Thinking the unthinkable about responding to cyberattacks

My op-ed in the Washington Post

|The Volokh Conspiracy |

We need better, more aggressive options to deter cyberattacks, since the ones we've come up with so far are clearly not deterring our adversaries. I would like to inspire more ambition, aggressiveness, and creativity in the American response. As the first stage in that effort, here's an op-ed I published today in the Washington Post:

The United States may have pioneered the idea of fighting wars in cyberspace, but it's our adversaries who are using cyberattacks most effectively. To deter them, the country needs creative new ways to punish nations if they launch the devastating attacks that are within their grasp.

The need for options to strike back at cyber-aggressors is obvious — and urgent. Despite the sanctions and indictments provoked by Russia's attack on the 2016 U.S. presidential election, Russian President Vladimir Putin is doubling down on cyber-intrusions. In recent months, Microsoft reported that Russia was trying to infiltrate the computer networks of multiple congressional campaigns.

Worse, the Department of Homeland Security says Russia is making a major push to infiltrate U.S. power-plant control rooms.

The only debate is over Putin's intent: Is he planning to shut off power in the United States, as he is accused of doing in Ukraine in December 2016, or does he simply want to show that he can do so whenever he wants?

Other adversaries are also delighting in cyberweapons' leveling effect. U.S. intelligence agencies believe that China is cheating on its Obama-era pledge not to engage in commercial cyberespionage. North Korea has dramatically improved its capabilities, moving its best hackers to China and other countries where Internet service is better, and using them to steal from banks, as well as to threaten the United States. And Iran, which wielded its willingness to attack U.S. corporations, banks and even dams as leverage in nuclear arms talks, remains one of the most active of all the nation-state hackers followed by the cybersecurity firm FireEye. No wonder Director of National Intelligence Daniel Coats recently said of these cyberthreats: "The warning lights are blinking red again."

U.S. officials have often said the United States has unrivaled offensive cybercapabilities. Why hasn't that deterred anyone? It's simple. The United States is so reliant on computer networks that we're afraid to launch a tit-for-tat exchange in cyberspace. It was true during the Obama administration and remains true today. As Army Lt. Gen. Paul Nakasone said during his confirmation hearing in March to be the nation's top cyberwarrior, our adversaries "don't fear us."

Instead, they're gradually upping the ante, looking to impose as much pain as possible without triggering serious consequences. The longer we go without an effective response, the more pain we'll suffer. And if we wait until enemy hackers manage to kill lots of Americans, as they could, we risk a U.S. response so sudden and harsh that it sparks a war.

The country has tried "naming and shaming" attackers by indicting government-sponsored hackers from China, Iran and Russia. That's fine, but the United States is unlikely ever to arrest those hackers, and, over time, attribution without retribution just advertises weakness. Sanctions have more bite and should still be employed, but their impact is delayed, hard to target and clearly insufficient. These inadequate options are about all the interagency process has coughed up.

We need to get tougher and more inventive. In the hope of inspiring others' imagination, I offer a few options that belong in the U.S. tool kit:

?The next time North Korea uses its cadre of expatriate hackers in Kenya, Mozambique and other countries to attack the United States, we should demand that the host government expel the hackers. If officials don't comply, U.S. Special Operations forces have plenty of experience taking action in countries that are unable or unwilling to stop terrorists operating from their soil; they could be sent in to seize the buildings, probably hotels, being used by the cyberattacks and take the hackers into custody.

? Russia has allegedly loaded U.S. electrical control systems with tools that could shut down the grid. Putin's threat is clear, but two can play that game. It's possible to build electromagnetic pulse weapons the size of a large copy machine that can fry electronics for a few miles around. Why not install several such weapons in high-rise office spaces around Moscow, including a few places where they'll be found? Like with Putin's implants in our grid, he'll never be sure he has found them all, and there's no need to use them — unless Putin uses his.

? Iran has shown a willingness to use malware that leaves victim networks irretrievably damaged. If Iran did that to U.S. systems, Iran's remarkably vulnerable offshore oil platforms would be good targets for payback, from simple interruption of gas flows to complete destruction of as many platforms as are necessary to end or deter an attack.

These options may seem extreme; they were once unthinkable. But, frankly, so was Russia's playing a major role in a U.S. presidential campaign. If we don't want to suffer more extreme injuries at the hands of our adversaries, we need a few unthinkable responses of our own.

