A trio of high-level Congressional staffers gathered at the 2017 RSA Conference this week in a joint session that sought to explore possible responses to Russia's interference in the 2016 U.S. presidential election, as well as future deterrents that might prevent future foreign cyberattacks.
"If someone does something to you, and you don't respond appropriately, are you allowing yourself to have them do it to you as well?" asked Brendan Shields, staff director with House of Representatives Committee on Homeland Security. "I think there is a growing desire to see that deterrence is real," he later added.
One of the concerns under the Donald Trump administration is that the White House could roll back some of the sanctions against Russia imposed by former President Barack Obama late in his second term, after intelligence reports accused the Kremlin of hacking the Democratic National Committee and Hillary Clinton campaign chairman John Podesta.
"I think the initial step is ensuring that those sanctions are held in place until the point that it is appropriate for them not to be," said Daniel Lerner, professional staff member with the U.S. Senate Committee on Armed Services, which is led by Senator John McCain. Lerner noted that McCain and several colleagues released a bill that would codify Obama's sanctions and ensure they stay in place until the president can certify that Russia is no longer undermining Ukraine or executing malicious cyberattacks.
Even if these sanctions hold, Lerner contends that "the status quo is insufficient" and requires a larger response, perhaps even a reorganization of the responsibilities of federal agencies. "Russia provides us that opportunity for us to look introspectively to understand what the future has to hold for this new domain of warfare," continued Lerner, adding that the U.S. needs to define what constitutes an act of cyberwarfare. He also echoed McCain's stance that the country must establish clear policies for responding to nation-state cyberattacks instead of addressing them on a case-by-case basis.
Michael Bahar, minority staff director and general counsel for the House Permanent Select Committee on Intelligence, believes that U.S. counter-response to nation-state cyberattacks will come in a number of forms, from overt naming and shaming to covert actions. "Some of the things we can do for deterrence are going to be shouted from the mountaintops and we're going to tell you about it," said Bahar. "Other things that would fall under our committee are going to be more subtle, but they will have an impact, and folks will know, if you do that, you're not going to know when or what, but one day your lights are going to flicker. And that, too, should be a deterrent."
Still, retaliation must be thoughtfully considered and carefully tailored, so as not to simply escalate conflict and provoke even more damaging attacks. "How do we avoid the unfortunate... fact that we're much more dependent on cyber than most other countries?" asked Bahar. "North Korea... what are we really going really to do to them in cyber that they can't hurt with us a lot more, doing to us, because we're much more dependent on it?
Bahar said that different actors will require specific responses designed to hit them where it hurts, without provoking further malicious cyber activity. For example, he said, after North Korea reportedly breached Sony for producing the film The Interview, the U.S. could have air-dropped DVDs of the movie over the dictatorial regime.
Of course, it is impossible to formulate a response unless the true culprit can be pinpointed. "We are aware of the complexity. When a nuclear weapon comes to you, you know where it came from. When a cyberattacks comes to you, you don't really know where it came from," said Bahar.
Eventually, the U.S. may pinpoint the culprit. "Then the question is: Can I say how I know? Or am I revealing sources and methods...?" Bahar added, asserting that "we have to be willing to do that."
Bahar also said that the U.S. must continue engaging with foreign countries, developing bilateral or multilateral agreements and common operating principles designed to curb cyberattacks from both sides, much like the U.S. did with China in 2015 to curb the cybertheft of intellectual property.
"You must find a way to incur costs on your adversaries, be they state or not-state actors," said Bahar. "At the same time, you also have to improve your defenses, 'cause that is far more within your control."