OPINION — The most recent Cipher Brief Threat Conference was better than ever, providing a unique opportunity to get a full sense of what’s truly “top of mind” for intelligence community thought leaders. Every speaker’s central concern was cybersecurity, threats posed by our most dangerous antagonists, mainly China, and the three other usual suspects, Russia, North Korea and Iran. For example, for his “top of mind,” to quote General Michael Hayden, former Director of both the NSA and the CIA: “It’s China, China, China.”
I was especially alarmed hearing about stealthy intrusions into our public utilities, such as our water supplies. Our most basic survival systems could easily be shut down, leaving us unable to conduct our daily lives, much less survive a war. Government agencies as well as private sector companies make enormous efforts to build protective defenses against these multiplying hacks and intrusions. It’s become a vast game of Whack-A-Mole with threat actors inserting their malicious code everywhere they please and we can barely keep up.
By the end of the second day of the conference, I became bothered by something more—and it finally came to me. Close to the entirety of our efforts to counter cyberattacks is devoted exclusively to defensive measures, with almost no discussion of offensive measures.
I brought up my concern with a few high-level conference participants. I was surprised that several immediately and enthusiastically agreed with me. But in these brief conversations, I also felt that I had somehow violated an unspoken rule by bringing up an unmentionable topic.
Our current posture has limited us primarily to tactical defensive measures when we really want strategic results: Decisively stopping damaging intrusions that—let’s be honest—are roughly equivalent to blatant kinetic attacks that threaten our very survival. Staying honest, we must admit that we cannot take a moral stance against cyber espionage, the gathering of classified secrets, because we do it ourselves to everyone else. But gathering classified information is different from inserting malicious code that can wreck our critical life support utilities.
I found myself thinking about a new strategic mindset that would move beyond perfectly “proportional” responses to malicious intrusions that continue to leave us harmed, exposed and vulnerable. We’re reduced to mostly playing a passive waiting game—until we discover—often just by luck—the next malign intrusion.
Our adversaries are happy with our self-imposed limitations. We predictably respond to cyberattacks almost entirely with defensive measures. They know we believe if we can’t prove beyond a shadow of a doubt that a specific actor was the cyber intrusion perpetrator, we’ll complain, but reliably fall back on our usual policy of just sitting on our hands. This brings to mind the Cold War worry about our nation being in danger of becoming “a pitiful, helpless giant.” That’s because in the cyber world our adversaries are playing by different rules. And they are winning. We are losing. Our passive policy means programmed failure.
A metaphor for our cybersecurity dilemma
Imagine a city with a well-trained and well-managed police force. Newly elected city leaders, devoted to their moral and humane concerns, decide to change their city’s police firearms policy. Police may still visibly carry handguns, but starting now, under no circumstances are they permitted to draw their weapons. And police are absolutely forbidden, for any reason, to actually fire their weapons. Very high-minded.
Over time, what will happen?
Inevitably, word will get around to the city’s criminal class about the new gun policy and it will get tested in real-life situations on the streets. Eventually, criminals will discover that the new gun policy is actually being followed by city police officers. Soon, wonder of wonders, the crime rate will shoot up for armed robberies and other felonious attacks. Criminals will come to realize there is no risk associated with their malign activities, so why not take full advantage?
What’s missing?
Changing our current mindset is key. To improve cybersecurity, we must make the leap from passivity to proactivity, from a strategy that doesn’t work and never will, to a strategy that can and will work. From exclusive reliance on defensive measures, a fundamentally passive posture, to adding a proactive strategy that uses offensive measures too. Accepting that although adding offensive measures can get messy and has its own costs, carefully crafted offensive postures have been historically able to solve extremely difficult problem sets and bring about success.
When we discover a hacking intrusion, what do we do?
We always strive to keep the peace. In that spirit, our main cyber agencies’ default position has been limited to defense. How nice we are. After all, we don’t want to make our enemies angry with us. They may escalate. As though they haven’t already. There’s serious weakness in this posture because this outworn policy merely kicks the can down the road and increases our long-term national security vulnerability.
