Retaliating for State-Backed Hacks
Responses Likely to Be Kinetic, Not Virtual
How the United States should retaliate against China and other nations for cyber-attacks on American businesses is being debated in the White House. It's a growing challenge that's being discussed not only in the halls of government, but at think tanks and academia.
"Policymakers must be keenly aware of the costs associated with each response, as they will have an impact on a country's diplomatic relations, reputation, and military and intelligence operations," says Adam Segal, director of the Council on Foreign Relations' digital and cyberspace policy program.
The retaliation for state-sponsored cyber-attacks, especially those that pilfer the intellectual property of businesses, will likely be kinetic, not virtual.
Cyber retaliation is problematic. It's difficult to develop quickly unless a government had prepared a capability against a specific target that likely involved prior cyber-espionage, an unparalleled understanding of a target's vulnerabilities and a custom exploit kit at its disposal, Tobias Feakin, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute, writes in a cyber-brief published this past week by the Council on Foreign Relations. A case in point: the American and Israeli attack on Iranian nuclear centrifuges, known as Stuxnet, which took years to develop and deploy.
Overt Cyber Response
"An overt cyber response can be unappealing as states may lose the ability to launch similar responses against other targets," Feakin writes. "Policymakers are likely to concentrate on other levers of power, alongside whatever they may do covertly."
Feakin identifies three variables policymakers must consider in determining the proper response: the intelligence community's confidence in its attribution of responsibility, the impact of the incident and the levers of national power at a state's disposal.
In this diagram, Feakin proposes responses to escalating state-sponsored cyber incidents, ranging from the delivery of a demarche, or protest statement, in response to a website defacement or a distributed denial-of-service attack to conducting a military strike or instituting a blockade in retaliation for a cyber-attack resulting in loss of life or damage to critical infrastructure.
Responses to State-Sponsored Cyber Incidents
Feakin says a response to state-sponsored cyber-attacks must be proportional to the damage caused. "While there may be pressure to respond disproportionally to deter future [cyber] attacks, international law requires that states only take forcible measures that are necessary and proportionate to successfully repel or defeat a disruptive or destructive cyber-attack, limiting the scale, scope, duration and intensity of any action a victim state may take," he says. "Responding proportionally may make it easier to build the international coalitions necessary to isolate and punish the attacker as well as limit the likelihood of escalation."
Jason Healey, director of Columbia University's Saltzman Institute of War and Peace Studies, says Feakin's framework creates a vocabulary policymakers can use in developing appropriate responses.
"Even if you don't think the lines are drawn in the right places, these kinds of frameworks emphasize strategy," Healey says. "If someone disagrees with this, it's much easier for them to say, 'Add these things here, the lines should be drawn here.' ... Whether you've got the right lines in the right places is less important than moving forward the conversation."
Responding to Chinese Attacks
Defining what a state-sponsored cyber-attack is can prove problematic when dealing with a nation such as China, where the government owns businesses. Earlier this week, the Washington Post reported that the Obama administration is considering a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government's cybertheft of valuable U.S. trade secrets.
The consideration of sanctions comes as Chinese President Xi Jinping prepares for his first state visit to the White House. The U.S. is unlikely to choose sanctions found on Feakin's list because the American response likely would be against the businesses - albeit government-owned - that stole the intellectual property. "It's not between Obama and Xi Jinping, it's the United States government putting sanctions on Chinalco and Baosteel," Healey says, referring to the Aluminum Corp. of China and Shanghai Baosteel Group.
In 2014, the U.S. did not directly sanction the Chinese government for the theft of American corporate intellectual property; instead, the Justice Department indicted Chinese army officers accused of instigating the cyber-attack (see The Real Aim of U.S. Indictment of Chinese). It's likely further sanctions would be along those lines, as Healey suggests.
The sanctions might not be announced until after Xi returns to Beijing. But the administration has said that cyberthreats will be among the topics the two presidents will discuss.
Whether economic sanctions against Chinese businesses and their leaders will stifle the theft of intellectual property from American industry is a question that can't be easily answered.