Page 17 - FCW, July/August 2018
P. 17

                                                                                                                                                                                                                                                                                            As the U.S. weighs going on the offensive in the cyber domain, critical questions remain about who will take the lead and how clearly to draw the rules of engagement
For years, security experts have warned of a cyber Pearl Harbor, an attack so big and bold that it cripples U.S. infrastructure and demands a mili- tary response.
However, in interviews with former White House and other executive branch officials as well as members of Congress and staffers involved in cybersecurity policy, many expressed more concern about the potential for a cyber Gulf of Tonkin — a misunderstanding or misat- tribution for an event that precipitates or is used as a justification for war. The name refers to the naval incident that led the United States to deepen its involvement in the Vietnam War.
“I think we should all be concerned about a [misunder- standing] or something that is made to look like some- one else took action,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus. “Attribution is very difficult, although we are getting much better at it. There’s no doubt there could always be a level of uncertainty.”
The U.S. government is currently engaged in disputes with at least four countries — Iran, North Korea, Russia and China — over a series of hacks, intrusions and cyber- attacks over the course of the past five years. In the cases of Iran and North Korea, some experts are concerned that the situation is potentially one precipitating-incident away from breaking out into military conflict.
Furthermore, lawmakers have increasingly agitated for a more forceful response to nation-state-led cyberattacks while providing little in the way of statutory guidance for the rules of engagement for offensive cyber operations, including which agencies should take the lead and how brightly the lines should be drawn between private-sector, civilian government and military response.
Blurred lines
The federal government lacks a commonly understood framework for the type and scope of actions that would qualify as an act of war in cyberspace.
“There isn’t [a document] — to my knowledge at least when I was in government — where [we can say], ‘This is our list, and if it’s one of these things, then we’re going to declare war,’” said Megan Stifel, a former director of international cyber policy on the National Security Coun-
cil. “It’s not very helpful or reassuring to many to say that we’ll know it when we see it, but that has been a bit of the philosophy because we haven’t seen it yet.”
Stifel listed many of the most high-profile attacks against United States assets — including the disinforma- tion campaign during the 2016 presidential election, the 2017 WannaCry ransomware attack, the 2014 Sony hack and the Office of Personnel Management data breaches in 2015 — and questioned whether any of them could be interpreted as a genuine act of war by the nations that supposedly carried them out.
In its new command vision on information warfare, U.S. Cyber Command noted that nation-states have taken advantage of the ambiguous policy landscape to conduct aggressive campaigns to harm or destabilize U.S. interests and infrastructure.
“Adversaries continuously operate against us below the threshold of armed conflict,” the document states. “In this ‘new normal,’ our adversaries are extending their influence without resorting to physical aggression.”
Some have argued that establishing guidelines would allow policymakers to clearly say what kinds of attacks and targets require an in-kind cyber or even a military response. Alternatively, the absence of such a framework carries the risk of creating confusion and misunderstand- ing on the international stage, which could precipitate a larger conflict.
“There are these questions of ‘what was the intent?’ and I think we need to be careful not to [behave like a meta- phorical hammer] looking for nails,” Stifel said. “Because of the way western democracies have the private sector own most of the communications and information tech- nology infrastructure, the lines are very blurred.”
A shifting policy landscape
That ambiguity has left some perplexed about how to respond to cyber-focused operations against the United States. Langevin is one of 12 members of Congress who have co-sponsored a bill introduced by Rep. Ted Yoho (R-Fla.) that would require the president to identify as a “critical cyberthreat” any foreign people or entities deter- mined to be responsible for a cyberattack or any person or organization that “knowingly materially assisted or attempted such activities.”
July/August 2018 FCW.COM 13

















































































   15   16   17   18   19