When will we decide to hit back on cybersecurity?
The recent cyber intrusions into Sony and the U.S. Office of Personnel Management have highlighted to the general public a festering weakness: America’s cybersecurity policy framework is wholly inadequate. We continue to fumble the creation of a coherent strategy supported by clear operational guidelines and meaningful response capabilities.
Because we have not effectively addressed the problem, we’ve unwittingly raised the stakes in a way that will ultimately lead to a trigger event for which we’ll have no legitimate alternative beyond publicly declaring that “now you’ve gone too far,” followed by kinetic retaliation.
Our adversaries, our allies, and our nation deserve something better than the know-it-when-we-see-it strategy that currently guides our thinking.
Finding a solution to this challenge is no easy task. First, there is currently neither a domestic agreement nor an international norm against which we can measure a proportional response to a cyber-intrusion.
A generation ago, the federal government executed people for revealing nuclear secrets to our Cold War adversaries. But today we hardly notice when the Chinese government steals plans for our most advanced weapons systems, as has been widely reported, or exfiltrates the personnel files of tens of millions of federal employees.
Clearly our definition of proportional response to espionage has changed, leaving us vulnerable to the perception – never mind the reality – of arbitrary rules of engagement.
Therefore, the first order of business in crafting a solution is to define what constitutes a cyber-attack: Ostensibly, it is one that converts any kind of information into an action or event that either:
- interferes with individual liberty or personal choice;
- disrupts an activity of daily living or costs money to remediate; or
- destroys or handicaps a physical asset, irrespective of ownership or use.
These categories can help discriminate what matters more from what matters less.
Next, the U.S. should remove the destabilizing ambiguity of how we will protect ourselves domestically, and what would trigger a response overseas. The current impasse diminishes any deterrent because we are a rule-driven society, and it’s difficult to justify the use of force without clear rules. Importantly, such a framework could be designed to maintain flexibility and choice regarding individual privacy, corporate participation, and military response. These goals are not mutually exclusive; they just need to be clear.
When it comes to the actual response, the U.S. is well equipped to interfere with, economically disrupt, or kinetically harm an enemy. And while the U.S. government is widely believed to have successfully launched the Stuxnet virus on Iran’s nuclear program in a digital attack, we have been reluctant to actively respond to either that country or any of our other three largest digital antagonists – China, Russia, or North Korea – when it comes to internet mischief, data exfiltration, or outright theft.
So what, then, would constitute a proportional (re)action?
Establishing expectations is complicated because the international community has lost its confidence in U.S. leadership on this topic. They publicly complain of our broad definition of self-defense, regardless of the physical hazard. Even our friends privately raise concerns that we do not follow our own rules. But that does not mean we should not make them.
Our response to cyber intrusions should be subtle, dynamic, and known. It could range from slow degradation of a foreign network to more dramatic expressions of proportional discouragement. Our actions can be geographically scaled, penetratingly deep, and vaguely attributable. Their execution should be sanctioned and structured, not extra-legal or impulsive.
The U.S. government urgently needs to consolidate and rationalize its cyber capabilities. This will require muscular executive leadership as well as congressional collaboration and approval. Our cybersecurity policy apparatus is fragmented and fractured, with overlapping responsibilities, self-negating authorities, and internecine rivalries that handicap authentic defense at the expense of agency interest or prestige. The situation has gotten worse, even as the need has become more urgent.
But to do nothing, and to claim nothing, is to evince an unwise defensive posture of forbearance or inability, even as our adversaries ratchet up and test their capabilities as if it were a benign military exercise. We simply cannot continue to offer a well-lit terrestrial landing pad, easily accessed from borderless reaches of cyber-space. It’s high time we put some defenses around it, and made intrusion a more risky and expensive proposition.
Levin is CEO of Amida Technology Solutions and a visiting senior fellow at the Center for a New American Security (CNAS). During the first Obama term, he was the CTO at the U.S. Department of Veterans Affairs.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.