We Can’t Just Respond to Cyber With Cyber

Rhea Siers
Former Deputy Associate Director for Policy, National Security Agency

The Russian hacking of the Democratic National Committee (DNC) and subsequent leaking of sensitive internal communications has remained front and center in the U.S. consciousness. President-elect Donald Trump has consistently dismissed the U.S. intelligence community’s unanimous conclusions on Russian culpability, creating a deep rift between the incoming administration and those agencies fundamental to the nation’s security.

On Thursday, the Senate Armed Services Committee held a hearing with the nation’s intelligence chiefs over the growing challenges presented in cyberspace. The Cipher Brief sat down with Rhea Siers, the former Deputy Associate Director for Policy at the National Security Agency (NSA), to get her take on everything from the impact of the incoming administration to deterrence and international norms within an overarching cybersecurity strategy.

The Cipher Brief: The recent Senate Armed Service Committee hearing with the intelligence chiefs seemed to emphasize the many challenges the United States faces in cyberspace, from critical infrastructure to foreign government interference in the U.S. election. Do you have any recommendations to address these issues?

Rhea Siers: In a sense, we have some of the answers in front of us. We have been following adversaries like Russia and China in cyberspace for a long time. We understand the nature of the threat. The question is when and how are we going to engage in cyber deterrence in a coherent fashion that protects critical infrastructure in this country, including the private sector, which bears a huge cybersecurity risk. Right now there are presidential memos and government strategies, many of which remain classified. But it is uncertain how strong and effective our deterrence is.

Furthermore, we have been set back by President-elect Donald Trump. We are arguing – in public – about attribution, instead of working together on the next stage of our cyber strategy.

Director of National Intelligence James Clapper put it perfectly: it is okay—in fact important—to be skeptical of any analysis presented, and to ask good questions about it. But to take the path that the President-elect has, in denigrating the intelligence community consistently, from the beginning of this whole mess with Russia, is a serious issue. We are going to suffer significant damage to our intelligence community and national security if we have a President who is publically casting aspersions on everything briefed to him.

This is just as dangerous as some of the threats enumerated at the Senate Committee hearing. Hopefully the President-elect has senior officials that help him change his course as soon as possible, or somehow the briefings he receives will stop this negative twitter storm.

TCB: The President-elect has spoken of emphasizing cybersecurity in his administration. But has his dismissal of the intelligence community’s findings hampered the development of some of the key tenets of an overarching cyber strategy?

RS: Yes, because now we essentially go back to square one. It’s normal to have a learning curve for some members of an incoming administration and it’s incumbent on the intelligence community to provide as much as possible to lessen the learning curve. It is normal for an incoming administration to look towards potential areas of change. One would sincerely hope that the intelligence and cyber transition teams for the Trump administration are in and outside the intelligence agencies speaking with everyone they can; reading the thick briefing books that have been prepared, and asking good questions.

But as I previously discussed, the intelligence community is also dealing with an incoming administration that appears to not only be questioning everything they are told, but also denigrating the intelligence community’s efforts publically. So we are stuck in a situation where we have to gain the confidence of people who may disdain the intelligence community. That sets us back, not just on cyber, but also in every other intelligence-related activity. It is really disconcerting, and anybody who has spent time in the intelligence community will tell you this is a very unhealthy development.

TCB: Senator Lindsey Graham made the point in the hearing that the U.S. response to Russian interference should be to “throw rocks” rather than “pebbles.” How does this relate to an overarching deterrence strategy in cyberspace?

RS: Deterrence in cyberspace means that our adversaries have to absolutely believe that we are going to do what we say we will do.  Obviously, some operations responding to the Russians are classified—so we can only see the public “tail” of sanctions and we don’t know how big those rocks are that Senator Graham refers to. 

We have a deterrence policy. The Obama administration released it in 2015. But the Russians have to believe that we are going to do something that is effective and not just for window-dressing. Of course, Russian President Vladimir Putin may simply be willing to take the damage and continue on his path. It would be even better if the response to Russia could be accomplished multilaterally, rather than just unilaterally.

Cyber deterrence is not just intended for nation-states, but also for non-state actors like cybercriminals. To have a successful deterrence effort requires the private sector to cooperate with government. We have still not reached the point where we have adequately synced the private and public aspects of cyber, but we are doing better. Meanwhile, the private sector is also in the crosshairs of a potential retaliatory cyber response from our adversaries.

Where does that fit in in the transition right now? The transition team must be speaking with cyber experts in all disciplines, both within the intelligence community and the private sector. If the transition is relying on their own echo chamber of people who will only tell them what they want to hear on cyber issues, or anything else, then we have a bigger problem.

