The United States may have pioneered the idea of fighting wars in cyberspace, but it’s our adversaries who are using cyberattacks most effectively. To deter them, the country needs creative new ways to punish nations if they launch the devastating attacks that are within their grasp.
The need for options to strike back at cyber-aggressors is obvious – and urgent. Despite the sanctions and indictments provoked by Russia’s attack on the 2016 U.S. presidential election, Russian President Vladimir Putin is doubling down on cyber-intrusions. In recent months, Microsoft reported that Russia was trying to infiltrate the computer networks of multiple congressional campaigns.
Worse, the Department of Homeland Security says Russia is making a major push to infiltrate U.S. power-plant control rooms.
The only debate is over Putin’s intent: Is he planning to shut off power in the United States, as he is accused of doing in Ukraine in December 2016, or does he simply want to show that he can do so whenever he wants?
Other adversaries are also delighting in cyber-weapons’ leveling effect. U.S. intelligence agencies believe that China is cheating on its Obama-era pledge not to engage in commercial cyber-espionage. North Korea has dramatically improved its capabilities, moving its best hackers to China and other countries where internet service is better, and using them to steal from banks, as well as to threaten the United States. And Iran, which wielded its willingness to attack U.S. corporations, banks and even dams as leverage in nuclear arms talks, remains one of the most active of all the nation-state hackers followed by the cybersecurity firm FireEye. No wonder Director of National Intelligence Daniel Coats recently said of these cyber-threats: “The warning lights are blinking red again.”
U.S. officials have often said that the United States has unrivaled offensive cyber-capabilities. Why hasn’t that deterred anyone? It’s simple. The United States is so reliant on computer networks that we’re afraid to launch a tit-for-tat exchange in cyberspace. It was true during the Obama administration and remains true today. As Army Lt. Gen. Paul Nakasone said during his confirmation hearing in March to be the nation’s top cyber-warrior, our adversaries “don’t fear us.”
Instead, they’re gradually upping the ante, looking to impose as much pain as possible without triggering serious consequences. The longer we go without an effective response, the more pain we’ll suffer. And if we wait until enemy hackers manage to kill lots of Americans, as they could, we risk a U.S. response so sudden and harsh that it sparks a war.
The country has tried “naming and shaming” attackers by indicting government-sponsored hackers from China, Iran and Russia. That’s fine, but the U.S. is unlikely ever to arrest those hackers and, over time, attribution without retribution just advertises weakness. Sanctions have more bite and should still be employed, but their impact is delayed, hard to target and clearly insufficient. These inadequate options are about all the interagency process has coughed up.
We need to get tougher and more inventive. In the hope of inspiring others’ imagination, here are a few options that belong in the U.S. tool kit:
n The next time North Korea uses its cadre of expatriate hackers in Kenya, Mozambique and other countries to attack the United States, we should demand that the host government expel the hackers. If officials don’t comply, U.S. Special Operations forces have plenty of experience taking action in countries that are unable or unwilling to stop terrorists operating from their soil; they could be sent in to seize the buildings, probably hotels, being used by the cyberattackers and take the hackers into custody.
n Russia has allegedly loaded U.S. electrical control systems with tools that could shut down the grid. Putin’s threat is clear, but two can play that game. It’s possible to build electromagnetic-pulse weapons the size of a large copy machine that can fry electronics for a few miles around. Why not install several such weapons in high-rise office spaces around Moscow, including a few places where they’ll be found? Like Putin’s implants in our grid, he’ll never be sure he has found them all, and there’s no need to use them – unless Putin uses his.
n Iran has shown a willingness to use malware that leaves victim networks irretrievably damaged. If Iran did that to U.S. systems, Iran’s remarkably vulnerable offshore oil platforms would be good targets for payback, from simple interruption of gas flows to complete destruction of as many platforms as are necessary to end or deter an attack.
These options may seem extreme; they were once unthinkable. But frankly so was Russia’s playing a major role in a U.S. presidential campaign. If we don’t want to suffer more extreme injuries at the hands of our adversaries, we need a few unthinkable responses of our own.
Send questions/comments to the editors.
Success. Please wait for the page to reload. If the page does not reload within 5 seconds, please refresh the page.
Enter your email and password to access comments.
Hi, to comment on stories you must . This profile is in addition to your subscription and website login.
Already have a commenting profile? .
Invalid username/password.
Please check your email to confirm and complete your registration.
Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.
Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.