Time for a doctrine on cyberspace defense?
As American citizens, businesses and government agencies come under increasingly disruptive attacks in cyberspace, a change in our approach to defending this relatively new domain is long overdue. As they undertake this effort, policymakers can find some helpful lessons in the history books.
Before we get into those lessons, it’s important to discuss some of the assaults our enemies are unleashing on America’s corner of cyberspace.
There were 203 million ransomware attacks targeting U.S. entities in 2020. These are attacks that lock a computer network and then demand ransom money to allow the network’s owner to regain control.
In May, Colonial Pipeline, which administers the major fuel arteries serving much of the East Coast, was hit by ransomware from a group called DarkSide. As Emily Harding of the Center for Strategic and International Studies explains, DarkSide is “a Russia-based entity…no cyber-group operates there without Moscow’s knowledge.” The attack triggered a spike in gasoline prices, gas-station closures and panic hoarding, as the food supply, livelihoods and freedom of movement of 100 million Americans were held hostage.
Less than a month later, a ransomware attack targeted meatpacking giant JBS, which processes much of America’s beef, pork and chicken. Again, the ripple effects were widespread: Plants were idled; wholesale meat prices jumped; livestock deliveries were delayed; slaughterhouses were forced to slow production; restaurants and families faced higher retail prices. And again, a Russian hacking group was behind the attack.
These are just the most recent examples.
In early 2020, hackers working for Russian intelligence piggybacked onto a software update issued by IT management firm SolarWinds. Unbeknownst to SolarWinds or its customers, the sophisticated Russian malware reached into 100 companies and a dozen U.S. government agencies, including Microsoft, Intel, Cisco, and the departments of Defense, Treasury, Justice and Energy. It’s been described as a “nightmare” attack.
The Department of Homeland Security discovered in March 2016 that “Russian government cyber-actors … targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
China has used cyberattacks to infiltrate subcontracting systems related to the development of the F-35 and C-17. China launched “spearphishing” attacks against Westinghouse, Alcoa, Allegheny Technologies and U.S. Steel. And according to IT security firm Mandiant, a cyber-force within the People’s Liberation Army (PLA) known as “Unit 61398” has stolen “hundreds of terabytes of data from 141 companies.”
Equally worrisome, China penetrated the Office of Personnel Management and compromised the financial and personal data of 21.5 million Americans. U.S. officials describe it as “the most devastating cyberattack in our nation’s history.”
North Korea has launched cyberattacks against U.S. companies conducting COVID19 research.
Iranian cyberattacks have siphoned intellectual property from 144 U.S. universities and 36 U.S. companies.
What America is weathering in cyberspace is nothing less than economic warfare: China alone steals between $225 billion and $600 billion of American intellectual property — every year.
Yet the cyber-siege extends far beyond espionage and intellectual-property theft. We learned during the JBS and Colonial hacks that disruption of services and supplies caused by cyberattack represents a serious threat to U.S. interests. Such cyber-disruptions can lead to real-world destruction of wealth, property, health and civil order.
For instance, cyberattacks against hospitals in Oregon, New York and Nevada — all emanating from a group called Ryuk, which is tied to Russian intelligence — crippled their ability to deliver critical care.
North Korea’s WannaCry attacks triggered chaos in Britain’s hospital system. Pyongyang’s DarkSeoul attacks destroyed 32,000 computers at South Korea’s largest banks and broadcasting companies.
In early 2021, the water treatment plant of a Florida town was hacked, and its sodium-hydroxide levels remotely altered. If not for an alert technician, 15,000 people would have been poisoned.
Iran’s Shamoon computer virus destroyed 30,000 computers supporting the Saudi oil industry.
In 2015, Ukrainian utilities were hit by a Russian malware attack, leaving 80,000 people without power in the dead of winter. There are indications China conducted a cyberattack against India in 2020 that triggered blackouts in Mumbai.
Since these attacks are largely confined to that invisible realm of terabytes and code, rather than the realm of blood and bullets and bombs, most Americans have overlooked this new form of warfare. That mindset may finally be changing.
“There’s a growing awareness now of just how much we’re all in this fight together,” FBI Director Christopher Wray said after Colonial and JBS.
Indeed, there’s broad support across the political spectrum for going after state-sponsored cyber-groups.
“They’re terrorists,” President Obama’s defense secretary Leon Panetta says of the hackers striking U.S. infrastructure. “They’re operating out of Russia, and they are going after some very important infrastructure in this country…it is weakening the United States.”
“We need to go on offense,” Sen. Lindsey Graham, R-S.C., said after the Colonial hack. “It’s time for the Russians to pay a price here because none of this would happen without their looking the other way or actively encouraging it.”
“They can’t allow international criminals to operate with impunity within their borders,” Sen. Angus King, I-Maine, says of Putin’s intelligence services.
Panetta, Graham and King are pointing Washington in the right direction, and there’s evidence U.S. agencies are beginning to punch back.