TCB: Some have argued the sanctions announced last week are largely symbolic, especially the ones against the Russian intelligence agencies. Would you agree the sanctions held purely symbolic value without a likely tangible impact?

RS: We can certainly push a little harder if we pursue a broader set of sanctions when talking about an economy like Russia’s. The question is, who will suffer from them? President Putin certainly will not. Therefore, sanctions need to be targeted and they need to be part of a multifaceted response—we can’t just respond to cyber with cyber. It is very important to have a complete strategy and, even better, have some idea of a strategy in place before an incident occurs, which the United States does to a certain extent.

It is very similar to a private companies operating in the cyber world but on a much larger scale. They have an incident response plan and know what they are going to do if they experience a serious intrusion. They know how to communicate and the actions they are going to take in response. The U.S. government does have that kind of contingency plan as well.

TCB: It seemed that Senator Graham’s comment on “throwing rocks” was hinting at either further sanctions or retaliatory cyber operations. Hypothetically, which agency in the U.S. government would conduct such retaliatory cyber operations and how could they go about it?

RS:  In this case, it may come down to a coordinated covert action. One would guess that if done properly, it would involve all intelligence agencies, integrating all assets.   But no matter which agency is running the primary role—whether it is the CIA, NSA, or the Department of Defense—there is still a clear-cut path for approval and authority for the operation, be it the President or the Secretary of Defense—especially if it involves damage to an adversary. 

This kind of cyber or integrated operation demands that level of attention because—depending on if there is any form of retaliation from the other side—it could get serious. Therefore, we have to very carefully think through what we are going to do, which may explain the hesitancy of the current administration under certain circumstances. What is the course of action? What is the potential blowback? What purpose does it serve? All of these factors must be first considered rather than just going in cyber guns blazing—even if it can be done covertly with the hope of plausible deniability.

TCB: Many of the issues regarding Russian hacking and influence operations are more about broader norms in cyberspace, but in the past, the U.S. has blocked attempts at international treaties—supported by Russia—on international cyber conduct. If not through international treaties, how does the United States hope to create norms in cyberspace?

RS: It is really hard to enforce treaties when countries deny their involvement even after it has already been attributed to them. The Russians can say “oh yeah, we didn’t interfere with the DNC, it was some cybercriminal.” If they are not going to even acknowledge the fact that there is attribution leading back to some of their proxies—it is a fairly well known that the Russians run operations that depend on criminal or surrogate elements in Russia and elsewhere—then why would a broad international treaty work at all? Also, where is the line between normal intelligence activity and interfering in an election? This is a critical aspect of any conversation on this issue.

Those attempts at international treaties for cyberspace can be simply a smoke screen. We have a model for international cyber norms in the Tallinn Manual—both versions one and two. It is an outstanding work authored by legal experts—not a treaty—and can certainly serve as the basis for multilateral and bilateral agreements. 

If we want to have an impact on norms, look at the Chinese example. Even though many were quite dubious of the memo the United States signed with China about cyber economic espionage, there have been reports that there has definitely been some change—at least in terms of private entities in China. Of course, its long-term impact remains to be seen. If we are serious about this, we need to choose an issue where we can come to a consensus, like cybercrime. For example, the Budapest Convention on Cybercrime, from the Council of Europe, is the kind of norm that can be successfully created, but there will always be “cyber outliers” who will not sign on or simply do not adhere to a treaty. How do we deal with them?

TCB: There is allegedly new evidence found after the November election that Russia leaked the material to WikiLeaks through a third party. Would this indicate the hacking of the DNC was also accomplished through a proxy group rather than directly by Russian military?

RS: There are three separate reports to be presented this week and next on Russia’s culpability—one unclassified, one classified, and one compartmented. This will contain the clearest attribution of the DNC breach and related Russian operations based not solely on technical data, but other intelligence as well.

It is the integration of intelligence that provides a confident conclusion, not solely technical data. However, there is certainly a history of the Russians—and Chinese among others—using proxy and surrogate groups, but we can’t say for sure unless evidence is provided in the report.

The Author is Rhea Siers

Rhea D. Siers is a Senior Expert in Cybersecurity for the Risk Assistance Network and Exchange (RANE) and the Scholar in Residence at the GWU Center for Cyber and Homeland Security. She is co-author of "Cyberwarfare: Understanding the Law, Policy and Technology" (Thomson Reuters).  She worked in the Intelligence Community for 30 years, and served as the Deputy Associate Director for Policy at the National Security Agency.

Learn more about The Cipher's Network here