We frantically try to patch over what we are lucky enough to find. Even if we engineer a quick fix, it’s only partially reassuring because we know almost certainly that countless other intrusions remain undiscovered, silently lurking. Must we rely on luck, hoping and praying to discover critical intrusions in good enough time before they bite us?
We may be holding our civilian values too dear such that it’s become unthinkable for us to properly face up to ruthless foes making true existential threats.
We have to change our overly passive mindsets and strike a better balance between defensive and offensive responses to cyberattacks.
Our occasional offensive measures
Rarely, we do hear that we launched an offensive cyber operation, like Stuxnet, which targeted the Iranian nuclear weapons program. Pretending to plausible deniability, Stuxnet quietly became public, as though we were ashamed of stooping to such a low level. But these days, who seems to care? Better for our enemies to know what we’re capable of and what they have to fear. Isn’t that what makes for real deterrence in our jungle world of international affairs? It’s always been that way and always will be.
Our top IC agencies, such as NSA, DOD and FBI, have certainly developed a variety of robust offensive cyber capabilities. But near as I can tell, they mostly sit on the shelf, waiting for a rainy day. Our agencies are too quiet about their occasional offensive cyber operations because otherwise we would already know about them. The absence of such actions misses a key opportunity for highlighting the importance of calling out malign cyber intrusions—ideally coupled with how we can reply to them—with forceful counterstrikes.
What our message should be
Our message should be that crossing our red lines is unacceptable and we will push back. There will be repercussions. Better for our warnings to be publicized so that our actions possess moral clarity. Punishments will be directly tied to the crimes that triggered them. This will help make our warning messages clearer and more justifiable—we always attach our responses to the moral point we want to make.
If and when we do choose to initiate cyber counterstrikes, public diplomacy principles require that they must make sense to publics at large, both within our country and in the country that attacked us.
A revised proactive policy that adds offensive measures needs to become our new modus operandi because our nation has become infamous for declaring red lines, but when they get crossed, we’re nowhere to be found. We must change our reputation for being weak at the moment of truth and hold accountable those who cross our red lines. If not, we become enablers of bad behavior that will worsen over time. Enabling bad behavior risks escalation to fully kinetic responses, because when things finally reach the point of being intolerable, nothing else will work. We prefer conflicts not to literally go nuclear.
Cybersecurity threat sources: Criminal gangs and state sponsors
Until recently, there were two main cybersecurity threat sources – criminal gangs and state sponsors, such as the usual four suspect nations mentioned above. We always suspected there were overlaps between these two main sources of threat, but now we know for sure they have converged. Most non-state cybercriminal gangs have previously operated under the implicit protection and even encouragement of the states where they resided, but now many appear to operate under the full direction of their state sponsors.
Private criminal cyber hacking companies
These companies openly sell to any and all comers. They work to discover Zero Day vulnerabilities and then sell them for astonishing amounts of money to other criminal gangs or state actors, which then exploit them before any protections can be put in place, often within hours or even minutes.
Ten million dollars is not unheard of as the price for a Zero Day exploit when it can cause the disappearance of literally billions of dollars in less than a day. Money is the top driver for these activities and this hidden world is hugely lucrative. That’s why it draws the best and the brightest within the hacker realm and the top players are paid very handsomely.
To add more complexity, their motivations are often not just about the money. They inhabit a unique culture where you earn your reputation by the brilliance of your exploits. Notice the parallels with male teenage gangs and how highly individual reputation is valued. Cyberpunk novels are filled with such characters. The very best hackers are true computer geniuses who also possess the social and business skills to promote and grow their enterprises.
How can well-intentioned but comparatively sleepy government agencies stay ahead of these formidable competitors?
State sponsors of criminal hacker groups
Often the strategic aim of state sponsors is not so much to launch specific attacks but rather to more generally degrade and disrupt the West, especially their main enemy, the United States. State sponsors do not care which side of any social conflict gets targeted with disinformation that inflames our citizenry, because provoking any dissension serves their larger purposes.
