Editor's Note: This security-focused assessment is one of many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.
The administration of U.S. President Donald Trump released its National Cyber Strategy on Sept. 20, which most notably indicated a greater willingness than before to conduct offensive cyber operations against adversaries. Discussing the strategy, national security adviser John Bolton hinted that the administration had already taken steps to bolster offensive efforts in recent weeks, warning that the United States is no longer just playing defense when it comes to cybersecurity. But despite the Trump administration's more hawkish tone, it will continue to rely mainly on traditional measures such as the legal process, regulations and cooperation with the private sector.
A More Aggressive Policy
In introducing the new National Cyber Strategy, Bolton also confirmed a Wall Street Journal article from August which reported that Trump had rescinded former U.S. President Barack Obama's guidance on conducting cyber activities, replacing it with a policy that gives more authority to the U.S. Cyber Command. Former National Security Agency contractor Edward Snowden leaked the previous guidance, Presidential Policy Directive 20 of October 2012. He sought to expose how the U.S. government was considering offensive cyber operations, defined as those that could cause physical harm or major property damage. The old guidance made clear that such drastic measures should be taken only as a last resort and with the express permission of the president. Presidential Policy Directive 20 also emphasized that cyber operations should follow the interagency process in order to coordinate the response and ensure a "whole-of-government" approach.
While we do know that Trump issued National Security Presidential Memorandum 13 (ostensibly covering cybersecurity policy) around the same time that he rescinded Presidential Policy Directive 20, likely laying out the new policy, the contents of the new memo remain classified. But though a side-by-side comparison of the two policies is not possible, Bolton's statements regarding the new policy clearly suggest it takes a more aggressive approach.
Little precedent exists for assessing offensive U.S. cyber capabilities. The Stuxnet attack on Iran's nuclear program is one of the few true offensive cyberattacks attributed to the United States, and it is available for analysis only because of a mistake in its execution. Stuxnet was designed to look like an internal technical failure instead of a cyberattack, and it was discovered only because it spread more rapidly than intended.
Clandestine, discreet attacks are certainly already key elements of U.S. cyber tactics. There have likely been more U.S.-launched attacks that have not come to light, perhaps because they were never recognized as cyberattacks. While the less that is known about U.S. cyber capabilities, the more effective they will be when deployed, that same secrecy by definition limits their deterrence value.
Traditional Approaches Likely to Remain Dominant
Despite Bolton's implication that offensive operations will form a greater share of the U.S. cybersecurity mix, regulation, cooperation with the private sector and the legal process will still account for the bulk of the mix. For example, regulatory bodies like the U.S. Securities and Exchange Commission can punish (or threaten to punish) firms that do not implement best cybersecurity practices and therefore leave themselves vulnerable to external attack. Government cooperation with the private sector, meanwhile, was on display in recent cases like the September indictment of North Korean cyber operatives, which displayed heavy FBI reliance on private security firms such as Mandiant and Alphabet to collect technical evidence and carry out investigations. Finally, prosecution through the traditional legal process will remain the preferred response to cyberattacks in the United States. Of course, this approach will continue to work better on the domestic front, where U.S. law enforcement agencies have the advantage of jurisdiction.
But when it comes to punishing foreign cyber intrusions, the three tools listed above are much weaker. Certainly, federal law enforcement agencies can continue to indict individuals and groups associated with foreign cyberthreats, but the chances they will ever see a U.S. courtroom are slim.
Indictments against foreign government officials for cyberattacks go back to 2014 when the Department of Justice accused the People's Liberation Army Unit 61398 of engaging in cyberattacks against the United States. Dozens of other investigations have uncovered efforts by foreign governments to gain access to critical U.S. networks. So far in 2018 alone, major indictments have been made against North Koreans, Iranians and 13 Russian individuals directly involved in the campaign to disrupt the 2016 U.S. presidential election. While such investigations are helpful for naming and shaming foreign cyberthreats, they rarely stop them. And this is where the appeal of offensive cyber operations comes into play.
Obstacles to Offensive Cyber Operations
The limitations on the traditional U.S. methods of maintaining cybersecurity can increase the appeal of more aggressive cyber operations to those in charge of U.S. national security. The individuals and groups targeted with U.S. indictments for cyberattacks are primary candidates for the administration's more aggressive cyber policies. Judging by the details available in the latest criminal complaint against North Korean hackers, for example, U.S. investigators were able to piece together a very detailed picture of the networks that targeted Sony Pictures and Bangladesh Bank.
Whereas the U.S. government used that intelligence to name and shame in an indictment, a more offensive-minded administration could use the same intelligence to infiltrate the hostile network and sabotage the group's work. Any such operations would be quiet, and attempts would be made to hide the origin of the attack. A U.S. response on a par with Iranian or North Korean cyber operations is unlikely, if for no other reason than that so public a response would reduce the effectiveness of similar future U.S. attacks.
As Erica Borghard and Shawn Lonergan point out in an article published last month by the Council on Foreign Relations, an offensive U.S. response would not necessarily be immediate. Offensive cyber actions represent carefully cultivated operations involving intensive and tedious intelligence work that requires gaining access to foreign devices and servers, monitoring activity and assessing vulnerabilities to exploit. Sometimes, the tailor-made exploit can be used only once because, to use the Stuxnet example, once the vulnerability has been identified, software developers around the world develop patches that render the weapon useless for future attacks against all but the most vulnerable devices.
Borghard and Lonergan also point out that cyber responses are limited in their destructive power. A best-case scenario for a cyberattack would be disabling computer systems and networks being used against U.S. interests to prevent an attack from happening, or to disrupt an attack that is underway. While this is better than nothing, it still leaves the individuals behind the operation free to learn from their mistakes and mount another attack. While using cyber operations against known threats in conjunction with indictments that name and shame perpetrators — along with specific details on how they carried out their alleged crimes — would certainly make it harder for individuals to reuse the same infrastructure for a future attack, regeneration is always possible, especially with state support.
Perhaps the main challenge to U.S. engagement in tit-for-tat cyberattacks is that the United States is by far the biggest target for such attacks. The number of IPv4 addresses — the standard for identifying unique devices connected to the internet — shows that the United States accounts for over one-third of all the world's connected devices. China, the runner-up, has just one-quarter of the unique IP addresses that the United States has, while Russia, Iran and North Korea are tiny by comparison. The U.S. reliance on and integration with cyberspace simply makes the United States a bigger, and potentially more vulnerable, target.