A large portion of the ransom Colonial paid to unlock its network was seized by the U.S. government. Plus, “Within a week of the Colonial Pipeline attack, DarkSide disappeared,” Harding reports. Perhaps this was the result of a decision within DarkSide’s leadership aimed at self-preservation. Perhaps the Kremlin stepped in. Or perhaps DarkSide’s disappearance was the result of a U.S. cyber-strike.
We may never know what caused DarkSide to disappear or how the millions it stole from Colonial was recovered.
What we do know is that Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, says, “We’re using cyberspace to reach out through the electromagnetic spectrum to…deliver effects.” U.S. CYBERCOM adds that its strategy of “continuous engagement” imposes “strategic costs on our adversaries.”
We know the CIA has been given broad authority to conduct offensive cyber-operations.
We know that someone hacked into the operations and hardware of Chinese telecommunications firms.
We now know that ahead of the 2018 midterm elections, CYBERCOM blocked a Russia-based hacking army known as the Internet Research Agency from accessing the Internet. We now know that CYBERCOM “conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020,” CYBERCOM commander Gen. Paul Nakasone reports.
We know that North Korea’s swath of the Internet has inexplicably gone dark for stretches of time. We know that “a large number of the North’s military rockets began to explode, veer off course, disintegrate in midair and plunge into the sea,” according to open-source materials, around the time the U.S. conducted cyberoperations targeting Pyongyang’s missile program. One North Korean missile saw failure rates of 88 percent.
We know that Iran was the target of a massive U.S. cyberoperation known as Olympic Games. A key element of Olympic Games was the Stuxnet computer virus, which became the first cyberattack “used to effect physical destruction,” according to former CIA director Michael Hayden.
Even so, clearly more must be done to punish and deter cyberattacks targeting America’s economy and critical infrastructure, which brings us back to those lessons from the history books.
Panetta points us toward one helpful history lesson: State-based hacker networks are very much like terrorists, and they should be treated as such.
Russia, China and their ilk are obligated, as sovereign nation-states and members of the United Nations, to prevent the use of their territory and computer networks as launchpads for cyberattacks against other nation-states — just as the Taliban, Saddam and Qadhafi were obligated to prevent the use of their territory as spawning grounds for international terrorism.
To be sure, we have to be deliberate and careful in dealing with the cyber-terrorists protected by Russia and China. As great powers, they are in a different category than the Taliban’s Afghanistan, Saddam’s Iraq and Qadhafi’s Libya. But by the same token, Russia and China must understand that they should be deliberate and careful in dealing with the United States. So, while Washington should give Moscow and Beijing face-saving alternatives and keep certain targets off limits, U.S. policymakers should make clear that certain actions are considered hostile — and that such actions will no longer go unanswered.
Toward that end, U.S. cyber-assets could preemptively cut off hacker armies from cyberspace, destroy their software and hardware, arrest their footsoldiers when possible, and seize their cryptocurrency assets.
Further up the ladder, the CIA’s cyber-taskforce, CYBERCOM or other agencies (depending on U.S. law) could zero-out the off-shore accounts of Putin’s oligarch cronies; disable the banks and mobile-phone system in Crimea, just as Putin did in Estonia; implant bugs or backdoors in the intellectual property Beijing is stealing from U.S. defense contractors and then activate those digital timebombs to yield defective military hardware for the PLA; disable network pathways used by Chinese nationals to deliver what they harvest in their hack-and-steal operations; create cracks in the Great Firewall of China and thus enable the Chinese people to share information and ideas.
Harvard law professor Noah Feldman offers another relevant history lesson: These hacker groups are modern-day pirates. “Ransomware-piracy comes from states that either don’t bother to suppress the practice or else actively participate in it,” he explains, concluding that the only way it can be curtailed is if the U.S. and other countries use “their power and influence to change the incentives” of those harboring the cyber-pirates.
The weapons in this war on cyber-piracy, according to Feldman, include sanctions against state sponsors, targeted cyber-counterattacks and a clear pronouncement that ransomware-piracy could be considered an act of war.
The State Department is parceling out sanctions. The CIA, NSA and CYBERCOM are carrying out counterattacks. Perhaps it’s time for the White House to let it be known that the actions of cyber-pirates and cyber-terrorists — under the wink-and-a-nod protection of Moscow and Beijing — could trigger real-world military consequences. It’s worth noting that Russian military commanders contend that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.” Related, NATO recently declared that “malicious cumulative cyber activities might…be considered as amounting to an armed attack.”
A U.S. cyber-defense doctrine might sound something like this: “Any use of cyberspace to interfere with, disable or attack U.S. critical infrastructure — including systems that support military operations, military communications, and military command and control; energy extraction, storage, supply or delivery; transportation arteries; financial and banking activities; civilian communications and computer networks; the delivery, storage or supply of water, food and medical care — will be considered a hostile act and will be met with a retaliatory response in a time, place, manner and domain of America’s choosing.”
While Washington goes on the offensive, it’s crucial that American industry and government pursue digital resiliency (the ability to maintain offline backups of data needed to run operations) and non-digital redundancy (the ability to carry out at least rudimentary operations without depending on cyberspace). It pays to recall that not long ago, American government and industry delivered essential services, maintained critical infrastructure, and defended the nation without the Internet.