Hostile states can also benefit by directing more narrowly focused cyberattacks with plausible deniability, their fingerprints missing from the weapons they used. We are not children. We can pierce the veil and see they are acting as surrogates.
However, deniability is often not desired by hostile states, because they actually want their targets to know who attacked, which demonstrates their versatility and strength.
All these nefarious motivations are at work within the busy subterranean cyberthreat universe, a kind of parallel and invisible Matrix world.
This permissive worldwide gray zone cyber regime exists because our current cybersecurity posture is fundamentally toothless.
We are universally known to be constrained by our self-imposed passivity, our lopsided set of incoherent guidelines, denying our ability to meaningfully fight back. They laugh at our Department of Justice placing a few names on a Bad List and calling it a day. There’s no Sheriff in this Wild West town to set any limits.
Where the two worlds meet
Conventional cybersecurity specialists, whether in the private sector or in government, lead different lives and gather in different spaces. We participants at the Cipher Brief Conference and similar events are, shall we say, the decent folk who wear white hats and come together in the sunlight with our own kind, where we mainly talk about how, here and there, we proudly overcame our antagonists. Yes, it does happen now and then.
The other elements, the black hats, the hackers, the Zero Day players, and similar ilk, gather more openly than you would imagine, and meet around the world for their own conferences. We are talking about two very different cultures. Some white hat good guys attend these black hat world conferences to try to pick up what they can, clues that may strengthen their defensive efforts. Their guiding principle for showing up: Know your enemy. They meet the exploiters and study their intrusions, to hopefully protect their private sector clients or governments. At these conferences, they rub shoulders with the other types described who are in it for the big score with no concerns about constraints or repercussions. They’re in it for their fun and big paydays. Black hat hackers have a different moral compass: If I don’t build it, someone else will.
At these conferences, nobody knows anyone else’s full story. Picture the bar scene in Star Wars, where a motley group of strange looking menacing characters gathers, eyeing each other, sizing each other up, all aware no one is to be fully trusted. Now and then you hear about so-and-so who has accumulated numerous government sanctions or blocked visas. Not a problem. It’s almost a point of pride as to how many of these he’s racked up.
This is the party we need to crash.
Otherwise, given the current state of play in cybersecurity, how can we good guys ever prevail?
Three key concepts
Attribution has failed
Our habitual way of thinking about attribution has failed us. Attribution implies figuring out who the guilty party was who harmed us before we can feel justified taking retaliatory action to punish the offender. Our cultured assumptions about needing to be perfectly correct require us first to be absolutely certain about attribution. This longstanding mindset is at the heart of our legal justice system. I wouldn’t have it any other way. But in international affairs, especially in the gray ungoverned spaces of cyber where we face ruthless enemies who want to destroy us and everything we value, we’ve stretched our cherished attribution requirements too far.
We have overvalued attribution certainty. As an example of excessive rectitude, we’re all familiar with what often happens in large bureaucracies—paralysis through analysis. However, in real life, attribution certainty is frequently lacking. We’re forced to make decisions anyhow, as best we can, with limited or “fuzzy data.” In many challenging life situations, there is no option to avoid making decisions despite uncertainty. No decision is still a decision. Talk to any emergency room physician at three a.m.
Pulling back from absolute attribution certainty is often necessary for making survival-level decisions. While it’s not perfect, it’s better than paralysis through analysis when decisions must be made right now to deal with serious, even life-or-death threat situations.
Our adversaries are happy with our self-imposed limitations due to our ever-so-civilized mindsets related to attribution. As a matter of policy, our adversaries predictably deny responsibility for any intrusion anyhow—to the point of it being comedic.
We have to rethink attribution.
OODA Loop Lessons
Air Force Col. John Boyd invented the concept of the OODA Loop. OODA stands for Observe-Orient-Decide-Act. In a jet fighter dogfight, the pilot possessing the fastest cycle time between maneuvers will win. Let’s say you as the pilot think you have figured out your opponent’s current moves and intentions, so you can take proper advantage. Based on your assumptions, by the time you set up for the winning kill, if your opponent suddenly and unexpectedly shifts to an entirely different maneuver, you’re out of luck because you’ve already committed yourself to your outdated maneuver. If your opponent continues to rapidly cycle through his next maneuvers faster than you can adjust to them, you’re doomed to lose. Utilizing his OODA concepts, Col. Boyd famously didn’t lose a single one of his many simulated dogfights.
