A top White House official says the U.S. government cannot rely on offensive cyber operations to deter foreign hackers from attacking American computer networks.
Thomas Bossert, an assistant to the president for homeland security and counterterrorism, told an audience of former intelligence and defense officials Wednesday in Washington, D.C., that hacking into foreign computer networks should not be considered a means of deterring enemies from breaching American organizations.
“There’s very little reason to believe that an offensive cyberattack is going to have any deterrent effect on a cyber adversary,” Bossert said. “In fact, it will likely encourage them to hurry up and become better hackers and develop better defenses. So I don’t just think this is a misnomer, but it’s something that we need to move past and say out loud.”
Bossert suggested the U.S. government should instead leverage “national power” to stop future cyberattacks.
“I think what we will do on the deterrence side is we’ll figure out a means and a method to apply elements of national power outside of cyber to punish bad behavior. And we’ll try to do it in a way that’s commensurate with the offense and also revocable in a way that’s not going to create a long-term escalatory posture,” said Bossert. “And so, if we have a bad actor that does something in increasingly unacceptable, then what we’ll have to do is punish them in such a way that is real world and not cyber world.”
U.S. companies and governmental organizations regularly rely on cybersecurity professionals to defend systems from hackers. Occasionally, this work calls for some degree of offense.
It’s not uncommon for law enforcement to use software that would be labelled “offensive” in order to disrupt servers which are hosting or deploying malware. In addition, classified documents leaked by Edward Snowden show that American intelligence agencies routinely leverage software exploits to collect intelligence — which could be used to inform policy decisions, including the deployment of sanctions to discourage cybercrime.
Former U.S. intelligence officials disagree with Bossert’s assessment. They say offensive cyber operations — launched by intelligence agencies like the NSA, CIA and FBI — can have a real impact on an attacker’s ability to remotely break into American companies.
Blake Darche, a former NSA analyst and now the chief security officer of Area 1 Security, criticized Bossert’s comments. The U.S.’s still-developing deterrence strategy must consider a wide array of options, according to Darche, and that should include the NSA’s expertise in some cases.
“A deterrence strategy relying on the physical world is a failed cyber strategy,” Darche said. “You cannot successfully arrest foreign nationals working for their military or intelligence services in a meaningful quantity.”
He added that a successful deterrent is one which raises the amount of resources an attacker has to spend to successfully conduct a cyber operation.
“One way to do this is through sustained information operations, where fake information is fed back to the attacker,” Darche said. “This is extremely difficult to detect and causes the largest amount of havoc in intelligence operations.”
While the government’s use of hackers to counter the actions of others may not be the best solution for every situation, said Jason Kichen, a former intelligence officer and now the director of cybersecurity firm Versive, there are specific conditions and targets where this approach makes sense.
“Neither offensive cyber operations themselves nor the countries they may target are monolithic, and a one-size-fits-all policy to how they are conducted and against who isn’t wise,” said Kichen. “It requires critical and detailed analysis not only to understand the right offensive operation to design: what capabilities to deploy, how and when to deploy them, and what the intended messaging is, but also an understanding of the target, including how they will detect and respond to the attack.”
Asking whether these techniques work to deter certain bad behavior from a specific country is a flawed question in itself, according to Kichen.
“Offensive cyber operations shouldn’t be designed to punish bad behavior in the first place, but instead to affect specific goals and change,” he said.
Bossert, who spoke Wednesday at the 2017 Intelligence and National Security Summit, briefly noted that the Trump administration plans to develop a “means and a method” for how and when to apply punishment when a country is found hacking the U.S.
The lack of such a framework, explained Dave Aitel, chief executive of cybersecurity firm Immunity, Inc., is in part prompting skepticism about the effectiveness of existing tools, including offensive cyber operations.
“You look at how things are today and we really have no understood policy framework for cyber operations … It just hasn’t happened yet. There’s no standard response to a specific type of breach. There’s no red line that triggers a certain response. There’s an absence of policy. And so, how do you define value exactly? How do you know what’s an appropriate response? How do you judge whether something is truly effective,” questioned Aitel. “That’s still obviously an open debate.”