The AP is reporting on a new round of cyber attacks that targeted computer networks at the Treasury Department, Federal Trade Commission and Secret Service. Other targets are reported to have included the White House, Pentagon, and New York Stock Exchange. W. David Gardner of InformationWeek reports that the attack was even more expansive, including more than 25 targets:
Law enforcement officials in the U.S. and South Korea were stepping up their efforts Wednesday to halt a rash of denial of service cyber attacks against more than 25 government agencies and companies. While the source of the attacks wasn’t pinpointed as of Wednesday morning, officials said they suspected the attacks originated in North Korea or from groups sympathetic to North Korea.
This problem is not going away. I wrote an op-ed in The Washington Times in May which communicated the need to articulate a clear cyber deterrence policy. Our adversaries, I argued, are launching attacks in cyberspace in what amounts to a consequence-free environment. We need to find ways to impose costs on our adversaries. They cannot continue to launch attacks in cyber space without fear of retaliation. Here’s what I wrote on May 7, 2009, just after the Joint Strike Fighter (JSF) program was hacked and design information was stolen:
Policymakers in Washington should examine how the threat of military force can be used to prevent attacks in cyberspace. Regrettably, deterrence has been an underutilized element of Washington’s efforts to build a strong cybersecurity policy.
Without a cyberdeterrence policy in place, the United States can expect more and larger cyberattacks on its interests. It was reported in the Wall Street Journal on April 21 that a cyberintrusion breached the Pentagon’s $300 billion Joint Strike Fighter (JSF) program. The attackers copied critical design information which could make it easier for an adversary to defend against the aircraft in a conflict.
The Obama administration recently concluded a 60-day review of U.S. cybersecurity; details of the review have not been released, though it is believed the review focused largely on the coordination of U.S. cyberinitiatives throughout the federal government.
An effective cybersecurity strategy must include a clearly articulated cyberdeterrence policy. When responding to a cyberattack, Washington should move beyond cybercounterattacks to include full kinetic attack options.
In other words, cruise missiles or precision guided munitions should be used to retaliate against facilities where cyberattacks are launched with the complicity of an enemy state. All options should be on the table when it comes to responding to attacks in cyberspace.
A declaratory cyberdeterrence policy will not eliminate the threat of cyberattacks, but it will limit the number of attacks – particularly from state actors such as China. Lone-wolf hackers are much more difficult to deter, but deterring state-sponsored cyberattacks will make an incredibly complex problem more manageable as resources can be diverted to focusing on lone-wolf hackers. The deterrent piece of U.S. cybersecurity strategy should focus on state actors. States who sponsor cyberattacks – or allow nonstate actors to launch attacks from within their borders – should be held responsible for such attacks.
I recognize the fact that the attribution piece makes deterring cyber attacks challenging. It is easy for the bad guys to conceal their identity in cyber space or even make it look like another country executed an attack. However, attribution is not an insurmountable challenge and in many cases we are able to attribute the attacks. Developing a comprehensive response plan is what policymakers need to work on–and fast. As I said, this problem is not going away. The “Pearl Harbor in cyber space” that I wrote about in May is preventable, but the U.S. needs to act quickly. These cyber attacks are becoming more frequent and more damaging. The U.S. cannot afford to be surprised by a catastrophic cyber campaign against military, government, and private sector targets. The 2007 adventure film, Live Free or Die Hard, starring Bruce Willis gave us a glimpse into what a catastrophic cyber campaign could do to this nation. This is serious business. The Congress and the Obama administration need to act.
Who wrote this? Why isn’t there a by-line or other attribution?