OPINION — As America nears the home stretch of the 2024 election, the sound and fury of political discourse has obscured a national security matter that should be at the top of the next administration’s agenda.
As a former Department of Defense (DoD) counterterrorism intelligence officer, I have watched with concern the sharp increase in cyber breaches of U.S. critical infrastructure by nation-state actors. The Chinese and Russian governments are actively targeting energy, telecom, information technology, and water utility sectors with objectives that reach beyond cyberespionage. Investigations of these incidents have shown that these governments are pre-positioning cyber weapons within these networks with the intent of launching devastating attacks capable of threatening civilian lives.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) officials have warned that the Chinese compromise of civilian critical infrastructure has permanently altered the cyber threat landscape. In April, FBI Director Christopher Wray characterized this activity as a “broad and unrelenting” threat to U.S. security. This clear and present danger deserves greater attention given that many critical infrastructure organizations are modestly sized, poorly resourced, state-and-local institutions whose meager cyber defenses are outmatched by nation states.
Unfortunately, the U.S. presently lacks strategies and policies for responding to these threats.
A vulnerable private sector
From my time supporting the DoD, I am familiar with government response planning for physical attacks on the U.S. The concept of retaliation as deterrence is central to geopolitical sovereignty. Would the U.S. not openly retaliate in the event of a planted cyber bomb, no matter the ultimate intent of the cyberattack?
In response to attacks on the healthcare sector, the 2021 Colonial Pipeline breach, and other potentially life-threatening vulnerabilities caused by compromised passwords, government guidance now emphasizes using complex, unique passwords.
But the private sector needs more from the U.S. government than regulations and recommendations. The next administration must clearly state that civilian critical infrastructure is under its protection, and that continued targeting of these organizations will be met with overt responses.
Drawing red lines on critical infrastructure attacks
Following a spate of high-profile intellectual property thefts, then-U.S. President Barack Obama pushed for more active U.S. responses to these breaches. In 2015, Obama and Chinese President Xi Jinping announced an agreement to refrain from such attacks. The agreement led to a two-year decrease in Chinese cyber theft of U.S. corporate data.
The U.S. has also drawn red lines on the placement of weapons of mass destruction within America’s geographic sphere of influence, most notably during the 1962 Cuban Missile Crisis. Cyber weapons are of course not nuclear weapons, but today’s cyber infiltrations within our infrastructure constitute the military preparation of a future operational environment. They are aimed at mass disruption and destruction, pure and simple.
The keys to successful cyber deterrence would be clear red lines for unacceptable cyber transgressions, assured retribution, and a general consequence model that would be followed without exception.
Deterrence – backed by rules and norms
The next administration must go beyond the all-too-common practice of “naming and shaming” cyber actors to utilizing the so-called DIME tools of statecraft, including diplomatic, information, military, and economic measures.
Diplomatic measures could start with Cold War-style persona non grata declarations, ejecting known foreign intelligence operatives and diplomats and then the closing of entire consulates and other diplomatic facilities.
Information measures would go beyond the joint U.S.-allied disclosure of forensic evidence of cyberattacks. To bring international outrage upon cyber adversaries and rally new allies to deterrence efforts, these measures must include more timely attack data and clear assessments of these operations’ impacts to human life should they ever be fully enacted.
In lieu of kinetic military measures, cyber responses could range from in-kind responses to escalation. As Ben Buchanan outlines in his superb book The Hacker and The State, these responses would be carefully calibrated to differentiate “signaling” cyber actions that send a message from “shaping” cyber actions that could provoke an escalation of hostilities and inadvertently spiral into the kinetic realm.
Economic measures could include sanctions against particularly egregious offenders. Former U.S. government official Richard A. Clarke has proposed sanctions on adversaries’ energy and financial sectors and embargoes restricting access to technologies used in cyber operations.
International agreements are critical in these efforts because they could clearly define red lines and acceptable rules and norms for cyber operations. The Tallinn Manual, initially published following the 2007 Russian attacks on Estonia, seeks to apply existing international laws to cyber warfare. NATO has acknowledged that a serious cyberattack could justify triggering an Article 5 “attack on one is an attack on all” action. Unfortunately, the alliance leaves the determination of that threshold to each member government.
These and other proposed frameworks lack strongly defined, binding rules and norms with the weight to seriously deter U.S. adversaries. This must be remedied with an alliance of like-minded nations, a consensus around such rules and norms, and the collective members’ weight as signatories committed to enforcing a new status quo.
The start of a conversation
A clear and overt policy of U.S. government retribution on behalf of the private sector would be no small shift, but the stakes of cyber warfare have now moved well beyond espionage and military system disruptions to putting American citizens at risk of physical harm.
Regardless of which party takes the White House in 2025, the next U.S. president must draw the necessary red lines of deterrence, and Congress must stand with the administration shoulder to shoulder.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.