Four principles to guide the US response to cyberattacks

Cyber weapons have allowed Russia to reinvent deterrence on the cheap. Recent reports reveal a prolonged, systematic, and not particularly subtle Russian campaign to infiltrate the U.S. power grid. It raises the prospect that Russian strongman Vladimir Putin has the ability to cut off power to large parts of the United States, as he has done already in Ukraine. He has “prepare[d] the battlefield, without pulling the trigger,” said one former U.S. official.

All of which raises the question: how to deter him? After all, where Putin goes, Iranian mullahs and Kim Jong Un will not be far behind. If any of these actors knock out even a small segment of our power grid, we will need to retaliate, and not with restraint. It’s time to start thinking the unthinkable.

Four principles should guide American decision makers in developing tough responses to other nations’ cyber provocations.

Principle One: Meeting cyberattacks with cyber responses won’t work.

Every offensive capability we possess can be used against us, and probably with more effect. Instead, we must develop responses that play to our overwhelming advantage in traditional military (or kinetic) weaponry. To pick one example, Iran is now flirting dangerously with cyber weapons that damage industrial systems on which lives depend; it has attacked control systems for dams in the United States and for refineries abroad. If it successfully conducts such a cyberattack on us, we shouldn’t agonize about how to do the same to Iranian systems. We should bombard and sink as many Iranian offshore oil platforms as it takes to get the message across.

Principle Two: We need kinetic weapons with some of the advantages that cyber weapons have demonstrated.

Computer network attacks are often hard to attribute conclusively, giving aggressors plausible deniability. They also offer escalation flexibility – the ability to cause great harm without killing anyone. And they can gain leverage over us by imposing costs that are reversible or by lurking in a system, such as our grid, to signal a capability without (yet) causing damage. Kinetic weapons can be developed that have similar advantages.

In some cases, we already have such capabilities. If we want deniability while punishing Iran, we can use covert forces to cut off the flow of oil from its platforms – or just from some of them, leaving the others as hostages for good behavior.

In other cases, relatively modest modification of existing weapons could turn them into contingent threats. If Russia wants to keep its malware in our grid as a permanent threat, we can respond by dropping mines on the seafloor in a few of its harbors, with an assurance that they will remain at the bottom as long as our grid stays up. Similarly, torpedoes could be redesigned to carry propeller-fouling cables that leave an adversary’s most prestigious warships wallowing on the high seas, but still intact.

Principle Three: The U.S. response needs to be a little more than proportionate.

The U.S. should have options that don’t just deprive the adversary of what it hoped to achieve. We’ll need to add a little extra pain to bring the lesson home. So, if the North Korean government hacks Sony to keep it from releasing The Interview, then we should put copies of the movie on a million SIM cards and let thousands of helium balloons carry the movie deep into North Korean territory, so that all of North Korea can watch it – exactly what Kim Jong Un’s government hoped to prevent.

Or if North Korean hackers attack the United States from hotels in East Africa, as they have, the U.S. should quietly urge African governments to seize the hackers and surrender them to the U.S. military, leaving North Korea with fewer cyber troops than before.

But let’s not stop there. When North Korea uses cyberespionage to vastly increase its intelligence penetration of U.S. systems, we need to respond with measures that increase U.S. intelligence penetration of the Hermit Kingdom. Why not launch a cloud of small, cheap intelligence drones that cost us less to deploy than it costs Kim Jong Un to shoot down with anti-aircraft fire?

Principle Four: We must develop retaliation capabilities that play on our adversary’s unique weaknesses.

Given that most of our adversaries depend on controlling their populations’ access to information, degrading that control could be an effective countermeasure. In the case of North Korea, if launching drones doesn’t yield the right response, why not offer free, drone-powered internet service to anyone in North Korea with a cell phone?

Putin, for his part, relies on the support of a handful of oligarchs who have ploughed their wealth into lavish properties around the world. We’ve never disclosed a detailed list of the oligarchs’ assets. But we could. Transparency for Putin’s cronies could mean tax troubles in many jurisdictions and greater difficulty finding a safe harbor for their dirty money. It might even threaten Putin’s own effort to squirrel his retirement money away outside Russia. Similarly, doing the same for the increasingly corrupt theocrats of Iran would help to undermine that regime’s already shaky legitimacy.

Some of these options may already be in the government’s tool kit. But they certainly haven’t been used with sufficient imagination or resolve. Now is the time to dramatically expand our options and to make sure our adversaries know we have the will to use them.

Or we can sit and wait for Putin to turn out the lights.

Stewart Baker is a Partner at Steptoe & Johnson LLP. He previously served as the first-ever Assistant Secretary of Homeland Security for Policy and as General Counsel at the National Security Agency.
