The Cipher Brief is taking a look at different expert perspectives on cyber threats this week. As one of those perspectives, we spoke with Nick Rasmussen, the former Director of the National Counterterrorism Center (NCTC), about the current cyber threat environment ranging from terrorism to nation state threats, to deterring attacks against the government and private industry.
The Cipher Brief: Has the U.S. done an adequate job in using offensive cyber operations to disrupt terrorist messaging? Are there opportunities and advantages to taking a more aggressive posture? Are there risks?
Rasmussen: There’s no doubt in my mind that we could have done a better job in recent years of disrupting terrorist messaging using cyber tools. During my period of government service, no set of terrorism-related issues was more complex, more controversial, and ultimately, more frustrating. In my mind, we often found ourselves debating the merits of various courses of action without all of the information — or even the informational framework — we needed to make good decisions. The challenges were many: how do you define and measure success in the cyber domain? Can you craft a widely accepted cost/benefit framework that allows you to have rigorous, data-driven discussions about what will be gained in terms of disrupting terrorist activities, as against what will be lost in terms of intelligence collection opportunities with specific proposed operations? Is it appropriate to “just do something” because you do have offensive capability, even if you can’t measure success or engender lasting effects on the “target”? On the other side of that coin, is it appropriate to “sit there and do nothing” when you can’t measure effects with precision, or reach consensus on a cost/benefit evaluation? Are those two poles the right way to think about the debate? In the realm of “process”, is it acceptable to have any one department or agency able to exercise veto power over prospective operations in order to protect particularly important equities? How do you adjudicate interagency disputes in this domain? As I was departing government service, I felt we had made progress in developing the operational and information framework needed to make good decisions, but we still had not reached the point where we had all of the pieces in place to do so at the speed that our terrorist adversaries were operating. My hope is that progress toward this set of objectives has accelerated.
The Cipher Brief: There were concerns after the U.S. walked away from the JCPOA agreement, that there might be retaliatory cyber attacks from Iran and that those attacks might target private industry. How concerned are you about that and what would an effective public-private defense look like on that front?
Rasmussen: It has been my belief that walking away from JCPOA raises the near term prospects for conflict with Iran, which could take many forms. As a result, there is a greater likelihood that Iran could turn to its cyber tool kit in the context of a “gray zone” conflict. Much like with its set of conventional terrorism tools, this affords the Iranian leadership the capability and the opportunity to attempt to carry out asymmetric and potentially deniable operations against U.S. interests around the world, thereby putting pressure on U.S. decision makers about how to respond, whether to respond in kind or with other capabilities at our disposal. All of this suggests to me that U.S. officials should be planning for these contingencies, much as we have planned for years to prepare for other Iran-related contingencies. As for public-private defense against potential cyber attacks from Iran, that seems to be a no-brainer, but in my view no more or no less so than with respect to other threat vectors in the cyber world. The government’s engagement with the private sector on cyber issues surely must include a discussion of potential hostile state action against cyber targets in the U.S., including critical infrastructure owned and operated by the private sector.
The Cipher Brief: The United States often does not talk about its responses to cyber attacks – from the OPA hack to Sony – the mantra is that not all cyber attacks warrant cyber retaliation, but then there are few details made publicly available about response. How important is it to get more information out in the public arena about the U.S. government’s response to cyber attacks aimed at either government or the private sector?
Rasmussen: One of the things that will contribute to effective defense and response against cyber attacks is enhanced deterrent capability — making clear to potential adversaries, and particularly to state actors, that cyber operations directed at the U.S. will result in unacceptable cost to the aggressor. Clearly having a more public profile to our cyber capabilities contributes to that enhanced deterrence. Of course, there are limits as to how much detailed information we should put out in the public domain on our cyber strategy and doctrine, but clearly the objective should be “just enough” information so that our adversaries choose not to engage against us in the cyber domain. Defining what constitutes “just enough” disclosure is a task that falls to those in government who know both our capabilities, and those of our adversaries, the best.