It’s no secret that U.S. government agencies and businesses are the target of around-the-clock cyber intrusions, many carried out by or at the behest of foreign nation-states.
But how exactly should the feds respond to those incursions?
Ask a random sample of Americans and you’ll likely get a very different answer than if you polled the State Department.
In a recent flash survey of more than 1,000 U.S. adults commissioned by the security vendor Vormetric, a quarter of the respondents said that the United States should cut off all ties to any nation responsible for compromising U.S. government data.
In practice, of course, it is much more complicated than that. In the recent breach of the Office of Personnel Management, information about more than 21 million current, former and potential government employees was exposed in an attack widely believed to have been carried out by hackers working on behalf of the Chinese government.
But no direct public accusation against the Chinese has come from President Obama or any other top administration official, and the suggestion of cutting off ties with China is about as likely as the sun rising in the west.
“He (Obama) needs to do business with them, so it is quite fascinating,” says Alan Kessler, Vormetric’s president and CEO. “They’re trade partners and we have to do a careful dance with them.”
Cyber diplomacy might be good in theory…
More respondents in Vormetric’s survey favored high-level diplomacy than any other single response to a breach of government systems, and, indeed, U.S. officials have said that cyber issues are on the table in virtually every discussion they have with foreign counterparts.
But to what end? It may be hard to argue against engaging in cyber diplomacy with U.S. adversaries, but Kessler is skeptical that any verifiable and enforceable agreement to limit nation-state hacking and surveillance could materialize.
“The reality of the situation is that state-sponsored attacks are of course always going to be denied by the likely attacking state,” he says.
“We all know that talk is cheap, and no one’s ever going to acknowledge cyber activity against another nation-state,” he adds. “What are you really going to say? Because there’s going to be a lot of deniability and denying, unless you have the proverbial smoking gun. The fact that anything’s going to come from that in a negotiated way is difficult to contemplate.”
The respondents in Vormetric’s survey generally showed an appetite for diplomacy over other, more hawkish responses to a cyberattack on government targets. Forty-five percent said that they believe the president should engage in high-level talks with officials from the nation that launched the attack. Asked to name all of the options on a provided list that they see as an appropriate response, respondents expressed support for issuing trade sanctions on the attacking nation (36 percent), and imposing diplomatic sanctions on the country’s diplomats based in the United States (31 percent).
Ten percent said that the United States should launch a counterattack, while 8 percent said that there should be no response.
Do we need a cyber version of the Cold War playbook?
Kessler, who is dubious about the fruits of diplomacy, takes a page from the Cold War playbook in calling for a cyber version of the doctrine of mutually assured destruction. In practice, that would mean amassing a set of offensive cyber capabilities that adversaries in foreign nations would recognize could be so destructive that they would think twice before launching attacks against U.S. targets.
“In reality the way to fight an attack from a nation-state is to have a more powerful capability and the ability to use it and be quiet about it, sort of carry the big stick but be quiet about it,” he says. “You can avoid having a war if you have an incredibly powerful military and your adversary recognizes it.”
While Vormetric’s survey indicates that opinions run strong — even to the extreme — on the issue of nation-states hacking the U.S. government, there remains a considerable amount of confusion or even ambivalence on the issue. It’s one thing to solicit responses to a specific question based on a specific hypothetical, but don’t expect any of the presidential hopefuls to make cybersecurity the cornerstone of their stump speech in the upcoming campaign.
“I think in general the public at large lacks a great deal of understanding because the hits just keep on coming in terms of the headlines,” Kessler says. “They view this in terms of how many free credits reports have they been signed up for in the last year.”
What, then, would it for cyberattacks from hostile foreign nations to become what pollsters sometimes refer to as a kitchen-table issue that really moves voters?
“I think it gets kitchen table when lives are really put at risk or lives are lost or critical infrastructure are destroyed,” Kessler says. “Right now it’s not. Right now it’s an annoyance and it’s a cost of doing business and it’s maybe a lurking concern in the background, but it really hasn’t been brought to the foreground.”