NEXT: 15 Times Trump Hit a 'Turning Point' Before Yesterday's Cohen Revelations

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. The United States may have pioneered the idea of fighting wars in cyberspace, but it’s our adversaries who are using cyberattacks most effectively.

    Question, how do you know this to be true? Please provide us with documentation that US cyberattacks against adversaries have not been more successful?

    1. This article does seem to sort of blithely presume that we don’t have malware in Russian power plants.

      1. It’s Stewart Baker. Its just assumed he has absolutely no idea what he is talking about and just speaking out of his ass.

        (some of us actually work in the infosec industry and insulted by the guy)

  2. Creating deterrence is a good idea, but I’m skeptical that any of these options substantively further that goal in a way that is proportionate to the risks incurred.

    All three proposals represent significant escalations. Given their overtness, all are likely to be used against the US by enemy propaganda (admittedly a sometimes overplayed concern). Further the first two include the dangerous possibility of the capture of US personnel. Then there’s the secondary and tertiary political effects.

    On the whole a proportionate response is probably better for the moment (and likely many actions toward that end have already been undertaken), but it is true we can only mirror our opponents so far.

    1. The whole concept of “proportionate response” has never made any sense to me. From the perspective of deterrence, the promise of a “proportionate response” doesn’t deter any aggressor who might deem such a response worth it. If you really want to deter aggression, promise an unknown and DISproportionate response. If the aggressor has no idea just what the response will be, only that it will be disproportionate and highly damaging, calculations of “will it be worth it” become much more difficult, and significantly increase the risk of firing the first shot, so to speak. Maybe just announcing the new policy of “disproportionate and devestating response” will have the desired deterrence effect. Maybe it is necessary to give a demonstration – the cyberattack equivalent of dropping a nuclear bomb on Hiroshima, as it were. But let’s just give up on the whole concept of “proportionate response.” It is the policy equivalent of unilateral disarmament.

      1. From the perspective of deterrence, the promise of a “proportionate response” doesn’t deter any aggressor who might deem such a response worth it.

        This is true, if they are willing to accept consequence X and you are not then you need to respond asymmetrically, at which point proportionality becomes harder to judge. That said a mutual extortion strategy situation is generally more stable if the things of value being threatened are of roughly equal (perceived) value to each of the parties involved.

        Stability aside, a more fundamental problem with ‘disproportionate and devastating’ is that threats have to be credible to be effective. We could threaten to nuke Tehran if Iran does not immediately cease all cyber operations against us, but no one will take this seriously so it is ineffective.

        The question then becomes where do you have that credibility, or what legal/ethical lines you are willing to cross in a demonstration to create it.

        This isn’t to say that stability is always desirable (in the long term you do want to minimize the threat, and will seek to shift the equilibrium in that direction) but I think a degree of caution is warranted under the circumstances.

        1. Of course, if we followed up and actually nuked Tehran, the next bad guy would have to take us seriously.

        2. Note that I did not suggest an ACTUAL nuclear attack, just the cyberwar equivalent. For example, if, in response to a cyberattack from Iranian hackers, we attacked the Iran State Bank with a cyberattack that completely destroyed its data files and its capacity to send or receive any funds transferred, essentially freezing and throwing into chaos the Iranian economy, there need not be any immediate human casualties, but the ability of Iran’s political leaders to govern would be severely tested.

          1. AND, if we were to stage such a counterattack on the Iran State Bank, causing economic chaos and massive anti-government protests, Russia, China, and North Korea would undoubtedly rethink any plans for cyber attacks.

          2. I went with an actual attack both as an extreme example (in the best traditions of dialectic), and because if we are going select a ‘disproportionate and devastating’ option why mirror their cyber move with one of our own when a less proportionate response obviously suggests itself from your phraseology, but I digress.

            In response to your above suggestion we need to consider the following

            How likely is escalation to follow (not just by the US or Iran but in general)?

            What is the risk of a wider conflict, particularly if China or Russia lends assets to help Iran sub silento where attribution is difficult?

            What countries will support us in this operation? oppose?

            Who has more to lose in the long run from a crippling series of attacks on worldwide information technology systems?

            What does our desired end-state look like, what resource expenditure (both in terms of actual expenditures and foregone opportunities) will be needed to achieve this?

