A recent Defense Department report to Congress warned that foreign nations run a “grave risk” if they threaten or launch a large-scale cyberattack on the United States, and it announced for the first time that the Pentagon possesses cyberweapons the president can deploy in the face of such an attack. The report aims to bolster U.S. deterrence against cyberthreats but, in fact, highlights weaknesses in our deterrence policy.
The Pentagon’s threat applies to “significant” cyberattacks. It does not purport to deter small-scale ones. Nor does it address “cyber exploitations” that — in contrast to cyberattacks,which damage or disrupt a computer system — copy or steal information on a computer system. Cyber exploitations of valuable government and business secrets are vastly more pervasive than cyberattacks and, at present, are a more serious national security threat. They are also significant because they often cannot be distinguished from cyberattacks, at least until an attack begins. Passivity in the face of cyber exploitations thus encourages cyberattacks.
The government has not done much in response to foreign cyber exploitations because the United States itself engages in them extensively abroad and because cyber exploitations do not violate international law, and thus would not justify a large-scale military response, kinetic or cyber.
The bottom line, then, is that the government has yet to threaten a response to the most common and currently damaging cyberthreats and has limited its public threats to low-probability, large-scale attacks. It is unclear whether any nation with the means to carry out such attacks possesses the incentive to do so. But even if it did, the Pentagon’s new policy won’t change these incentives much.
To see the real-world concerns, consider the recent report of an Illinois water plant pump disabled by cyberattack. Had the attack been carried out with kinetic bombs attributable to a foreign country and had it disabled water pumps across the Midwest, significantly disrupting the water supply, the United States would have quickly responded with kinetic military force. But if a cyberattack brought down multiple pumps, a military response, by cyber or kinetic means, would not be as fast or as bold because the attack’s author can hide its tracks and would be much harder to identify.
The recent Pentagon report says that the government is making progress on this “attribution problem,” but it has a long way to go. Issues the government must consider include: Where did the attack originate? Was the computer in a suspected country in fact controlled by a computer in a third country? If the attack originated in, say, Russia, did a Russian agent operate the computer or was it someone else? And even if the government knows who is behind the attack, is its evidence disclosable in a way that would permit the United States to justify a large-scale response to audiences at home and abroad?
Such challenges were underscored by The Post’s report Friday that the supposed “foreign hacker” of the Illinois plant turned out to be a contractor of the plant, who was traveling in Russia. Similarly, a 2009 cyberattack widely reported to originate in North Korea was later reported to originate in Miami.
Because attribution for cyberattacks takes time and is sometimes impossible to determine with certainty, a military response of the type promised in the Pentagon report will be slow and uncertain to avoid mistakenly initiating war with the wrong country. Our adversaries understand this. They also know that even when the government can attribute an attack, its lawyers place tight constraints on the use of offensive cyberweapons. Gen. Keith Alexander, the head of U.S. Cyber Command, says he needs “more authority” to defend national interests in cyberspace. All of these factors undermine the credibility of the government’s threatened response to large cyberattacks.
The government can begin to improve deterrence for large-scale cyberattacks by taking concrete retaliatory steps against cyber exploitations and low-level cyberattacks. When attribution is not a hurdle, it can engage in small-scale anticipatory or retaliatory attacks on the threatening foreign computer systems in ways that would not violate international law. It can also use non-military weapons, such as political and diplomatic sanctions and the publication of embarrassing secrets about foreign governments. These steps would demonstrate resolve and increase the credibility of retaliation for large-scale attacks that the government can attribute. They would also constitute the beginnings of a strategy to deal with the more serious contemporary problem of cyber exploitations.
Some argue that such retaliation will adversely affect diplomatic and economic goals, especially in relations with our chief cyber adversaries, Russia and China. But if the cyberthreat is as serious as the government says, it must respond concretely when it has decent attribution, and Congress must give the administration the authorities it needs to do so. Events of the last decade have shown that, in the absence of concrete retaliation, complaints and vague threats will only embolden our adversaries.
The writer is a law professor at Harvard and a member of the Hoover Institution Task Force on National Security and Law. He served on the National Research Council committee that produced the study “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.” The views expressed here are his own.