The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Crime

Thinking the unthinkable about responding to cyberattacks

My op-ed in the Washington Post

|

We need better, more aggressive options to deter cyberattacks, since the ones we've come up with so far are clearly not deterring our adversaries. I would like to inspire more ambition, aggressiveness, and creativity in the American response. As the first stage in that effort, here's an op-ed I published today in the Washington Post:

The United States may have pioneered the idea of fighting wars in cyberspace, but it's our adversaries who are using cyberattacks most effectively. To deter them, the country needs creative new ways to punish nations if they launch the devastating attacks that are within their grasp.

The need for options to strike back at cyber-aggressors is obvious — and urgent. Despite the sanctions and indictments provoked by Russia's attack on the 2016 U.S. presidential election, Russian President Vladimir Putin is doubling down on cyber-intrusions. In recent months, Microsoft reported that Russia was trying to infiltrate the computer networks of multiple congressional campaigns.

Worse, the Department of Homeland Security says Russia is making a major push to infiltrate U.S. power-plant control rooms.

The only debate is over Putin's intent: Is he planning to shut off power in the United States, as he is accused of doing in Ukraine in December 2016, or does he simply want to show that he can do so whenever he wants?

Other adversaries are also delighting in cyberweapons' leveling effect. U.S. intelligence agencies believe that China is cheating on its Obama-era pledge not to engage in commercial cyberespionage. North Korea has dramatically improved its capabilities, moving its best hackers to China and other countries where Internet service is better, and using them to steal from banks, as well as to threaten the United States. And Iran, which wielded its willingness to attack U.S. corporations, banks and even dams as leverage in nuclear arms talks, remains one of the most active of all the nation-state hackers followed by the cybersecurity firm FireEye. No wonder Director of National Intelligence Daniel Coats recently said of these cyberthreats: "The warning lights are blinking red again."

U.S. officials have often said the United States has unrivaled offensive cybercapabilities. Why hasn't that deterred anyone? It's simple. The United States is so reliant on computer networks that we're afraid to launch a tit-for-tat exchange in cyberspace. It was true during the Obama administration and remains true today. As Army Lt. Gen. Paul Nakasone said during his confirmation hearing in March to be the nation's top cyberwarrior, our adversaries "don't fear us."

Instead, they're gradually upping the ante, looking to impose as much pain as possible without triggering serious consequences. The longer we go without an effective response, the more pain we'll suffer. And if we wait until enemy hackers manage to kill lots of Americans, as they could, we risk a U.S. response so sudden and harsh that it sparks a war.

The country has tried "naming and shaming" attackers by indicting government-sponsored hackers from China, Iran and Russia. That's fine, but the United States is unlikely ever to arrest those hackers, and, over time, attribution without retribution just advertises weakness. Sanctions have more bite and should still be employed, but their impact is delayed, hard to target and clearly insufficient. These inadequate options are about all the interagency process has coughed up.

We need to get tougher and more inventive. In the hope of inspiring others' imagination, I offer a few options that belong in the U.S. tool kit:

?The next time North Korea uses its cadre of expatriate hackers in Kenya, Mozambique and other countries to attack the United States, we should demand that the host government expel the hackers. If officials don't comply, U.S. Special Operations forces have plenty of experience taking action in countries that are unable or unwilling to stop terrorists operating from their soil; they could be sent in to seize the buildings, probably hotels, being used by the cyberattacks and take the hackers into custody.

? Russia has allegedly loaded U.S. electrical control systems with tools that could shut down the grid. Putin's threat is clear, but two can play that game. It's possible to build electromagnetic pulse weapons the size of a large copy machine that can fry electronics for a few miles around. Why not install several such weapons in high-rise office spaces around Moscow, including a few places where they'll be found? Like with Putin's implants in our grid, he'll never be sure he has found them all, and there's no need to use them — unless Putin uses his.

? Iran has shown a willingness to use malware that leaves victim networks irretrievably damaged. If Iran did that to U.S. systems, Iran's remarkably vulnerable offshore oil platforms would be good targets for payback, from simple interruption of gas flows to complete destruction of as many platforms as are necessary to end or deter an attack.

These options may seem extreme; they were once unthinkable. But, frankly, so was Russia's playing a major role in a U.S. presidential campaign. If we don't want to suffer more extreme injuries at the hands of our adversaries, we need a few unthinkable responses of our own.