Current tactics to discourage rogue nation-states from engaging in malicious cyber behavior are failing, and could necessitate more drastic actions, according to experts speaking at an RSA 2018 panel session on Tuesday.
Options floated during the session, which addressed the evolution of nation-state cyber norms, included appealing to the United Nations' Security Council to impose international regulations, or even launching an offensive cyber campaign similar to the one U.S. Cyber Command launched against ISIS.
Indeed, as countries like Russia, Iran and North Korea continue to test the limits of what cyber activities they can get away with, U.S. efforts to stop them – including “naming and shaming” foreign agents by way of federal indictment – sometimes don't generate the desired result.
“I think that the ineffectiveness thus far of most of the deterrent techniques that we've deployed simply emboldens people,” said panelist Paul Rosenzweig, founder of the homeland security and privacy consulting film Red Branch Consulting PLLC.
The threat of sanctions did appear to work in the case of China, which in 2015 formally agreed to stop engaging in corporate cyber espionage against private American companies. But the panelists noted that sanctions have not been nearly as effective against other rogue nations.
“Russia, North Korea and Iran have very little to lose when it comes to sanctions,” said panelist Tom Corcoran, head of cybersecurity at Farmers Insurance. “They're already under very heavy sanctions, so the one actor that was vulnerable to pressure was China.”
Consequently, the U.S. and other nations could be forced to reassess their strategy.
“If you were to poll the military and intelligence communities in the United States at the three-star level and below, you would have general agreement that the only way we'll be able to change opponent behavior is by taking direct action against them,” said panelist James Lewis, SVP and program director at the Center for Strategic and International Studies.
As a potential model for what such direct action might look like, Lewis referenced the offensive cyber operation that U.S. Cyber Command initiated in 2016 through its specially formed Joint Task Force Ares unit to disrupt the terrorist group's digital infrastructure, communications and finances.
Rosenzweig agreed that U.S. countermeasures will likely not stop Russia from engaging in malicious cyber behavior “until it hurts Mr. Putin.” But a less aggressive action would be to ask the UN Security Council to weigh in and help establish accepted thresholds of international cyber behavior, even if countries like Russia are unlikely to cooperate.
“I suppose ramping it up to the Security Council and getting a Chinese and a Russian veto, or maybe isolating the Russians and getting just a Russian veto, would be another step,” said Rosenzweig. However, the panelists were not optimistic about the U.N. community taking up the cause, especially since no one has demonstrably perished from a cyberattack yet.
And so for now, nations will continue to push cyber boundaries, while others ponder new ways to push back.
“What we're seeing is the states experimenting in this new domain, just as countries experimented with air power in the beginning of the last century,” said Corcoran. "At the same time, the targets of those activities are experimenting with what's an appropriate response, what's an effective response.”