October is National Cyber Security Awareness Month and The Cipher Brief is pulling together a Cyber Advisory Task Force made up of public and private sector professionals who are coming together to help create a blueprint that will address critical and emerging cyber threats.
Our goal is to help educate the public, bring together differing views and leverage the difference in experience to produce credible frameworks from which we can develop options for addressing future threats.
We wanted to share the notes from our inaugural meeting. It took place last week, in our Georgetown Headquarters, as we gathered together a group of 15 experts, some of whom have led intelligence agencies and others who have been at the cutting edge of companies working to develop technologies that will help both governments and private businesses defend against cyber attacks.
We’d like to thank our participants and guests and extend a special thank you to General Michael Hayden, who moderated our discussion.
Let’s get to the summary. We’ve left out specific attribution in the hopes of focusing solely on the issues, but we welcome your feedback about what you’d like to see in future summaries to help keep the conversation moving forward.
Introduction: In cyberspace, there are three categories of actors: nation states, criminal gangs, and the unhappy. The lines between state actors and non-state actors are blurring, in part because nation states hire proxies to do their bidding, often tasking mercenaries with carrying out their objectives, and these actors have no boundaries.
Take the latest breach of the Democratic National Committee, and the statement by the Obama Administration that they “believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”
Three major themes dominated the exclusive roundtable: the challenges that come with attribution, the role of state power politics, and the paradigm shift in the responsibilities of both the government and the private sector.
Topic: Is Attribution Really a Problem?
Who is attacking you? The answer to this question can determine the response. And the ability to prove the answer – the art of attribution – is often difficult. The question of ‘intent’ also has to be addressed in order to validate a response. Even governments, which have the intelligence capabilities and resources to commit to attribution, do not often directly attribute an attack to a nation state, in part because intent and response are important aspects of the overall equation.
Attribution has never been a problem, according to one of our participants. Instead, what’s missing is the political will to act on the information. It’s not a question of not knowing – it’s a question of not acting, in his view.
But another participant argues that knowing is not enough to dictate action. There has to be enough proof to convince others beyond a reasonable doubt that the attribution has been correctly assigned before there is a will to implement a response. Think of a United Nations for cyber. Is that what is needed in order to collect enough support to absorb the consequences of a counter attack?
Another participant does not believe this is the reason the U.S. Government doesn’t act; rather, it is the unintended consequences and potential for escalation that inhibit a response to other nation states.
According to a former counterintelligence official seated at the table, attribution is also a problem for intelligence, not just in cyber.
The hardest part of assigning attribution is “the last mile”, just as it is in the physical space. For example, experts can say the GRU attacked the Democratic National Committee, but connecting the action directly to Russian President Vladimir Putin himself would require specific intelligence and information that is incredibly difficult to obtain. At the same time, our participants pointed out that this can be determined based on the same processes the intelligence community uses for non-cyber issues: if it is known that in country x, say Russia, the intelligence agencies do not act without approval from the very top levels of government, then, based on U.S. intelligence, an attack attributed to the GRU is likely to have been approved at the highest levels.
Topic: Traditional Nation-state Power Politics Still in Play
Once attribution is made, what responses are available to the victim of a nation-state cyber attack? Our roundtable spoke extensively about the role that traditional state power politics plays in the cyber realm. After all, cyber is merely a tool – or weapon – being used by the same actors we are used to in other, more standard realms of international security.
In the words of a leading cybersecurity professional, “we don’t have a cyber problem, we have a Russia problem.” He pointed out that the U.S. ability to respond to a cyber attack is hampered by Washington’s unwillingness to jeopardize its relationships with specific countries. The nation states involved are helped – and hindered – by the same power dynamics in play in the non-cyber realm.
China is an example – the People’s Republic is currently trying to “regularize” its cyber actors, because of the threat to its economy posed by increasing financial sanctions – themselves a response to hacking.
But we do, of course, have a cyber problem when it comes to both the U.S. public and private sectors. Overall, the participants agreed that the U.S. must get its act together in both building more defensible systems and then providing better defense.
So in the “ungoverned space” of cyber, state power politics are still in play, but unlike the world of armed conflict, there are no ‘rules of the road’ here and the use of cyber by nation states isn’t going away.
Looking forward, large-scale attacks such as those executed against Sony, the DNC, or OPM may no longer be actions that only nation-states can accomplish. The Yahoo hack was one of the largest hacks to date and was carried out by criminals. The mercenary space is growing and becoming more impactful with the level of attacks. The problem is compounded by the fact that, when mercenaries are at play, there are no “rules of the road” or mutually agreed upon system of actions and consequences. In short, a lack of consequences has consequences.
Topic: The Changing Roles of Government and Industry: the Public-Private Partnership
This led the conversation to the question of proper response to a major cyber attack – who is responsible for responding, and what is the relationship between the public and private sector?
So who delivers the cyber equivalent of a drone strike and what does that look like? According to our experts, this is where attribution becomes key – attribution information is used to both justify the response and to ensure it is proportional.
But if the government is to be the leader in the response to a cyber attack, which government model do we apply? The model of law enforcement, armed conflict, first responders, or the CDC? Or do we need a new model?
Or, our panelists asked, is it possible that in cyberspace, the government will not be the main actor in defending individuals and U.S. based businesses? Would there be value in inverting the traditional roles of support and leadership between the government and the private sector from the current armed conflict model?
Traditionally, private industry builds national security tools and the government executes using those tools. But currently, private companies are bearing the national security costs of their countries when they fall victim to the actions of another nation state.
Cyber is an instrument of state power, and it is being used against the U.S. private sector. But should individuals or companies have to defend themselves against entities with the power and resources of nation-states? When the experts project out over what we will be facing in the next five years and the development of the Internet of Things and the cascading effects of that, companies will most certainly need to do more to defend themselves.
And if you think businesses can rely on a traditional catastrophic risk insurance model, it’s important to note that it doesn’t include a cyber component because there is no government backstop similar to the Terrorism Reinsurance Act.
What’s more, are companies even doing the basics to protect themselves from cyber attack? According to our experts, companies need to be doing a better job of raising the basic cost to hackers – the way a locked car or a house with an alarm system pushes a thief to try an easier target.
Companies also should re-think what hackers might find valuable – which will frame how they protect those targets. Perhaps the real value in information sharing is not public-private, but rather among private sector companies on best practices and shared cyber threats. The real value is in sharing actionable intelligence, which means understanding context. That requires the government to share more classified context and companies need to share more as well. Today, a ridiculously small number of companies share back data with the Department of Homeland Security. It’s a serious issue that needs to be addressed.
NEXT STEPS: The Cipher Brief is working with a wide variety of experts to craft a cyber blueprint that will help address the critical issues of:
- Attribution and context
- Creating a new response model for cyber attacks
- Building an information sharing system that is trusted and effective
If you’re interested in either participating in or sponsoring future Task Force Sessions, please contact us at feedback@thecipherbrief.com.
We’d like to thank our sponsor, Raytheon, for their generous support of our inaugural conversation and for their commitment to help find solutions to current and emerging cyber threats.