Creating a foundation for cyber security deterrence begins by partnering with countries that think alike, a White House official said on Tuesday.
“We’re going to be working with like-minded countries to start to enforce the norms that we’ve talked about that do exist,” Rob Joyce, special assistant to the president and Cyber Coordinator at the White House, said at a cyber security conference. “The rule of law as it applies in physical space, applies in cyberspace, so we’re going to use like-minded countries to start pushing at those norms that we know need to be enforced and following up so that we can impose costs and start the deterrence cycle to address the issues we’re seeing in cyberspace.”
President Donald Trump in May issued an executive order on cyber security that has three pillars, one of which is deterrence and international cooperation. The May 11 directive sets forth a policy that promotes a “secure internet” that is open and interoperable and is protected “against disruption, fraud, and theft.”
Joyce spoke at an event hosted by the Department of Homeland Security’s Science and Technology Directorate to showcase its work in the are of cyber security research and technology. Later in the day, in an email response to questions from Defense Daily about how partnering with like-minded nations outside of large multinational forums will serve to promote cyber deterrence, Joyce said such agreements will enable collective action.
“We have made progress in recent years in building consensus around responsible state behavior, but now we need to hold nations accountable when they violate that consensus,” Joyce said in his email response. “We have to move from talking about these norms to implementing them. Our like-minded partners should be prepared to work together to deter bad behavior. Multilateral forums like the UN have struggled, so implementing norms may not be achievable through a UN effort in which we must deal with the lowest-common denominator to reach an agreement. There is a purpose and value to multilateral efforts, but we find bilateral efforts much better for the decisive initiatives that are required in deterrence. The responses we envision with partners include a wide variety of means: sanctions and secondary sanctions, indictments, diplomatic demarches, cyber actions, naming and shaming, and other creative efforts. Larger groups tend to devolve to the lowest common denominator for action- which often means inaction.”
Trump’s order requires an interagency report due in early August on deterrence options for cyber threats. It also calls on key agencies to provide reports on their international cyber security priorities and a collective report on “documenting an engagement strategy for international cooperation in cybersecurity.”
During the Obama administration there were a number of high-profile cyber attacks against networks in the United States, including data breach of the federal Office of Personnel Management believed to have originated in China, a California-based entertainment division of Japan’s Sony Corp. attributed to North Korea, and possibly most notoriously, a Russian-led hack against computers and networks of the Democratic National Committee and the campaign manager for presidential candidate Hilary Clinton prior to national elections last November.
The Obama administration had been criticized for not establishing a policy for cyber deterrence although administration officials have said that it is a difficult issue to solve. President Barack Obama did reach an agreement with China’s President Xi Jinping in Sept. 2015 that the two countries would support cyber theft of intellectual property, a deal that U.S. officials at the time held up as the type of effort needed to reduce state-sponsored cyber breaches.
Joyce, speaking at the DHS event, didn’t mention Obama’s agreement with Xi but pointed to a deal last month between the U.S. and Israel that represents the kind of partnership with like-minded countries that will help set the foundation for cyber deterrence.
“But in the end, one of the things that we’ve got to do is we’ve got to raise the cost for doing exploitation, whether its criminals, nation states, or non-nation state actors,” Joyce said. “And in that, it’s hard to do in a big multinational forum. So, you’ve seen recently …. we announced a partnership with Israel.”
The agreement with Israel was reached last month and signed by Joyce’s boss, Thomas Bossert, who is Trump’s senior adviser on homeland security, and Israeli Prime Minister Binyamin Netanyahu. The agreement calls for the countries to create joint working groups in a number of areas such as international cyber policy, defense of critical infrastructures, research and development, and workforce development.
The talks in Israel initiated a cyber working group between the two countries, which was led by Jocye for the U.S. side. He told Defense Daily that the group will improve coordination and enable new opportunities between the governments, ultimately serving to “strengthen the strategic alliance between the nations.”
Joyce said there are 11 actionable items arising from the agreement around direct technical cooperation, international policy and legislation, human capital and workforce, and operational cooperation.
“These activities ranged from joint exercises to improved means to share threat information in operationally relevant timeframes,” Joyce said.
Bossert, speaking in Israel last month, said the agreement is aimed at “’stopping adversaries in networks and identifying ways to hold bad actors responsible,” according to Israel National News, which reported on the deal.
Joyce at the DHS conference also referenced the Five Eyes intelligence alliance and the “close connections” the U.S. has with the partners here. The alliance includes the U.S. National Security Agency, Britain’s Government Communications Headquarters, Canada’s Communications Security Establishment Canada, the Australian Signals Directorate, and New Zealand’s Government Communications Security Bureau.
Joyce said that “partners and allies” are necessary for the U.S. to protect its institutions, infrastructures, businesses and people in the cyber domain.