            Assuming wider conflict is avoided in the short term what do we do when say China or Russia undertakes a similar action (crippling cyber-attack) against a minor nation in Asia, Africa, or Latin America, using the justification we just gave? Do those considerations change if the country generally supports us?

            How does this precedent play into the long game in general?

            I could on, a lot of this comes down to risk tolerance, there are many possible paths not all of them look very inviting.

      2. Yea, I thought “proportionality” was judged against the end goal, not the enemy’s actions e.g., you can’t nuke a city to kill a single sniper, but you can send 100 marines to kill him.

  3. “U.S. officials have often said the United States has unrivaled offensive cybercapabilities. Why hasn’t that deterred anyone?”

    Nothing says we have fight with like weapons.

    We can use (and do use) our immense economic and diplomatic powers.

    We can also use our enormous economic size to minimize the affect of attacks.

    Also, tit-for-tat reprisals will never fix the problem.

  4. Do whatever we want but just deny it no matter how obscene and obvious it is. That’s what everybody else does…

    1. Rare that I agree with Amos, but here . . . um, yep.

  5. I didn’t realize this was sarcasm until he stated that Russia played a MAJOR role in a U.S. Presidential campaign.

    1. On a second look, I guess I should have noticed that he wrote in the Washington Post.

    2. They affected it by telling the truth…how dare they.

      1. LMAO.
        Thanx Amos, I needed a good laugh.

  6. Leaving such devices where they’ll be found may have some PsyOps value, but it also facilitates our adversaries’ efforts to reverse engineer those units.

    1. Not to hard to create devices with key parts missing. We could also insinuate that all our embassies and consulates have fully functional devices.

  7. Whenever a new agency of conflict and destruction comes along, it’s wise, before deploying it, to ask, what are the relative vulnerabilities? If use of this agency becomes general, does my side have more at stake, and more to lose, than the other side does? If my side does have more to lose, think long and hard before advancing and normalizing the use of any such agency.

    The problem, which seems to be making Stewart Baker itch, is that owning a preponderance of power is a good thing, but not in any way equivalent to being all-powerful. That can mean that sometimes, despite a preponderance of power, wisdom will nevertheless choose restraint, even in the face of notable annoyance.

  8. (1/4) As someone who has worked in IT security for over two decades, all I can say is “Holy shit this is stupid.” Not just garden-variety stupid (which we see in political punditry all the time), but deeply and dangerously stupid. I’ll go through a few of the top reasons:

    1. (2/4)
      1) It’s almost impossible to know with reasonable certainty who the attacker was. Boris and Natasha don’t launch attacks directly from the computers at their Kremlin office desks where we can just trace it back. They’ll hack a computer at a school in Pakistan, and then from there access a botnet they leased access to and connect from a little old lady’s Windows XP machine in London, and then bounce through a few other places. It’s bordering on fantasy to believe that these are traced back to the source with any degree of accuracy. Besides geolocation, investigators look at code fingerprints and other technical bits involving how the attacks were carried out – but these are all spoofable. None of the agencies investigating these attacks have anywhere near the competence or capabilities you see in movies and TV shows. Blame for attacks involves a lot of guesswork and circumstantial evidence. If the attackers are extremely sloppy (script kiddies) then you might be able to point a definitive finger, but stuff done at the nation-state level is fairly well obfuscated. All of the blame that gets laid by various government agencies should be taken with a dump-truck full of salt. That’s not to say they’re always wrong but I wouldn’t even bet a small civil suit on their analysis, let alone a retaliation that might be considered an act of war. Heck, these agencies can’t even secure their own networks and systems, as insiders and criminal hackers have proven over and over again.

      1. (3/4)
        2) It’s bottom-feeding blame-shifting. It’s the system owner’s responsibility to make sure that all aspects of a system – especially security – are appropriate to the task at hand. It’s nice to be able to do things with computers and it’s certainly often far more convenient and efficient to do things with computers – but that doesn’t mean everything should be done with computers. Computer security is, in general, almost a compete oxymoron. With a lot of high-quality effort you can make things difficult and / or expensive for attackers, but you cannot make intrusion impossible. The key is “a lot of high-quality effort,” and this is something virtually never seen in government-run computer systems. Quite the opposite: it’s difficult to find any effort whatsoever, to the point where it’s not hard to imagine these systems being designed by the potential attackers themselves to make breaking in a complete laugh. You think I’m kidding? Lately at DefCon Vegas (one of the biggest hacker/security conferences) they’ve had areas where people can try breaking into election equipment and reporting web sites. That the voting machines will be absolutely eviscerated each time can be taken as a given, but this year the election web site hacking was considered so easy that they limited participation to children only – in one case a site’s security was defeated in ten minutes by an 11-year-old. Link: https://bit.ly/2N72IBi

