companies and individuals. The US government will also review contractor risk-management and incident-response practices.

DoD Cyber Strategy

Unlike the Department of Homeland Security, which released the NCS, the DoD published only a summary of its new Cyber Strategy; details are classified.

A stark departure from previous policy is evident in key areas.

Offensive cyber activity

It demotes deterrence as the foundation of US cyber strategy and moves towards a policy of "persistence" and "defending forward". The aim of "defending forward" is to "disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict". The goal is to stop threats from reaching their targets.

This shift is important. Previously, states have found it challenging to determine proportional response to offensive cyber operations such as alleged Russian election interference in 2016. While sanctions have been criticised for their leniency, a military reprisal would have been excessive.

The DoD can now intrude into US adversaries' networks, beyond US geographic boundaries, and degrade adversarial cyber capabilities. This may involve manipulating the adversary's devices and infrastructure to prevent their cyber unit from accessing the internet, as opposed to a reactive strategy like hack-backs.

Identifying adversaries

The document names China and Russia as adversaries engaged in "persistent campaigns" as opposed to individual cyberattacks. This departs from the 'whack-a-mole' policy of reacting to individual attacks and allows US action in cyberspace "during day-to-day competition".

This entails more intelligence collection, developing military cyber capabilities, disrupting malicious cyber activity in adversaries' networks, and strengthening the resilience of US networks and systems.

Risk of escalation

The new aggressive stance risks conflict escalation (see INTERNATIONAL: Cyber conflict will be more destructive - April 25, 2018).

As the 2017 WannaCry and NotPetya attacks showed, malware quickly spreads beyond its intended target due to the interconnectivity of cyber-physical systems.

The NotPetya attack was meant to target Ukraine, but it ended up incapacitating an array of companies and organisations globally. Here there were clear indicators, notably tensions between Ukraine and Russia, that the attack had spread unintentionally.

However, such indicators may not always be present. Upon detecting an intrusion, the victim may not be able to distinguish between an accidental breach of an interconnected system, routine intelligence collection and sabotage.

The risk of a victim misinterpreting intent and responding strongly is, therefore, high. At worst, a cyber stand-off could spill over into conventional warfare.

Adversaries' response

Both documents serve as a powerful signalling mechanism to US adversaries, especially Russia, China, Iran and North Korea, that their actions in cyberspace have consequences -- not just in terms of defensive action but also offensive campaigns.

If the new approach is implemented, China, Russia, Iran and North Korea will find it harder to launch successful cyber campaigns. However, the outlook for overall cybersecurity depends on whether US cyber aggression provokes caution or escalation.

In the former scenario, states such as China and Russia could reduce offensive cyber actions, and possibly work on creating international norms of appropriate behaviour in the domain, which lies between war and peace.

Alternatively, offensive US action and intrusions into Russian and Chinese networks may lead both states to develop more targeted, sophisticated operations for strategic gain, and harder to trace operations to impede attribution efforts. This would trigger an escalatory spiral and could involve, for example, cyberattacks on US critical infrastructure. In 2015 in Ukraine, which often serves as a testing ground for Russian cyber operations, Russia targeted energy providers, leading to blackouts.

Midterm test

Cyber activity around the US midterms in Novemebr will indicate these states', especially Russia's, response to the new US posture.

It will also help clarify how the new US policy is to be implemented while there is still doubt about the identity of the perpetrators of a cyberattack at the highest levels of government.

Attribution of cyberattacks is often more feasible than commonly acknowledged, but Trump has frequently raised doubts about the US intelligence agencies' assessment of Russian interference in 2016 (see RUSSIA: US charges designed to prove hacking - July 27, 2018). Without decisive attribution, it might be difficult to launch more assertive campaigns or even signal resolve to do so.

Five Eyes alliance

The other four members of the 'Five Eyes' intelligence-sharing alliance (the United Kingdom, Australia, Canada and New Zealand) are unlikely to replicate Washington's aggressive approach. Australia has not suffered destructive cyberattacks, neither have Canada or New Zealand.

The UK National Cyber Security Centre, possibly in coordination with US counterparts, today attributed six high-profile cyberattacks, including the Democratic National Committee hack, to Russia's military intelligence service, the GRU, and listed several Kremlin-linked cyber actors.

Such public attributions are not unprecedented, but the statement is unusually detailed and strong. Absent concrete retaliatory action such as additional sanctions, the statement is a deterrence strategy, which has thus far proven ineffective.

There are no signs that the United Kingdom, like the others in the Five Eyes alliance, will join forces on (publicly known) offensive actions in cyberspace; they have cooperated previously on attribution statements. In turn, this means that possible retaliation from adversaries for aggressive US cyber actions will be targeted narrowly at the United States.