In the wake of the recent WannaCry and Petya ransomware attacks, cyber warfare has once again made mainstream news headlines. With cyberattacks becoming increasingly common, it becomes important to understand the options the United States has in dealing with these kinds of attacks.
Petya, though in many ways similar to WannaCry and other ransomware attacks, appears to have been a thinly veiled act of sabotage directed at a specific nation: Ukraine. Organizations and individuals in other countries, some in the United States, were caught in the Petya crossfire. Although few US organizations were damaged by Petya, these attacks will likely continue, and the United States could be the next direct target. The United States has already suffered the consequences of directed cyber interference—in the run-up to the 2016 US presidential election, a Russian cyberattack hit systems in thirty-nine US states.
Although the United States certainly could respond in kind to cyberattacks, it is important to ask: should it, and if so, how? The United States must weigh any cyber actions against the possible responses by the opposing party, as well as avoid setting dangerous precedents in a largely undefined theater of conflict.
One option would be for the United States to “hack back” anyone who attacks the United States with cyber capabilities. However, there are significant risks associated with this practice, including risks of accidentally hitting an innocent party or destroying evidence of the original attack. In addition, the difficulty associated with attributing a cyberattack means that the United States would often not be entirely certain that the party it is hacking back is the guilty party.
Some have suggested that the specific victims (for example, a corporation) of a cyberattack be allowed to hack back. The Active Cyber Defense Certainty Act 2.0, a bill proposed in the US House of Representatives, would allow victims of a cyberattack to disrupt the attacker and try to establish attribution. The bill would, however, require entities to inform law enforcement when they use such active defense measures; therefore, it would not resolve any of the issues faced by the US government.
Cyberattacks remain challenging to attribute, and responses still run the risk of hitting civilians. In addition, companies seeking to react to a cyberattack may not be entirely aware of a wider US strategy as pertains to a particular target, and their responses therefore may not be consistent with US policy. Within the stipulations of this bill, private companies could gain the right to hack back at any perpetrator of a cyberattack, including nations. This could set dangerous precedents and start conflicts that are easy to escalate and difficult to control. What would it look like if, say, Google and North Korea fought a full-on cyber war? The lack of binding and codified norms in cyberspace makes any conflict in that domain rife with uncertainty. Although there are some efforts to establish important norms, such as the Tallinn Manual, there are not yet binding rules on cyber war.
Cyberattacks rarely provoke a significant response, which is why they have become such commonly used tools by countries such as Russia and China. However, the United States does have a number of options for retaliatory cyber strikes, from leaking Russian documents to targeting Russian cyber units.
Shawn Turskey, the executive director of the US Cyber Command, stated in late 2016 that the Cyber Command is looking for “loud” cyber tools that can be definitively traced back to the United States. These more visible tools would exist as a counterpoint to stealthier methods used in the intelligence community and would be potentially useful as a deterrent or as a punitive measure.
If the United States wants to engage in retaliatory cyber strikes, it requires the correct infrastructure to do so. The administration of former US President Barack Obama considered making Cyber Command a unified combatant command, separating it from the National Security Agency (NSA), which would potentially increase US cyber power by giving it greater autonomy. Having an independent Cyber Command, though potentially prone to structural redundancy, would address the NSA’s lack of authority to destroy or change someone’s information, to harm someone’s network, or to take over someone’s computers. Separating the two organizations would give Cyber Command more flexibility in its operations, particularly in the deployment of offensive cyber measures. The United States has used offensive cyber capabilities as a tool in the past, the highest-profile example being the Stuxnet worm, identified in 2010 and commonly attributed to the United States and Israel.
Although the United States certainly has the capability to use its cyber offense as a deterrent or a punitive measure, the response to a cyberattack does not have to come from the same domain. The United States could respond to a cyberattack with economic sanctions or the expulsion of diplomats, as Obama did in response to the Russian hacking of the 2016 US presidential election. Conventional intelligence responses against individual perpetrators, such as the leaking of personal information, provide additional alternatives. Military responses such as a targeted strike on the installation responsible for the attack, though they risk escalation, could also be an option.
Ultimately, the question of how to respond to a cyberattack is a complex one. The inherent anonymity and uncertainty associated with cyber warfare make both attacking and counter-attacking distinctly risky. The United States will need to be careful about how it uses its offensive capabilities going forward, and should continue to harden its defenses to avoid the need for retaliation in the future. Splitting Cyber Command from the NSA would give the United States more offensive flexibility and more offensive power and power projection in the digital realm. Until the world can come to a stronger consensus on the rules of cyber warfare, caution will be critical in preventing more conflict.
Adam Petno is an intern at the Atlantic Council’s Brent Scowcroft Center for International Security.