        1. (4/4)
          I’m not trying to excuse bad behavior by nation-states (even though the US has no room to throw stones), but it’s like leaving the doors and windows to your house open when you live in a neighborhood full of crack houses. No, people should not take advantage of this. It does not excuse them. But you’re still a stupid asshole if you live in a neighborhood full of crack houses and then scream and complain when people take your unsecured stuff. There are no good neighborhoods on the Internet. Plan, design, implement, test, and maintain accordingly.

          1. “I’m not trying to excuse bad behavior by nation-states”

            I’m not even sure much of this is really “bad behavior.” As a general matter, spying probably reduces uncertainty, and thus, mistakes. Computer hacking is just a special case of that.

          2. To the degree that the Ron White maxim, “You can’t fix stupid,” is true, then our disproportionate over-reliance on virtually unprotected computer control systems for our critical infrastructure leaves us with our heads crammed irretrievably up our collective ass.

            We’re so fucked.

            On the other hand, the rest of the world would do well remember what happened after Pearl Harbor.

      2. You have no idea what you are talking about. It’s almost as if the people that have billion dollar budgets and staffs of tens of thousands have thought of everything you’ve mentioned – decades ago – and learned to deal with it.

        While you do have points about the responsibility of people to secure their own systems, your ranting about things you don’t understand obscures some otherwise good points.
        Although, your website ‘hack’ at DefCon is a very bad example; it’s a horrible exaggeration of contest designed to be accessible to children.

        Remove post #2 entire, and rewrite #3, and you could have a good and insightful post! Care to try again?

        1. But muh resources! Ironically, your argument would be better if it was a few hundred people and a few hundred million dollars. Anything bigger than that is just another fucked up government bureaucracy, no matter what the Tom Clancy novels say – back-biting, ass-covering, turf-hoarding, etc. There are some very bright and dedicated people there and while they may have found a smoking gun – I doubt it, but let’s go ahead and assume it’s the case – how would you know they really did instead of the usual “pile up whatever information we can scrounge up, no matter how awful, that points to the answer that pleases the people in charge?” You know, the way you “find” weapons of mass destruction in Iraq? Because that’s what giant government bureaucracies do.

  9. I have no basis to argue with any of your points. But, if we accept as true the points you made in Post 2/4 regarding the difficulty of attribution, then we also must believe that the U.S. Intelligence community was doing nothing more than guessing when it attributed to Russia the leaks of DNC emails and interference in the 2016 election.

    1. “we also must believe that the U.S. Intelligence community was doing nothing more than guessing…”

      Technically, aren’t we trusting some Ukrainian IT company for that conclusion? Or am I getting my scandals mixed up?

    2. (1/2)
      Well, here’s the thing. You do your forensics, backtrace things as best you can, and you have a pile of evidence – any bit or all of which could be red (pun intended) herrings. So, assuming you found everything (and that’s an awfully big assumption), you can look at your evidence from this angle or that angle and come up with all sorts of plausible scenarios. But to say that an answer was found with certainty is to say that the opposition royally screwed up their tradecraft somewhere, which I find to be unlikely in a country full of people seemingly genetically engineered for computer science and run by a former spook. There is absolutely motive and opportunity. I wouldn’t put the idea past Putin for an instant, but in the current foreign relations climate you could say that about just about every other country on the planet (even including Canada, sadly enough). Heck, I wouldn’t put it past our own government these days, and I’m the type to throw around the word “conspiritard” quite a bit.

