The Trump administration’s approach to deterring bad behavior in cyberspace will probably center around more traditional means rather than using offensive cyber capabilities, a senior White House official said on Wednesday.
In early August, a joint interagency report was due to the White House on “strategic options” for cyber security deterrence and to better protect the U.S. from cyber threats. The report, which hasn’t been released, was directed by President Donald Trump’s May 11 executive order on cyber security.
The agency information is incoming “and I think what we’ll do on the deterrence side is end up figuring out a means and a method to apply elements of national power outside of cyber to punish bad behavior,” Tom Bossert, assistant to the president for Homeland Security and Counterterrorism, said at the Intelligence & National Security Summit co-hosted by AFCEA and INSA.
Bossert also said that responses to adversarial cyber behavior will be “commensurate with the offense,” and still leave a way out so that it’s “not going to create a long-term escalatory posture. And so, if we have a bad actor that does something increasingly unacceptable, I think what we’ll have to do is punish them in a way that is real world and not cyber world.”
The Obama administration was criticized for not developing a cyber deterrence strategy although administration and government officials always maintained that they had a range of potential tools to potentially respond with to any cyber provocation, from kinetic to non-kinetic options. President Barack Obama did establish cyber norms of behavior with his Chinese counterpart, President Xi Jinping, that put the theft of intellectual property off limits.
China continues to abide by those norms and the U.S. will call them out if they don’t, Bossert said.
The problem with using offensive cyber means as a deterrent to cyber misbehavior is that they will open the door for more of the same behavior, Bossert said.
“In fact, it’s going to encourage them to hurry up and become better hackers and develop better defenses,” he said. The punishment needs to change “their behavior while also defending against what will continue to happen regardless of what we do to punish people.”
Bossert, in response to a question, also addressed how the U.S. military cyber forces should respond to cyber attacks on U.S. critical infrastructure. He described the Israeli model, which provides their government with authorities for a “virtual ‘Iron Dome’” that protects everyone in the country. This is something that the U.S. could do with the most critical of critical infrastructures as long as its narrowly tailored to avoid abuses and privacy issues, he said.
The current approach the U.S. has for attacks against people and infrastructures is “trigger-based,” but to keep up with increasing threats is resource intensive, Bossert said. This would require a “10-fold” capacity increase in the FBI’s capacity, which would be a “significant investment” that isn’t “achievable,” he said.
“So, to the trigger question, let’s see if we can reframe the question and think through how much trust we can allow our government to have of its people and how much authority we can then maybe wrap around those things that we consider critical,” Bossert said.
Earlier during his moderated keynote presentation, Bossert said the Department of Homeland Security (DHS), which has responsibility for helping federal civilian departments and agencies protect their networks, has done well in carrying out its cyber mission but that it “deserves” support for obtaining more manpower to add capacity.
Bossert also said that there are authorities that still need to be discussed for DHS but he refrained from providing additional details until the Trump administration is ready to roll out its cyber strategy.
Bossert said there isn’t a need currently for a new cyber organization modeled after the National Counterterrorism Center, which is part of the Office of the Director of National Intelligence and was stood up after 9/11 to better connect the dots and thwart potential terrorist attacks.
“The idea now is we’ve got DHS,” he said. “It is functional, it is working and it requires the love, attention and care of [congressional] appropriators and authorizers to make it better and it requires improvement.”