
Trump's cyber security strategy is reckless

His administration's new policy of striking first at online attackers might invite cyber attacks, not deter them.

When North Korea compromised Sony Pictures in 2014 and stole the company's data, the US experienced a national disruption to its Internet connectivity in the following month. Nearly every major known online intrusion perpetrated against the United States has had significant and unpleasant consequences.

At first glance, it would be easy to confuse the Trump administration's new National Cyber Strategy with its predecessors: the Obama administration's 2009 Cyberspace Policy Review and George W. Bush's 2003 National Strategy to Secure Cyberspace. All three documents emphasise strikingly similar goals: the importance of hardening critical infrastructure, working with the private sector, securing government networks and establishing more robust partnerships for sharing information about online threats.

Despite its similarities with previous administrations' plans, however, the National Cyber Strategy represents an abrupt and reckless shift in how the United States government engages with adversaries online.

Instead of continuing to focus on strengthening defensive technologies and minimising the impact of security breaches, the Trump administration plans to ramp up offensive cyber operations. The new goal: deter adversaries through pre-emptive cyber attacks and make other nations fear the US' retaliatory powers.

The framework for this shift to an offence-first strategy is found in three recently announced pieces of policy. The first, the National Cyber Strategy, outlines a broad vision of how the administration plans to approach online issues and emphasises the importance of imposing "swift, costly and transparent consequences" on online attackers.

The second is the new Department of Defence cyber strategy, a more detailed plan for how the military will approach cyber security. It outlines a plan to "defend forward" by going after threats "before they reach their targets" and disrupting "malicious cyber activity at its source".

And the third is the classified National Security Presidential Memorandum 13, which makes it easier for the military to launch offensive cyber operations by largely eliminating a lengthy interagency approval process put in place by the Obama administration.

The idea of using offensive cyber attacks for defensive purposes is not a new one - discussions about the potential risks and rewards of "hacking back", especially in the private sector, go back more than five years. But for the American government to embrace this strategy is a sharp change from the cautious, defence-oriented approach of the past decade.

President Barack Obama was notably restrained in his authorisation of offensive cyber missions. When deciding whether to use the Stuxnet worm to compromise uranium enrichment facilities in Iran in 2010 - this was his administration's most famous use of offensive cyber capabilities - he reportedly expressed repeated concerns about the precedent it would set for other countries. The Obama administration's forbearance and careful decision-making around cyber attack authorisation aligns with the 2015 Department of Defence cyber strategy, which identified controlling the escalation of cyber conflicts as a key strategic goal. That goal is conspicuously absent from the Department of Defence's new strategy.

The Trump administration's shift to an offensive approach is designed to escalate cyber conflicts, and that escalation could be dangerous. Not only will it detract resources and attention from the more pressing issues of defence and risk management, but it will also encourage the government to act recklessly in directing cyber attacks at targets before they can be certain of who those targets are and what they are doing.

NEW ATTACKS

One of the advantages of the slow, unwieldy approval processes put into place by previous administrations is that they gave the government ample time to ascertain who was behind a cyber attack. That is not always easy to do: Many adversaries route cyber attacks through compromised third-party machines in other countries, such as university computer systems. Rushing to retaliate may make it more likely that the United States will lash out at the wrong target, which may invite new attacks rather than deter them.

It could also lead to more attacks from existing adversaries like Russia and North Korea, from whom the US already faces substantial online threats. These countries have demonstrated their considerable online capabilities in cyber attacks directed at hospitals and power companies. If the US pre-emptively attacks their servers and online infrastructure, it will only provoke greater and more damaging shows of force. And what these countries are capable of will be every bit as terrifying and harmful as what the US can do.

There is no evidence that pre-emptive cyber attacks will serve as effective deterrents to this country's adversaries in cyber space. In fact, every time a country has initiated an unprompted cyber attack, it has invariably led to more conflict and has encouraged retaliatory breaches rather than deterring them. Nearly every major publicly known online intrusion that Russia or North Korea has perpetrated against the United States has had significant and unpleasant consequences.

When North Korea compromised Sony Pictures in 2014 and stole the company's data, it experienced a national disruption to its Internet connectivity the following month. More recently, Russia has faced sanctions, indictments identifying their key online activities and personnel, and possibly covert cyber operations as punishment for a series of online intrusions and computer compromises. While nobody knows where these counter attacks originated, experts believe some of them came from the United States.

Under the new attack-first policy, it is likely that North Korea or Russia will retaliate against the United States in similar ways if threatened. For the United States, this is an especially risky approach, given how much of its infrastructure - from energy distribution to financial systems to voting - is digitised and how vulnerable that dependence on computer networks makes this country to cyber attacks.

A smart national cyber strategy would focus on securing the US' computer systems, data and networks by allocating more money for their protection and by allocating more time and energy to regularly update, measure and test their security. It would charge the government with attacking its own servers and systems domestically to identify potential vulnerabilities before foreign adversaries have a chance to exploit them, rather than encouraging officials to strike out at overseas targets. And it would reserve the use of offensive cyber capabilities for situations that allow for careful consideration of the possible unintended consequences, narrow tailoring to a specific mission and contained, targeted damage.

Ironically, the new national cyber strategy also charges the United States government with enhancing cyber stability "through norms of responsible state behaviour". As the rest of its policies make all too clear, this administration has already committed itself to irresponsible uses of cyber force that may serve to destabilise everyone's online infrastructure, including its own. NYTIMES

  • The writer is an assistant professor at the Rochester Institute of Technology and the author of You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cyber Security Breaches.