      1. (2/2)
        Start with that notion – that much of this is just a judgement call – and then consider that the parties fingered are almost without exception the international boogieman (boogieperson? boogieperson of color? I’m on another list now…) du jour. It still could be correct, but golly-gee-willikers that is just one heck of a pile of coincidences. Kind of like the Kaspersky drama recently. It’s certainly possible that Eugene Kaspersky is secretly in bed with Putin or was offered an opportunity to maintain a low-Polonium diet if he cooperated, but… that was all fairly unsubtle work by some very bright people, and gee, wasn’t it Kaspersky Labs that fingered the NSA for the Stuxnet worm several years ago that screwed up and did about half a billion dollar’s worth of collateral damage (the US could have denied it for the same reasons outlined, but instead took the high road and gloated about it). So “we need to hate Russians” + giant NSA axe to grind = well, maybe they did and maybe they didn’t. But I’m dubious.

        It’s all a hall of mirrors, and it’s difficult – at least for me – to buy the certainty levels invoked, especially when considering the convenience of who is being accused. I could be wrong, but I doubt it.

  10. People once made fun of right-wing chickenhawks by evoking the “82nd Chairborne Division” or the “Fighting Keyboarders.” Some people seem to have taken those jabs the wrong way.

  11. “Iran has shown a willingness to use malware that leaves victim networks irretrievably damaged.”

    Right! Like worms that actually damage industrial equipment?

    https://en.wikipedia.org/wiki/Stuxnet

    1. If it’s remotely possible for software to drive hard ware to exceed operational specs to the point of mechanical / electrical failure, whoever designed your hardware is an idiot.

      1. I’m with you, and that was the first thing I thought when I heard this claim. But I guess no one has talked to the people at Siemens that made the centrifuges that the Iranians got hold of.

  12. One thing is self-evident. If the USA can’t decide when and how to use its resources to deter bad actors, then the world will (correctly) see us as impotent.

    If we are going to retaliate, then it needs to be done according to The Powell Doctrine.


    The Powell Doctrine states that a list of questions all have to be answered affirmatively before military action is taken by the United States:

    Is a vital national security interest threatened?
    Do we have a clear attainable objective?
    Have the risks and costs been fully and frankly analyzed?
    Have all other non-violent policy means been fully exhausted?
    Is there a plausible exit strategy to avoid endless entanglement?
    Have the consequences of our action been fully considered?
    Is the action supported by the American people?
    Do we have genuine broad international support?

    Powell has so asserted that when a nation is engaging in war, every resource and tool should be used to achieve decisive force against the enemy, minimizing casualties and ending the conflict quickly by forcing the weaker force to capitulate.

    The key word there is capitulate. Our goal is not retaliation or deterrence but capitulation. If we are unwilling to act so boldly, then we deserve the label impotent.

  13. If you are trying to catch your cheating spouse in the act, I strongly recommend you contact this awesome hacker that helped me monitor my husband’s phone. I got virtually every information my hubby has been hiding over the months easily right in my own phone, the spy app diverted all his text messages, Whatsapp, multimedia sent through the phone, social networks on his phone, phone calls and deleted messages. He could not believe his eyes when he saw the evidence because he had no idea he was hacked.. Visit Dylan Cyber Company on his website w w w . procyberhelp . com , very affordable and reliable, thank me later
    Contact : P R O C Y B E R H E L P @ G M A I L . C O M or Whatsapp, +1 620 203 5003.

  14. If you are trying to catch your cheating spouse in the act, I strongly recommend you contact this awesome hacker that helped me monitor my husband’s phone. I got virtually every information my hubby has been hiding over the months easily right in my own phone, the spy app diverted all his text messages, Whatsapp, multimedia sent through the phone, social networks on his phone, phone calls and deleted messages. He could not believe his eyes when he saw the evidence because he had no idea he was hacked.. Visit Dylan Cyber Company on his website w w w . procyberhelp . com , very affordable and reliable, thank me later
    Contact : P R O C Y B E R H E L P @ G M A I L . C O M or Whatsapp, +1 620 203 5003.

  15. If you are trying to catch your cheating spouse in the act, I strongly recommend you contact this awesome hacker that helped me monitor my husband’s phone. I got virtually every information my hubby has been hiding over the months easily right in my own phone, the spy app diverted all his text messages, Whatsapp, multimedia sent through the phone, social networks on his phone, phone calls and deleted messages. He could not believe his eyes when he saw the evidence because he had no idea he was hacked.. Visit Dylan Cyber Company on his website w w w . procyberhelp . com , very affordable and reliable, thank me later
    Contact : P R O C Y B E R H E L P @ G M A I L . C O M or Whatsapp, +1 620 203 5003.

Please to post comments

Comments are closed.