As things stand now with cybersecurity, we expend enormous time, energy and financial resources trying to block the latest intrusions we happen to detect. However, by the time we’ve caught on to them, our antagonists have already changed their attack vectors, rendering worthless our frantic and expensive defensive solutions. We’re always on the back foot. We’re the OODA loop losers. We’re One-Trick Ponies. We only know defense.
We can never keep up with antagonists who cycle faster. We are doomed to fail.
FAFO: Real-world deterrence
FAFO is an acronym that has appeared more and more frequently online. Do you know what it means? I didn’t until I googled it. The first F stands for the F Word. FAFO means F Around, Find Out. In other words, “Don’t F Around with me! Otherwise, soon enough, you’ll Find Out your consequences!”
FAFO is the ideal retaliation warning to employ because it leaves the exact nature of the retribution to the imagination of your antagonist. Ambiguity works best because your tormentor knows better than you do what is the worst retaliation they really don’t want to face. They’ll magnify their worry all on their own, better than you can, which is the essence of the best deterrence.
By the same token, your retaliatory action must be commensurate with your FAFO warning. The scale and timing of it must be carefully considered. If it’s insufficient, or if it takes too long, you lose credibility. In effect, you made an empty threat, you’re a bluffer, and now you’re in a worse position.
After an attack, being exquisitely proportional with your retaliation is better than nothing, but it can often lead to a drawn-out climb up the escalatory ladder. Better to counter with a disproportional punitive response so as to bring about a quick and decisive halt to the threat. Retaliation that is disproportionally large has its risks but sends a clearer message that you really meant what you said.
In the real world, in international affairs, in business, or in the school yard, FAFO rules. No need to always be liked. A little fear is useful. That’s why they give tests at school. Of course, every specific situation has its own complexity, nuances and subtle cultural features. The longer the back-and-forth exchanges go on, the more costs increase, with some costs not obvious at the outset. Therefore, getting it right also requires decent judgement. The sooner the exchanges end, the sooner all parties obtain relief.
In the ungoverned gray space of cybersecurity, from our side, the most important missing piece is FAFO.
Architecture of the current cyber threat scene
The architecture of the current cyber threat scene is similar to the illicit drug trade. They are both structured with many layers of control and distribution, too many to count. Targeting the lower levels, down to pushers on the street, is a fool’s errand. They are expendable and easily replaced. For any significant impact against a drug cartel, you have to take down the topmost layer, the kingpins.
Getting back to the cyber world, the evolving architecture, the merger of private criminal hacking groups and state actors may ironically simplify the problem. We know precisely where the topmost cyber threat level resides—inside the vaulted rooms of the topmost policymakers, the leaders of the four main hostile states. All that’s left is to figure out which tools we need to use to force hostile state leaders to throttle back their malign cyberattacks.
For authoritarian leaders to keep their populations under control, their national economies have to work well enough to sustain their overly ambitious and aggressive goals. If things do not go right, if implied promises of economic success are not maintained and life is actually getting worse, stability erodes. Control starts to wither, which is the key threat to these regimes. This dependency provides a useful target for weakening population confidence, forcing these leaders to pay attention and adjust their behavior. Otherwise, their population may rebel. This is the classic purpose of imposing sanctions. The problem with sanctions is that they can be worked around so easily by clever stratagems.
What tool remains? Economic pain.
Limiting responses to cyberattacks mainly to defensive measures has been a dismal failure for the reasons described. Defenses are hard to build, they do not stay effective for very long, and most of all, they do not bring pain to the perpetrators. The important missing element is pain. But this does not mean resorting to kinetic counterattacks. Painful economic measures are lower down the escalation ladder, but in many ways more effective than kinetic responses against authoritarian regimes.
