9 July 2017

U.S. Diplomacy Options for Security & Adaptability in Cyberspace

By Matthew Reitman

National Security Situation: U.S. competitors conducting national security activities in cyberspace below the threshold of war aka in the “Gray Zone.”

Background: State actors and their non-state proxies operate aggressively in cyberspace, but within a gray zone that violates international norms without justifying a “kinetic” response. Russian influence operations in the 2016 U.S. election were not an act of war, but escalated tensions dramatically[1]. North Korea used the Lazarus Group to circumvent sanctions by stealing $81 million from Bangladesh’s central bank[2]. Since a U.S.-People’s Republic of China (PRC) agreement in 2015 to curb corporate espionage, there have been 13 intrusions by groups based in the PRC against the U.S. private sector[3]. The State Department has helped to curb Islamic State of Iraq and Syria propaganda online via the Global Engagement Center[4]. The recent creation of another interagency entity, the Russia Information Group, suggests similar efforts could be effective elsewhere[5].

The State Department continues to work towards establishing behavior norms in cyberspace via multilateral channels, like the United Nations Group of Governmental Experts, and bilateral channels, but this remains a slow and tedious process. Until those norms are codified, gray zone activities in cyberspace will continue. The risk of attacks on Information Technology (IT) or critical infrastructure and less destructive acts will only grow as the rest of the world comes online, increasing the attack surface.

Significance: The ever-growing digitally connected ecosystem presents a chimera-like set of risks and rewards for U.S. policymakers. Protecting the free exchange of information online, let alone keeping the U.S. and its allies safe, is difficult when facing gray zone threats. Responding with conventional tools like economic sanctions can be evaded more easily online, while “hacking back” can escalate tensions in cyberspace and further runs the risk of creating a conflict that spills offline. Despite the challenge, diplomacy can reduce threats and deescalate tensions for the U.S. and its allies by balancing security and adaptability. This article provides policy options for responding to and defending against a range of gray zone threats in cyberspace.

Option #1: Establish effective compellence methods tailored to each adversary. Option #1 seeks to combine and tailor traditional coercive diplomacy methods like indictments, sanctions, and “naming and shaming,” in tandem with aggressive counter-messaging to combat information warfare, which can be anything from debunking fake news to producing misinformation that undermines the adversary’s narrative. A bifocal approach has shown to be more effective form of coercion[6] than one or the other.

Risk: Depending on the severity, the combined and tailored compellence methods could turn public opinion against the U.S. Extreme sanctions that punish civilian populations could be viewed unfavorably. If sanctions are evaded online, escalation could increase as more aggressive responses are considered. “Naming and shaming” could backfire if an attack is falsely attributed. Fake bread crumbs can be left behind in code to obfuscate the true offender and make it look as though another nation is responsible. Depending on the severity of counter-propaganda, its content could damage U.S. credibility, especially if conducted covertly. Additionally, U.S. actions under Option #1 could undermine efforts to establish behavior norms in cyberspace.

Gain: Combined and tailored compellence methods can isolate an adversary financially and politically while eroding domestic support. “Naming and shaming” sends a clear message to the adversary and the world that their actions will not be tolerated, justifying any retaliation. Sanctions can weaken an economy and cut off outside funding for political support. Leaking unfavorable information and counter-propaganda undermines an adversary’s credibility and also erodes domestic support. Option #1’s severity can range depending on the scenario, from amplifying the spread of accurate news and leaked documents with social botnets to deliberately spreading misinformation. By escalating these options, the risks increase.

Option #2: Support U.S. Allies’ cybersecurity due diligence and capacity building. Option #2 pursues confidence-building measures in cyberspace as a means of deterrence offline, so nations with U.S. collective defense agreements have priority. This involves fortifying allies’ IT networks and industrial control systems for critical infrastructure by taking measures to reduce vulnerabilities and improve cybersecurity incident response teams (CSIRTs). This option is paired with foreign aid for programs that teach media literacy, “cyber hygiene,” and computer science to civilians.

Risk: Improving allies’ defensive posture can be viewed by some nations as threatening and could escalate tensions. Helping allies fortify their defensive capabilities could lead to some sense of assumed responsibility if those measures failed, potentially fracturing the relationship or causing the U.S. to come to their defense. Artificial Intelligence (AI)-enhanced defense systems aren’t a silver bullet and can contribute to a false sense of security. Any effort to defend against information warfare runs the potential of going too far by infringing freedom of speech. Aside from diminishing public trust in the U.S., Option #2 could undermine efforts to establish behavior norms in cyberspace.

Gain: Collectively, this strategy can strengthen U.S. Allies by contributing to their independence while bolstering their defense against a range of attacks. Option #2 can reduce risks to U.S. networks by decreasing threats to foreign networks. Penetration testing and threat sharing can highlight vulnerabilities in IT networks and critical infrastructure, while educating CSIRTs. Advances in AI-enhanced cybersecurity systems can decrease response time and reduce network intrusions. Funding computer science education trains the next generation of CSIRTs. Cyber hygiene, or best cybersecurity practices, can make civilians less susceptible to cyber intrusions, while media literacy can counter the effects of information warfare.

Other Comments: The U.S. Cyber Command and intelligence agencies, such as the National Security Agency and Central Intelligence Agency, are largely responsible for U.S. government operations in cyberspace. The U.S. State Department’s range of options may be limited, but partnering with the military and intelligence communities, as well as the private sector is crucial.

No comments: