The increasing rate of global cyber threats such as the WannaCry ransomware and NotPetya malware attacks must push the United States defense policy away from currently insufficient methods of deterrence in the domain to a more active policy in dealing with malicious, often state-sponsored threats, according to Naval Postgraduate School Professor and Retired Navy Capt. Scott Jasper.
In a speech to the Heritage Foundation on June 28, Jasper detailed the current cyber deterrence policies as restraining the full potential the U.S. needs to protect its networks in the cyber domain from the wide-range of actors deploying new methods. He called for the implementation of an active cyber defense strategy.
“If North Korea is behind WannaCry, obviously previous efforts by the United States for deterrence by denial and retaliation have failed,” Jasper said in his remarks. “In the case of the WannaCry campaign, since the ransomware disabled systems in critical infrastructure, such as hospitals and railways, a state might invoke a violation of sovereignty, but countermeasures are only allowed to be used when the breach of obligation is attributable to the responsible state.”
The recent NotPetya malware attack, which infiltrated mostly systems in Ukraine but may have reached over 60 nations, was largely unsuccessful in collecting its ransom once deployed but has also raised questions over how to respond when a state-actor is presumed to be responsible.
NotPetya is suspected to have been launched either by a state actor or by an adversarial group with support from a state-actor since the operation was not rather complex or expensive and the method of ransom collection was poorly designed, according to a statement from NATO’s Cooperative Cyber Defence Centre of Excellence (CCD COE).
Cyber attacks represent a grey area for military response triggered by Article 5 of the North Atlantic Treaty, as self-defense actions cannot be implemented unless consequences similar to an armed attack are reported. However, the NotPetya and WannaCry attacks on critical systems have represented an increasing risk to citizens of NATO nations that the CCD COE called on the international community to start developing a thorough response.
“If the operation could be linked to an ongoing international armed conflict, then law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it, and with respect to possible direct participation in hostilities by civilian hackers, but so far there are reports of neither,” Tomas Minarik, CCD COE Law Branch researcher, said in a statement. “There is a lack of a clear coercive element with respect to any government in the campaign, so prohibited intervention does not come into play. As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”
Jasper’s active cyber defense strategy, which is the foundation of his upcoming book, Strategic Cyber Deterrence: The Active Cyber Defense Option, is an example of such a countermeasure. He calls for a tactic that combines internal systemic resilience with tailored disruption capacities.
“This strategy uses the real-time detection, analysis and mitigation of network security breaches combined with the aggressive use of legal countermeasures beyond network and state territorial boundaries,” said Jasper. “Under international law, if the attribution is not conclusive, states can invoke the plea of necessity, but that is only for a grave and imminent peril to an essential interest. Therefore another strategic option is necessary and that strategic option is based on the promise of active cyber defense, particularly in this case inside the network to automatically detect, verify, and remediate cyber threats.”
Jasper is working with the cyber industry in Silicon Valley who are testing their Next-Generation Firewalls by installing them on Wildfire devices at the Naval Postgraduate School to see if active cyber defense measures can operate at cyber relevant speed.