Jonathan “J.J.” Thompson, founder and CEO, Rook Security
Sanctions are an effective counter to foreign cyber attack when they are designed around the primary goal, effects, and management of critical success factors. The goal must be to deter future state-sponsored or enabled cyber attacks. The key effect will be unique to each foreign government, but should hit the soft spots in socioeconomic, political, and/or psychological areas pertaining to cyber crime and warfare. The management of pressure has to be enough to overcome the biggest challenge of ensuring success when attacks can be executed from a keyboard, with little more than a few lines of code, advanced planning, and solid reconnaissance. Every day, we see attacks originating from within China from both known IP address ranges as well as from burner addresses utilized by foreigners trespassing on Chinese assets. Either way, digital missiles are being launched and our homes, phones, and offices are being raided daily by attackers originating from within Chinese IP space. There must be strong deterrents for future attacks, and it must happen immediately.
Lisa Donnan, vice president of federal, BeyondTrust
Historically, economic sanctions imposed by a single country alone have never proven to be an effective instrument in exercising soft power diplomacy. This is especially true when the objective is to influence a nation state's internal or external actions. Moreover, economic sanctions, even when imposed by a majority of economic world powers, are not very effective as evidenced by the nuclear crisis with Iran.
Attribution further complicates the matter. The traditional reaction of any alleged hostile actor is to admit nothing, deny everything, and demand absolute proof. Are we willing to risk exposing sources and methods? APTs can be, and often are, routed through spoofed accounts and compromised servers. Can we be confident that we have correctly identified the real threat actor?
A better response would be to implement a proactive protective strategy that makes it more difficult, more expensive, and less likely for the threat actor to succeed. We do this in the physical world. Why not also for cyber, just as the US Military does in the other four domains: air, land, sea, and space?