Stamford Advocate (Sunday)

‘It is time to strike back’ against cyberattacks

- Congressman Jim Himes, a Democrat, represents Connecticut’s Fourth District.

With gasoline once again flowing through the Colonial Pipeline, I too will resume a predictable routine. Every few days, I will pass armed guards and locked doors to be briefed on the week’s cyberattacks. Most will have come from Russia, China, North Korea, Iran or some shadowy criminal group, often sheltered by one of those countries. Many will have succeeded in stealing valuable data or breaking crucial networks. Some will have been catastrophic. Only a few, like the recent attacks on the Colonial Pipeline and the SolarWinds breach, will ever become publicly known.

There is a long list of things we must do to stop these attacks. We should require private companies to tell the public, or at least the government, when they have been attacked. We should make sure that experts at places such as the NSA and the FBI are side-by-side with corporate network operators when attacks are underway. We should have a clear policy on the payment of ransom to ransomware attackers. We could all help by using two-factor authentication and not clicking unknown links.

But at the very top of the list is the need to fundamentally change the game by establishing a sure and swift deterrence.

Had the attack on the Colonial Pipeline involved explosions at pumping stations, law enforcement or military operators would be breaking down doors. Had the SolarWinds attack snuck Russian military operatives instead of malicious code into server farms, we would have called it an act of war, and responded appropriately.

Instead, time and again, we do too little, too late.

Five years ago, President Barack Obama responded to the Russian attack on our presidential election, on the very essence of our democracy, with the expulsion of 35 Russian “diplomats” and the closing of a few secondary Russian facilities. And he told Putin to “cut it out.” Putin barely felt the slap on the wrist.

Fewer than four years later, the SVR, a Russian intelligence agency involved in the 2016 election hacks, used a supply chain attack on Microsoft and SolarWinds to penetrate thousands of networks including those of the federal government. In response, the United States — you guessed it — expelled some Russian diplomats. Fool me once ...

For the bad guys, the cost of doing business is very low indeed.

It is time to strike back, using our unparalleled offensive cyber capabilities with the ferocity and precision (and yes, proportionality) that these and many other cyberattacks would have provoked had they been undertaken kinetically.

DarkSide, the shadowy ransomware gang behind the Colonial Pipeline attack, gave the game away with their bizarre appeal for public sympathy: “Our goal is to make money, and not creating (sic) problems for society.” For DarkSide, it’s all about maximizing revenue and minimizing cost. Nation states do a similar, if more expansive, calculation of costs and benefits.

So let’s raise those costs. Let’s hurl the full weight of the American legal, diplomatic and cyber capabilities against DarkSide and the organizations or countries that assisted. There is no reason why our immense power, if applied, can’t result in jailed hackers, businesses sanctioned into bankruptcy, emptied bank accounts and melted equipment.

The same goes for Putin, who draws no formal distinction between the Kremlin and the private groups who supply it with propaganda, mercenaries, and hacking services. I have now told the senior-most officials of three presidential administrations that Putin respects only the Machiavellian language of force and retribution. For him, all else is tactical. So let’s demonstrate the cyber capabilities we have spent billions of dollars developing. Let’s make sure that he and the oligarchs who support him feel the fear and anxiety felt by millions of Americans contemplating crashed email systems or rising gasoline prices.

The objection to my arguments has been consistent: that as a highly networked nation, we are particularly vulnerable to a cyber tit-for-tat. In a cyber exchange, the Russians, Chinese or Iranians may choose to attack our critical infrastructure. Like, say, an essential fuel pipeline. Yes, there is risk. But that risk must be weighed against the fully unacceptable status quo.

Hitting back isn’t the only answer. It’s part of the answer. In this new world, a credible deterrent must be combined with clearly articulated international rules, norms and an understanding of our national doctrines: all the things that helped keep the Cold War with the Soviets from becoming hot. We must rededicate ourselves to leading a global push for the establishment of what I think of as an E-neva Convention.

Though challenging, it is possible to identify things such as the networks controlling health care, aviation, power and other critical infrastructure that should be completely off-limits during peacetime. China and the United States are equally vulnerable to rogue private hacking operations; we should work together to stamp them out. International agreements are imperfect and occasionally flouted. But the world is far more risky without them.

Above all else, however, it’s time to change the game and impose the meaningful costs that will finally deter our adversaries. Until we do, I know exactly what I will learn the next time I walk through those locked doors for a cyberattack briefing.
