Opinion: Will 2015 be the year we shoot back in cyberspace?
This could easily be the year the White House approves a Department of Defense counterattack to disrupt an ongoing cyberattack on a US company.
It has been US policy that 鈥渢he US response need not be limited to criminal prosecution [and] reserves the right to respond in an appropriate manner.鈥澨
Statements by the White House and military leaders have only become stronger since. For example, when he was head of US Cyber Command,听Gen. Keith Alexander testified to in 2012 that 鈥渁ny actor threatening a crippling cyberattack against the United States would be taking a grave risk.鈥
Still, despite the bluster and stated range of policy options, such retaliation hasn't happened 鈥 yet.听
After the incredibly dangerous and sophisticated US Stuxnet attack on the Iranian nuclear enrichment program, few nations can doubt the US capabilities to conduct such a counteroffensive. But听the last few years of attacks without a military response听may give them reason to doubt the听US willingness听to do so.
The idea of US reticence on counterattacks will strike some observers (say,听in Germany or Silicon Valley) as not fitting the facts. But in reality, the eagerness to use cyberspace for spying and covert action is not matched by hawkishness to counter such actions against the US.
Given the North Korean dismantling of Sony Pictures (and have no doubt, Kim Jong-un's online brigades were responsible) the White House is probably sorry they didn鈥檛 take a stronger stand against the in 2011 and 2012.听听
These attacks 鈥 which only affected individual banks 鈥 were not devastating to the financial sector as a whole, so they were allowed to continue with little official response. Despite repeated requests from the banks under attack, the US government provided no digital bailout (the words 鈥渕oral hazard鈥 were sometimes used), and it was left up to banks to defend themselves.
In the aftermath of the incidents, the US government never called out Iran specifically and the White House didn鈥檛 authorize US Cyber Command to disrupt the computers coordinating and carrying out the attack. The government was possibly self-deterred because of ongoing negotiations with Iran or a perceived lack of legitimacy after Stuxnet was revealed.
Perhaps, if the US had taken a more muscular stand, North Korea might have had second thoughts, though that might be asking too much of that particular regime. At least the military would have had some practice in how to respond to nation state disruptive attacks.
It is no surprise, on the other hand, that there was no outgoing cyberfire to suppress the Sony assault. The worst damage was done as soon as the attack became apparent, with all the information already stolen, while the most likely targets to retaliate against were located in China. There鈥檚 no way the US would take that shot for such limited gains.
We might not have to wait so long for the next state-sponsored disruptive attack, and it may be far more dangerous. Russian President Vladimir Putin perceives a deep conflict with the West and if his economic back is against the wall, he may unleash a just-deniable-enough attack, covering the West in flagless 鈥渓ittle green bytes鈥 so that we feel concomitant economic pain.听听
Iran might also feel it has little to lose and much to gain if the nuclear talks fail. Should talks break down and Congress take action, the ratcheting of sanctions (and the possibility of military strikes) could entice them to lash out in cyberspace.
Either Russia or Iran would present a far more dangerous adversary than North Korea鈥檚 against Sony. That was a one-off attack on noncritical infrastructure while Russia and Iran would almost certainly bring a full campaign of attacks, a string of Sonys, but directed against more economically important targets.
Post-Sony, it is likely the White House will feel compelled to support US companies by authorizing the Pentagon to at least disrupt the incoming attack. In fact, US Cyber Command is already for exactly that mission and you can bet they will be chomping at the bit.
Prior to that day, the National Security Council will need a decision matrix on when to authorize a counterattack to disrupt a foreign nation鈥檚 disruptive attacks against US entities.听
Such a matrix must incorporate at least the following criteria:
- Criticality of the target to the US economy, security and society;
- Possible impact of a successful attack (for example, attacks on a bank鈥檚 trading system are in a far different class than attacks on its websites);
- Likely identity of the attacking nation;
- Geopolitical context, especially if a counterattack will cause further escalation;
- Likelihood a counterattack will cause collateral harm either in the adversary nation or in bystanders鈥; and of course,
- Likelihood that a counterattack would succeed.
Nations are increasingly choosing to actively fight in the grey space between all-out war and true peace. The scope, duration, and intensity of cyberconflicts have consistently increased for over two decades.听
US counterattacks might be just the thing to raise the costs for adversaries who feel they can attack US companies with impunity. Of course, it might also spur on others to counter attack against our own cyberoperations and continue the spiral of escalation.听
Planning for the next, more dangerous Sony is the first step towards ending up on the best side of that equation.
Jason Healey is the director of the Cyber Statecraft Initiative of the Atlantic Council and editor of the first history of cyber conflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012. You can follow his thoughts and analysis on cyberissues on Twitter .
听
