The US needs to fundamentally rethink its strategies for stopping cyber attacks and should develop a tailored approach to deterring each of its key adversaries, according to a new government report.
The report published by the US State Department — like a recent paper on botnets — comes in response to an executive order signed by President Donald Trump last year, which called for a report “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
The report said that while the US has become dependent upon sophisticated networked information systems, its rivals have been learning to exploit that dependence to “steal from Americans, disrupt their lives, and create insecurity domestically and instability internationally.”
The cyber threat posed by rival states — and by Russia, China, Iran and North Korea in particular — is often alluded to by intelligence agencies, but the US and its allies have struggled to find a way to deter these cyber intrusions.
The unclassified cyber-deterrence overview published by the State Department doesn’t mention particular countries, but said that strategies for deterring malicious cyber activities “require a fundamental rethinking”. The report said that the US has made efforts to promote a framework for “responsible state behaviour in cyberspace”, but noted that this has not stopped state-sponsored cyber incidents.
“The United States and its likeminded partners must be able to deter destabilizing state conduct in cyberspace,” the State Department warned.
Of course, the US has plenty of military muscle should it come to full-on cyberwarfare, but it’s much harder to tackle cyber attacks that don’t necessarily deserve an armed response — which make up the majority of attacks.
The report said the US should develop a broader menu of consequences that it can impose following a significant cyber incident. The US should also take steps to make it easier to prove who is behind cyber attacks, it said.
Another big problem is the poor state of cyber security. “Efforts to deter state and non-state actors alike are also hindered by the fact that, despite significant public and private investments in cybersecurity, finding and exploiting cyber vulnerabilities remains relatively easy,” the report said.
“Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the report added.
According to the State Department, the three key elements of cyber deterrence should include:
- Creating a policy for when the United States will impose consequences: The policy should provide criteria for the types of malicious cyber activities that the US government will seek to deter. The outlines of this policy must be communicated publicly and privately in order for it to have a deterrent effect.
- Developing a range of consequences: There should be “swift, costly, and transparent consequences” that the US can impose in response to attacks below the threshold of the use of force.
- Building partnerships: Other states should work in partnership with the US through intelligence sharing or supporting claims of attribution.