By Claude Barfield
As readers of this blog know, I am a follower of the Jack Goldsmith school of thought regarding the strong yet perilous US position when it comes to cyber conflict over espionage, intellectual property theft, and potential attacks on vital US infrastructure. Through the Barack Obama, Donald Trump, and now Joe Biden administrations, the same cautionary refrains have been advanced here and by Goldsmith when it comes to fashioning responses to cyber incursions and attacks.
Goldsmith, other scholars, and I have made several points. One is that the US “has no principled basis to complain about the Russia[n] hack[ing] . . . since the U.S. government hacks foreign government networks on a huge scale every day.” Second, more practically, the reality is that while the US still retains the most sophisticated, in-depth technical offensive cyber capabilities in the world, it is highly vulnerable to counterattacks on vital — and still quite vulnerable — networks and infrastructure. Even with stepped-up actions by the Trump and Biden administrations, the US economy and society are now deeply dependent on exposed internet operations.
But pressures for a response of some kind have recently increased greatly, driven by the recent brazen Russian and Chinese state-sponsored attacks on US government agencies and private-sector networks. The combined Russian SolarWinds and Chinese Microsoft attacks may have triggered a turning point in US policy — though this is particularly more likely in the wake of repeated vows by President Biden to retaliate against cyber assailants targeting the US. (Read: “I will take action.”)
Thus, a series of strikes, counterstrikes, and inevitable escalations may well be in the cards. While vulnerable to valid pie-in-the-sky claims, some cybersecurity experts — including Goldsmith some years ago — have urged the US to lead an effort to fashion, even with known adversaries such as Russia and China, a set of cyber offense norms that major nations would agree to abide by.
Recently, a group of cybersecurity experts has advanced a proposal for the US to “build international support for drawing lines between responsible and irresponsible operations in cyberspace.” While technically difficult, the goal would not be the impractical end to espionage, but to “decompose cyber operations into their component methods and behaviors and assess each on a spectrum of responsibility.” The norms would include, for instance, agreements on attempts to reduce the risk of unintended consequences. Here, the contrast is between the very precise, targeted attack on SolarWinds and the scattershot “recklessness” of the Chinese Microsoft attack, which left scores of opened backdoors vulnerable to marauders.
Such practices would also include testing cyberespionage tools before an attack, avoiding indiscriminate targeting, more cautious selection and handling of malware (i.e., being capable of stopping and killing the “worm” at all times), preventing criminal and third-party access to backdoors, and responsible design, engineering, and bureaucratic oversight of cyber operations.
The experts conclude that although it will take some “hardheadedness” for the leaders of China, Russia, and the US to candidly discuss spy craft and malware, they have a responsibility toward other nations to make offensive cyber operations more predictable. In any case, no technical defense is invulnerable, so as the experts noted: “Better to create codes of honor among spies, and their bosses.” Apologies to the “hardheaded” realists in the audience who find all of this utopian. Admittedly, we are likely to go through a round or more of escalation before serious thought is given to offensive cyber norms.