Exposed by Snowden in his 2013 document dump, Presidential Directive 20 limited the U.S. in attacking or counterattacking with cyber weapons. Now it has been rescinded. Does that mean the gloves are off?
We’ve been under attack for a long time. You see signs of it in the headlines – email hacks, records stolen, malware and social media weaponized. Increasingly, the government brings very specific but token indictments against Russians, Chinese and North Koreans.
Critics have lamented for years that we have got to do more than just name and shame the assailants. It turns out that an Obama-era directive hamstrung our responses and required presidential permission to launch any cyber action that might have “significant consequences”.
It looks like that is all changing. National Security Advisor John Bolton confirmed that Presidential Directive 20 has been dumped and a new, more aggressive Cyber Strategy is now in its place. In a call with reporters, Bolton cited a number of high-profile cyber attacks, such as the 2017 WannaCry and NotPetya malware outbreaks, as well as the recent attack on my city of Atlanta, as examples of how the U.S. and other governments are under siege from both nation-states and criminal hackers.
It’s clear that the U.S. cyber capability is very robust. The phenomenal detail in the DNC hacking indictment of twelve Russian GRU officers indicates we know who is doing what, down to their very keystrokes. Now, Bolton is clearly signaling that “any nation that is taking cyber activity against the United States … should expect … that we will respond offensively as well as defensively”.
On a gut level the concept of hitting back at these state and non-state bad actors feels pretty good. At last we are doing something instead of just sitting there like a cyber punching bag and taking it. But what are the implications of going on the offense?
First, a focus on offense increases international tensions and states’ readiness to launch a counter-offensive after a cyber attack, and it often heightens cyber vulnerabilities. Would this lead to a vicious spiral of increasingly deadly capabilities, as happened with nuclear weapons, until we reach the policy madness of Mutually Assured Destruction?
Unfortunately, no. Cyber weapons require nowhere near the money and physical infrastructure that traditional physical weapons need to maintain and deploy. Almost any actor can acquire them. This means an offensive counter attack may hurt the original attacker, but it won’t necessarily inhibit them from further attacks.
The second point to consider: the U.S. is much more vulnerable to cyber attack than many other players. Much of our infrastructure (electric, gas, water, etc.) is mostly unprotected from cyber attack. Surprisingly (or luckily), Russia and China are also pretty vulnerable to cyber attacks, as shown by the WannaCry virus last year. So we do have a bit of a Mexican standoff with these major powers, but can we take any comfort from this? Once again, no. There are lots of smaller states, e.g. North Korea, and non-state actors (criminals and terrorists) that have their hands on these cyber weapons.
So, what are we left to do? It’s time to recognize the new normal. Cyber security challenges are here to stay, and we need to up our security hygiene. We need to deploy new tools and disciplines to protect our infrastructure. And we need some new laws and penalties for organizations that don’t do it. Look at Equifax. A year after losing the coveted details of 140 million Americans, nothing has happened to the company. (Unless you want to count that you can now freeze your credit record for free.)
You are responsible, too. The weakest links in all our systems are the people. Do you know to be careful opening emails that look legitimate but might be a phishing attack? How about avoiding certain websites? Or, are you sure you want to download that “free” software? Do your peers know the same disciplines?
Yep, get ready for the new normal.