This could easily be the year the White House approves a Department of Defense counterattack to disrupt an ongoing cyberattack on a US company.
It has been US policy since 2003 that “the US response need not be limited to criminal prosecution [and] reserves the right to respond in an appropriate manner.”
Statements by the White House and military leaders have only become stronger since. For example, when he was head of US Cyber Command, Gen. Keith Alexander testified to Congress in 2012 that “any actor threatening a crippling cyberattack against the United States would be taking a grave risk.”
Still, despite the bluster and stated range of policy options, such retaliation hasn't happened – yet.
After the incredibly dangerous and sophisticated US Stuxnet attack on the Iranian nuclear enrichment program, few nations can doubt the US capabilities to conduct such a counteroffensive. But the last few years of attacks without a military response may give them reason to doubt the US willingness to do so.
The idea of US reticence on counterattacks will strike some observers (say, in Germany or Silicon Valley) as not fitting the facts. But in reality, the eagerness to use cyberspace for spying and covert action is not matched by hawkishness to counter such actions against the US.
Given the North Korean dismantling of Sony Pictures (and have no doubt, Kim Jong-un's online brigades were responsible), the White House is probably sorry it didn’t take a stronger stand against the Iranian attacks on US banks in 2011 and 2012.
These attacks – which only affected individual banks – were not devastating to the financial sector as a whole, so they were allowed to continue with little official response. Despite repeated requests from the banks under attack, the US government provided no digital bailout (the words “moral hazard” were sometimes used), and it was left up to banks to defend themselves.
In the aftermath of the incidents, the US government never called out Iran specifically and the White House didn’t authorize US Cyber Command to disrupt the computers coordinating and carrying out the attack. The government was possibly self-deterred because of ongoing negotiations with Iran or a perceived lack of legitimacy after Stuxnet was revealed.
Perhaps, if the US had taken a more muscular stand, North Korea might have had second thoughts, though that might be asking too much of that particular regime. At least the military would have had some practice in how to respond to nation state disruptive attacks.
It is no surprise, on the other hand, that there was no outgoing cyberfire to suppress the Sony assault. The worst damage was done as soon as the attack became apparent, with all the information already stolen, while the most likely targets to retaliate against were located in China. There’s no way the US would take that shot for such limited gains.
We might not have to wait so long for the next state-sponsored disruptive attack, and it may be far more dangerous. Russian President Vladimir Putin perceives a deep conflict with the West and if his economic back is against the wall, he may unleash a just-deniable-enough attack, covering the West in flagless “little green bytes” so that we feel concomitant economic pain.
Iran might also feel it has little to lose and much to gain if the nuclear talks fail. Should talks break down and Congress take action, the ratcheting of sanctions (and the possibility of military strikes) could entice them to lash out in cyberspace.
Either Russia or Iran would present a far more dangerous adversary than North Korea was against Sony. That was a one-off attack on noncritical infrastructure, while Russia and Iran would almost certainly bring a full campaign of attacks, a string of Sonys, but directed against more economically important targets.
Post-Sony, it is likely the White House will feel compelled to support US companies by authorizing the Pentagon to at least disrupt the incoming attack. In fact, US Cyber Command is already organizing teams for exactly that mission and you can bet they will be chomping at the bit.
Prior to that day, the National Security Council will need a decision matrix on when to authorize a counterattack to disrupt a foreign nation’s disruptive attacks against US entities.
Such a matrix must incorporate at least the following criteria:
- Criticality of the target to the US economy, security and society;
- Possible impact of a successful attack (for example, attacks on a bank’s trading system are in a far different class than attacks on its websites);
- Likely identity of the attacking nation;
- Geopolitical context, especially if a counterattack will cause further escalation;
- Likelihood a counterattack will cause collateral harm either in the adversary nation or among bystanders; and of course,
- Likelihood that a counterattack would succeed.
Nations are increasingly choosing to actively fight in the grey space between all-out war and true peace. The scope, duration, and intensity of cyberconflicts have consistently increased for over two decades.
US counterattacks might be just the thing to raise the costs for adversaries who feel they can attack US companies with impunity. Of course, it might also spur on others to counterattack against our own cyberoperations and continue the spiral of escalation.
Planning for the next, more dangerous Sony is the first step towards ending up on the best side of that equation.
Jason Healey is the director of the Cyber Statecraft Initiative of the Atlantic Council and editor of the first history of cyber conflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012." You can follow his thoughts and analysis on cyberissues on Twitter @Jason_Healey.