The latest attempt by the State Department to set behavior norms

Following lawmakers’ calls for the Trump administration to lay out a clear cyber deterrence strategy, the State Department has proposed developing a broader set of consequences that the government can impose on adversaries to ward off cyberattacks.

The unclassified version of the State Department’s deterrence recommendations, published Thursday, calls for the U.S. to work with allies to inflict “swift, costly, and transparent consequences” on foreign governments that use “significant” malicious cyber activity to harm U.S. interests.

To do that, the U.S. government needs to clearly and publicly outline the malicious activity it seeks to deter, according to the State Department report, which was required by a 2017 White House executive order. The document doesn’t go into detail on deterrence tools, but U.S. officials have said that sanctions, indictments, publicly attributing attacks, and covert offensive operations are all on the table.

Dating back to the Obama administration, lawmakers have urged the executive branch to delineate a deterrence strategy after high-profile breaches of the Office of Personnel Management in 2015 and the Democratic National Committee in 2016. Chinese hackers allegedly carried out the former operation while Russian hackers were responsible for the latter.

The Trump administration also should develop different strategies for deterring each of its adversaries, the report suggests. In other words, what might work in deterring North Korean hackers may not for Russian ones as such activity depends on geopolitical context. Pyongyang’s hackers, for example, have continued to carry out attacks against companies on multiple continents despite ongoing diplomatic negotiations with the United States.

State Department officials also released an “international engagement strategy” Thursday advocating a “new cooperative framework” for deterring adversaries, without elaborating on what that looks like. The strategy, also required by the 2017 executive order, aims to reduce the risk of cyber-driven conflict by reviving international discussions of cyber norms.

The State Department pushed for a norms agreement through the United Nations Group of Governmental Experts, but those talks collapsed last June over disagreements between the United States, Russia, and others over the right to defend themselves in cyberspace.

The State Department has been without a cybersecurity coordinator since the departure of Christopher Painter 10 months ago, with Deputy Assistant Secretary Robert Strayer serving as the top cyber diplomat.

Painter, now a non-resident fellow at the Australian Strategic Policy Institute, released his own deterrence report this week, which echoed the department’s call for tailored deterrence strategies.

“Actual or threatened responsive actions are effective only if the target of those actions is something that matters to the state in question, and that target will differ according to the particular state involved,” Painter wrote.