March is known for coming in like a lion and out like a lamb, but that has not been the case in the world of cyber policy. In fact, the U.S. has been extremely active this month in responding to malcious cyber activity against U.S. targets. These responses reflect a growing shift that has occurred over the last year, wherein the U.S. government formerly attributes cyber attacks to specific adversaries, and increasingly deploys a range of tools of statecraft. While these are important first steps, a comprehensive and coherent cyber policy and doctrine is still needed. Fortunately, several policy proposals have emerged recently that are effects based, and focus on instilling policies that protect and respond to cyber attacks on certain targets. This is necessary, but more is needed to progress toward a cyber strategy in sync with the magnitude of today’s digital threats. As Senator Mark Warner noted this month at the SXSW conference, the country is “woefully unprepared for cyber threats", and basic rules are required to counter cyber aggressions.
Two Weeks in Review
A quick review of the last few weeks illustrates the range of tools the U.S. is increasingly deploying to counter malicious cyber activity. North Korea is absent on this list. Even though the U.S. has attributed WannaCry to North Korea, which reemerged this week, and despite linkage to a series of financially-motivated attacks including a recent BitCoin heist, the US has not responded publicly to North Korea cyber activity beyond the sanctions in early 2015 that were a response to the Sony attack. Nevertheless, there was an unusual amount of new policy initiatives aimed at Russia, China, and Iran within a small time period and deploying a broad range of statecraft.
March 15 – Russian Sanctions
In December 2016, the U.S. sanctioned Russia and evicted diplomats over election interference. In January 2018, the US issued indictments for election interference against eleven Russians and two Russian organizations related to the information operations, social media meddling, and bank and wire fraud. Arguably, this month’s sanctions were the strongest, and included all thirteen entities previously indicted, and six additional Russians for a range of compromises. Although the election interference gained the most attention, the sanctions are also a response to Russian hacking into and/or targeting American critical infrastructure, including electric grids, water supplies, and air travel. The sanctions also address last year’s NotPetya attack, which targeted Ukraine initially but spread globally, costing several large companies hundreds of millions of dollars. There also is news this morning of the extradition of a Russian connected to the LinkedIn data theft and potentially the DNC breach, and is something to follow.
March 22 – Investigation Into China’s Unfair Trade Practices & Broken Agreements
On March 22, the Office of the U.S. Trade Representative (USTR) published a 215-page document that detailed the findings of an investigation into unfair trade practices by China. It was accompanied by a Presidential Memorandum related to the findings of this investigation, which specified the potential for tariffs in response to these unfair trade practices. Buried inside the USTR report is also a section focused on a series of unauthorized intrusions and cyber-enabled theft. This is the first formal acknowledgement that China continues cyber-enabled theft of commercial intellectual property for commercial gain despite the 2015 US-Sino pact which prohibits this activity. While the CCleaner attack last year indicated that this agreement may have been broken, this month’s document specifies a range of intrusions that have occurred since the 2015 agreement. The USTR report includes, among other compromises, the 2017 indictments against three Chinese nationals for intrusions targeting Siemens, Moody’s Analytics and Trimble as well as activity by China-linked APT 10. According to the USTR report, "the evidence indicates that cyber intrusions into U.S. commercial networks in line with Chinese industrial policy goals continue."
March 23 – Iranian Indictments and Sanctions
The Justice Department issued indictments against “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice” in coordination with sanctions issued by Treasury against ten Iranians. The Iranians are responsible for global attacks on numerous private sector entities, hundreds of universities, and government agencies. Nine of the ten Iranians indicted are linked to the Iranian Revolutionary Guard Corps and Iranian universities and charged with the theft of 31 terabytes of data, equivalent to three Libraries of Congress. The tenth individual sanctioned was responsible for the HBO hack, and was indicted in November 2017. The U.S. had previously issued indictments against Iran in 2016 for a widespread attacks on financial institutions and a dam.
Signs of Policy Change?
Clearly, March has been an active month for policy responses to cyber attacks. On the one hand, this marks the continuation of growing U.S. policy activism in response to cyber attacks. The U.S. has actively and publicly retaliated against cyber attacks only recently, ostensibly beginning in 2014 with the indictment against five PLA members for cyber espionage targeting the steel industry. This more recent wave of active policy responses began in late 2016, and has been followed by a series of indictments, diplomatic evictions, and sanctions.
While these generally have been piecemeal responses, there are a few policy efforts that show some forward progress toward a more refined cyber strategy. To strengthen defenses (and deterrence by denial), the latest omnibus spending bill allocates $380 million to states to protect digital voting systems. Similarly, a proposed bipartisan bill aims to safeguard the electric grid from cyber attacks. The proposed Defending Elections from Threats by Establishing Redlines (DETER) also is aimed at voting security, and takes a broader approach to information security by addressing election interference through cyber attacks as well information operations. The DETER act is important as it also specifies how the U.S. will respond if specific intrusions occur, such as issuing sanctions and diplomatic evictions. The other recent policy piece that focuses on deterrence is the Nuclear Posture Review (NPR) which was updated last month. The NPR establishes U.S. nuclear priorities, and notes that under extreme circumstances nuclear weapons may be deployed in response to significant non-nuclear strategic attacks, which is largely interpreted to mean cyber-enabled attacks.
Despite these recent proposals and nascent policies, a piecemeal approach is less impactful than a coherent and comprehensive cyber strategy. The range of tools of statecraft employed in March are indicative of the evolving nature of U.S. responses to cyber attacks and are important first steps. The ongoing stream of indictments and expanded sanctions signal some progress toward greater deterrence, but clearly more is needed. Economic, legal and diplomatic tools are necessary to counter the range of cyber attacks from numerous threat actors, but they are more impactful when placed within a comprehensive cyber strategy that not only provides stronger defenses, but also signals the costs that may occur when specific targets are compromised via cyber-enabled means.