The recent hack of the Democratic National Convention’s emails has the American cybersecurity community reeling. At stake in its investigation are bigger questions, like what role cyber tools should play in securing the nation, both offensively and defensively. Cybersecurity experts at the 2016 Aspen Security Forum discussed the issue at length; read below for highlights from their conversation.
Building the “name and shame” culture
According to panelist John Carlin, assistant attorney general for national security, the United States began to take a new approach to national cybersecurity threats after 9/11. Before the terrorist attacks, the intelligence community had failed to effectively share information across the law enforcement and intelligence divide.
“It was something we won’t repeat again,” Carlin said.
In order to combat cyber threats, Carlin said that the United States shifted to a more aggressive approach. Whenever the US prosecutes a state or non-state actor for cyber threats, the first step is a thorough investigation — and then a public attribution and enforcement of consequences. In other words, a “name and shame.” This, Carlin said, is the equivalent of putting up a “no trespass” sign on the United States’ proverbial lawn and creating a new norm of holding cyberterrorists accountable for their actions.
This model applies to all cyber threats, Carlin continued, whether or not they are a state actor. He sees four main state actor threats to the cybersecurity of the United States:
- Iran
- North Korea
- China
- Russia
“We haven’t yet seen a public action against Russia, but I wouldn’t assume that we’re not going to apply this deterrence model to their actions if they continue to intrude,” Carlin said. “We need to be committed to being public.”
The “name and shame” model deters actors from perpetrating cyber attacks against the United States, but it is not the only tool in the United States’ arsenal. According to Carlin, when a state actor attacks with cyber, that doesn’t mean the response has to be through cyber. Sanctions or diplomatic responses are also often effective.
“It’s like in armed conflict,” Carlin said. “We are designing and developing doctrine over when it is appropriate to use cyber. That doesn’t mean you don’t come up with ways to do deterrence or take action. It just might be asymmetric.”
How can we actually defend ourselves against cyber threats?
Cybersecurity threats are very real, said the panelists, and Americans are going to have to get better at building effective defensive systems. Vinny Sica, a vice president at Lockheed Martin, said that his organization is being attacked every day, and protecting their networks is crucial. It’s not just high-profile organizations that need to secure their data, however.
“The bottom line is nothing should be assumed safe,” Sica said. “It’s all in the public domain.”
One of the difficulties in defending against cyber threats is their evolving nature. It is crucial to be constantly updating and changing defensive systems to stay up to date and effectively protect networks.
“The real scenario that we need to be focused on is: do we have the right intelligence capability to see what’s coming in?” he continued. “We can’t just deliver new systems that, honestly, by the time we deploy them would be out of date. This is a constantly evolving threat, so we constantly need to be staying on top of that and monitoring.”
Going on the offensive
The United States has been scaling up its use of cyber capabilities as offensive tools as well, though panelists cautioned that there are limits to how cyber can be deployed.
“It’s a fantastic advancement,” said Michael Daley, chief technology officer at Raytheon. “Cyber has the ability to change hearts and minds, with nonlethal effects.”
However, said Daley, cyber is not always a sure thing. He compared launching a cyber attack to dropping a bomb: if a country drops a bomb, it blows up every time. However, cyberattacks have more of an element of uncertainty. He called them “perishable.”
“If I use this technique today, somebody will figure out how to shut it down, so I have to be cautious.”
This is part of the nature of cyber threats, said Steve Grobman, chief technology officer of Intel Security Group. It is crucial to always be thinking outside of the box: inherently, threat intelligence is based on something that security experts have already seen. Any new cybersecurity threat is not going to be part of previous intelligence. This works in both positive and negative ways for the United States. As security evolves, cyber threats will shift and change form as well.
“Threat intelligence forces bad actors to constantly reframe their work,” Grobman said.