On the vexing problem of how to deter other countries from cyber attacks against the U.S., the Justice Department’s top national security official says the most successful tools the federal government has employed so far have been legal ones rather than tit-for-tat counterattacks via cyberspace, and that we should expect to see more of the former.
In particular, the types of cyber intrusions China’s military had previously launched against American companies purely for the sake of economic gain have markedly decreased in the aftermath of a September 2015 agreement between President Barack Obama and President Xi Jinping, said John Carlin, the assistant attorney general for national security.
Carlin said federal policymakers credit a ratcheting up of prosecutions and sanctions for that accord, particularly an April 2015 executive order that authorized the federal government to impose sanctions against not only the perpetrators of cyber attacks, but also anyone who benefited from trade secrets stolen from American firms.
“That changed China,” Carlin told the annual Aspen Security Forum in Colorado. He also cited the government’s involvement in the North Korean hacking case involving Sony Pictures as a pivot point in the government’s handling of nation-sponsored cyber attacks.
“This new approach of investigation and attribution showed we can find out who’s doing these things, and that’s because Sony did the right thing and reported it to government,” he said. “Two, we said it: That’s new. Take it out of the intelligence channels and be public about it, because that’s the only way to change the behavior of the people who are launching these attacks, but also the other countries who are watching them get away with it.”
The government’s more out-in-the-open approach to the intelligence it’s gathered about cyber attacks is sometimes referred to as “name-and-shame,” but Carlin said DoJ views the benefits of using legal tools to counter those attacks as going well beyond mere embarrassment.
In May 2014, Justice obtained criminal indictments against five members of China’s People’s Liberation Army for allegedly hacking into systems operated by U.S. nuclear, solar and metal firms. While the prosecutions were derided in some circles as meaningless since there is almost no chance of the PLA officers in the notorious Unit 61398 ever being hauled before a U.S. judge, Carlin said the charges were an important turning point in defining what cyber activity is acceptable under international law.
“The idea is that if you let someone walk across your lawn for long enough, they get the right to walk across your lawn. It’s called an easement, and that’s how international law works,” he said. “We had a situation where attacking private companies was the day job for uniformed members of the second largest military in the world, and that case was a giant no-trespass sign: ‘Get off our lawn.’”
As of yet, however, the more-open attitude toward intelligence about cyber actors has not extended to the case of the emails that were stolen from the Democratic National Committee and then posted to WikiLeaks a week ago. None of the government officials who spoke at Aspen last week were willing to publicly ascribe the hack to Russia.
James Clapper, the director of national intelligence, said that was partially because the intelligence community was still working to strengthen its assessments of what happened and partially because the government had not yet decided whether it should, as a policy matter, identify the hackers in an open setting.
“Frankly, I’m a bit taken aback a bit by the hyperventilation over this,” Clapper said. “We shouldn’t be shocked that someone did some hacking. It’s not like that’s never happened before. I do think it’s illustrative of the need for us as a nation to be more resilient about these kinds of things. We’re in a different era now … we’ve been in somewhat of a reactionary mode, and there’s been an increasing awareness on a personal level and an institutional level that this is a profound challenge for the country. The key thing is the motivation. If it was a nation state, was this done just to stir up trouble, or was it ultimately intended to influence an election? That’s a serious proposition.”
Clapper emphasized that the intelligence community didn’t know enough to say whether the latter was the case. DoJ’s Carlin also steered clear of any comments that would attribute the DNC hack to Russia, but also said Russia, as a general matter, should not believe it’s exempt from the sanctions-and-indictments approach the U.S. has used against officials and individuals in China, North Korea and Iran.
“You haven’t seen, yet, a public action against Russia, but it would be a mistake for them to assume that we’re not going to apply this deterrence model when it comes to their actions if they continue to intrude,” Carlin said. “This approach is new, but we need to keep following it. When we figure out who did something, we need to be public about it and cause consequences.”
Via a new presidential policy directive the White House issued last Tuesday, the Obama administration codified some of the approaches it’s begun to take toward cyber deterrence over the past four years, including by spelling out each agency’s role in responding to a major incident.
Later in the week, agencies began sending companies a two-page information sheet detailing which federal entity they should contact if they wished to follow Sony’s approach and divulge to the government some details of any recent hacking experiences.
“The vast majority of companies today do not report criminal intrusions into their systems,” Carlin said, even after the passage of last year’s Cybersecurity Information Sharing Act, which granted firms certain legal immunities when they elect to do so.
“Imagine today that you’re a company that sees a low-level hacker going through your systems and threatening to extort you by releasing personally-identifiable information, and you kick them off your systems without thinking much about it. In the vast majority of cases, companies don’t report that,” he said. “In one case, we had a company that did report it to us, and the person on the other side of the keyboard turned out to be an extremist who provided that personally-identifiable information to Junaid Hussain, who was one of the most notorious cyber terrorists in the world and who was using that information to create kill lists for his followers. I think any company, if they knew that it was a terrorist on the other side of the keyboard, they would report it. The problem is, you don’t.”