According to the Justice Department, a team of hackers sponsored by North Korea spent years infiltrating American companies to steal trade secrets and intellectual property. We know from the investigation of former special counsel Robert Mueller that Russian military intelligence groups hacked computer systems in the United States and spread social media disinformation to impact the 2016 election. More recently, we learned of a campaign by hackers backed by the Chinese government to spy on individuals through cyberattacks on global carrier companies.
These may not be traditional acts of war. But make no mistake, they are hostile military grade actions against our companies, our government, and the public by foreign adversaries, and they are only getting worse. The United States is in a de facto state of war that is no less real for it being fought on a digital rather than a traditional battlefield. If a foreign army killed American citizens at home or abroad, there is no question that a conventional military response would be called for. Every nation has the right to defend itself against an armed attack under the United Nations charter. Similarly, if a foreign country was found to have supported a terrorist group in carrying out a violent assault against Americans, most would agree that some form of military retaliation would be warranted.
Yet when it comes to state sponsored cybercrimes, cyberespionage, and other offenses in the digital world, whether and how to confront these actions become a lot murkier. There is the issue that, unlike identifying a foreign uniformed enemy, definitively attributing a link between a foreign state and a hacking group can be extraordinarily difficult. Then there is the problem of proportionality, whereby international law does not permit a violent response to cyber operations which, while they are politically and economically damaging, do not rise to the level of an armed attack. While cyber countermeasures are available and justifiable, retaliation in the form of stealing corporate secrets from Chinese or Russian companies is not something the United States has any interest in pursuing right now.
Traditionally, the United States has relied on the criminal justice system to bring charges against foreign cyber criminals. As part of his wide ranging investigation on Russian meddling, Mueller indicted more than two dozen Russian nationals as well as three Russian entities on conspiracy charges for interfering with the 2016 election. However, with no legal mechanism for arresting these people, there is no chance any of them will be tried or face consequences for their actions against us.
Foreign policy by indictment does little but broadcast the limitations that the United States system imposes when dealing with countries who will never hand over their citizens to face American justice. Another option is to designate hacking groups as foreign terrorist organizations, which would cut them off from financial markets and provide broader tools with which to pursue them. However, the designation process is slow, and the end game is ultimately criminal prosecution, which poses the very same limitations of having no likelihood of ever getting them into federal court.
President Trump can impose sanctions to punish nations that support “significant malicious cyber enabled activities,” which could include cyberterrorism and other attacks on our economy. This is likely the most effective way to exert pressure on American adversaries without resorting to kinetic military action. But sanctions will no doubt prompt retaliatory trade and economic actions, the brunt of which are ultimately felt by American companies and consumers. This is less of an issue with nations already facing severe sanctions such as Iran and North Korea, but the Treasury Department has been loath to impose meaningful sanctions on China presumably out of fear for how that would impact our economy.
Unfortunately, despite our American military and economic might, these state sponsored cyberattacks have gone largely unanswered. As long as we remain in a strictly defensive posture and allow foreign states to act with impunity, these attacks will only become more brazen. None of Iran, China, Russia, or North Korea would ever take on the United States in a total armed conflict. But the digital world provides them with a near level playing field from which to probe our weaknesses, shake our confidence in our institutions, and prepare for any debilitating attacks in the future.
We have already witnessed the severe damage and discord resulting from Russian interference with the 2016 election. American companies, critical infrastructure, and government institutions are under attack every day by foreign enemies trying to gain a strategic advantage. The United States may not be facing a traditional enemy with weapons and tanks on the battlefield, but we are fighting a host of adversaries in the digital space. Unless we work with our international allies, develop a new set of cyber norms, and devise a better strategy to confront this threat, it is far from certain that we will emerge victorious in this modern international battle.
Joseph Moreno is a former federal prosecutor with the Department of Justice, a former staff member with the 9/11 Review Commission of the Federal Bureau of Investigation, and a United States Army combat veteran. He is currently a litigation partner with Cadwalader Wickersham & Taft. You can follow him on Twitter @JosephMoreno. Sam Curry is the chief security officer for Cybereason. He previously held leadership positions at McAfee, Computer Associates, and other technology companies and startups. He holds more than 20 patents in cybersecurity and also sits on the board of the Cybersecurity Coalition. You can follow him on Twitter @SamJCurry.