If the right economic measures are chosen, they can disrupt the narratives of the subject country’s leaders because they reveal the regime’s fragility, powerlessness and vulnerability. These leaders correctly understand that their reputation depends on belief they possess supreme brilliance and infallibility. But if things are openly failing, the question that gets whispered throughout the country becomes: “How could this have happened with our perfect, glorious leader in power?” And more important: “What will happen to all of us now?”
Thought experiment: Example of an offensive cyber pushback
How can discovery of a dangerous code intrusion attack within our water supply infrastructure be handled?
Immediately upon its discovery, it would get called out and it would get attributed to the likeliest perpetrator, say, China. The next thing that would happen is the water supply of a mid-size Chinese city gets shut down by us. For 24 hours. A mosquito bite. Accompanied by this demand: “You have 24 hours to deactivate it, and remove your intrusive software from our water utilities. If you do so, we will turn your water supply back on. Don’t try anything cute by trying to intrude some other way into our water supply. We’ll find it. If that happens, next thing, you’ll be stung by a bee. Still not paying attention? Next thing, you’ll be gored by a rhinoceros…”
This story will make the news throughout China. Everyone will know their government was called out for a specific malign intrusion and soon after, things got very uncomfortable in the targeted Chinese city. But just for one day. This message was sent:
“We could have shut down your water supply for a week if we wanted to. Your government couldn’t protect you from that. But this time, we chose not to shut off your water for a week. Get the picture? We could have done worse. We could pick other targets. We could shut down other utilities, not just your water. You think you’re clever but you’re not as clever as you think you are. Here’s the deal: We’re not putting up with this kind of thing any more. We’re done.”
This is only one example of an imagined tool. There are many other comparable tools that could be used. Use your imagination.
Our big cybersecurity dilemma has to be addressed first at the level of our top policymakers. They need to give up exclusive reliance on defensive measures. They must become more realistic. Experience has shown that defensive measures alone don’t work well. They cost us too much, they’re overtaken by events quickly, they are a losing proposition. We need countermeasures that have teeth, that impose pain on those who attack us. That’s more like how things operate in the real world.
Pain must be experienced at the topmost level of our antagonists’ leadership because they are the ones controlling all the levels below. Preserving their regime is their number one priority. That’s more important to them than having fun harassing us with cybersecurity attacks from a distance. If we credibly threaten their regimes with economically painful measures that are disproportional, they will start to pay attention.
Towards a new cybersecurity strategic mindset
I am writing this article as a wake-up call. I am advocating for a rethink of our whole strategic approach to cybersecurity. Staying the present course amounts to “Whack-A-Mole forever.” Isn’t it time to acknowledge the truth that our current strategy is a programmed failure? Diplomacy has not worked. Placing a few names on the Department of Justice Wanted List is only providing short-term amusement to the Chinese. Appealing to the better nature of our adversaries is an exercise in futility. For us, it has become a death of a thousand cuts.
Our current cybersecurity situation, left unchanged, dooms us to lose ever more ground. Given our present course, we are constrained by overreliance on perfect attribution and our reputation for abiding by rules the bad guys ignore with impunity. Let’s take off the gloves. Let’s quit fighting with one hand tied behind our backs.
Forever turning the other cheek will not work given the present status of the ungoverned domain of cybersecurity. Always taking the high road, turning the other cheek, makes for great theology, but not for survival in our jungle world. We must stiffen our spines.
We seem to be aware of these points in other domains of conflict, such as in maritime affairs. We seem to be OK with the U.S. Navy sending missions into the South China Sea for freedom of navigation cruises. Why not in cyberspace?
Let these kinds of offensive actions be our warning shots across the bow.
Let’s open up the debate. Let’s initiate free discussion of these issues and toss around ideas with more latitude to employ offensive measures, not just defensive measures. Both measures are needed in a proper balance. I trust we have enough smart people with smart ideas so we can come up with workable, real-world tools and strategies to achieve what we all want—cybersecurity success instead of failure.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.