
The Case for Cyber-Realism

Geopolitical Problems Don’t Have Technical Solutions

Dmitri Alperovitch

DMITRI ALPEROVITCH is Co-Founder and Chair of Silverado Policy Accelerator and Co-Founder and former Chief Technology Officer of the cybersecurity firm CrowdStrike.

In September 2015, U.S. President Barack Obama stood beside Chinese President Xi Jinping in the White House Rose Garden and announced a historic deal to curb cyber-related economic espionage. The scope of the agreement was modest, committing China and the United States only to stop stealing or aiding in the cyber-enabled theft of intellectual property in order to boost domestic industry. It was an easy promise for the United States to make, since Washington had long prohibited U.S. intelligence services from conducting economic espionage for the benefit of private companies. But it was a groundbreaking pledge for China, whose military and intelligence agencies had for more than a decade engaged in massive cyber-enabled theft of U.S. intellectual property and state secrets in order to advantage Chinese companies.

The agreement was equally groundbreaking because of how it came about. In the weeks leading up to the Rose Garden ceremony, Obama had threatened to sanction Chinese companies and citizens who continued to target U.S. companies with cyberattacks or exploit stolen intellectual property for commercial gain. These threats, the first that an American president had ever issued in response to Chinese economic espionage, were calibrated to address not just China’s cyber-activities but also its broader economic and strategic objectives. “We are preparing a number of measures that will indicate to the Chinese that this is not just a matter of us being mildly upset, but is something that will put significant strains on the bilateral relationship if not resolved,” Obama told business leaders the week before Xi’s visit. “We are prepared to take some countervailing actions in order to get their attention.”

Initially, the agreement was a limited success. Intrusions from Chinese government-affiliated groups dropped to their lowest level in over a decade in 2016. And for the next two years, American companies enjoyed a brief respite from what had previously been an unrelenting assault by Chinese military- and intelligence-affiliated hackers. But the détente was short-lived. In 2018, U.S. President Donald Trump launched a trade war that undercut the United States’ economic leverage over China and reduced Beijing’s incentives to adhere to the pact. Later that same year, the National Security Agency accused China of violating the agreement, and the U.S. Justice Department proceeded to indict Chinese hackers on charges of cyber-enabled economic espionage. The Trump administration threatened to impose broad sanctions on Chinese companies, but it ultimately sanctioned only a few firms.

Although it failed in the end, the 2015 agreement between Obama and Xi offers a promising model for addressing cyberthreats. Until recently, the United States has tended to approach issues related to cyberspace as a narrow set of technical problems to be solved primarily with a combination of defensive and limited deterrence measures. Those defensive efforts have included funding the modernization of technology, regulating industries involved in critical infrastructure, and improving collaboration and information sharing between the government and industry. Deterrence has typically involved punitive actions by law enforcement or sanctions against individual perpetrators or their affiliated military and intelligence agencies. After North Korean hackers breached Sony Pictures in 2014, for instance, the United States sanctioned individual North Korean officials and indicted three North Korean intelligence operatives. Russia’s interference in the 2016 U.S. presidential election occasioned a similar response: Washington imposed sanctions on Russian intelligence agencies, indicted Russian military officers, expelled Russian intelligence officers operating under diplomatic cover, and shut down several Russian facilities located in the United States. The United States has also sought to deter adversaries by threatening to take the offensive and carry out retaliatory cyberattacks. Yet despite all these steps, neither North Korea nor Russia—nor any other U.S. adversary, for that matter—has ceased targeting the United States.

That is because vulnerability to cyberattacks is not a technical problem that hardened defenses or narrow, cyber-focused deterrence can fix. Cyberattacks are a symptom, not a disease; the underlying conditions are broader geopolitical problems that demand geopolitical solutions—namely high-level negotiations with adversaries in the pursuit of agreements that all parties can live with.

As the range of cyberthreats multiplies and the frequency and severity of attacks increase, Washington needs a dose of cyber-realism. It must treat cyberthreats as a geopolitical and national security priority that demands hard-nosed diplomacy—backed by all of the United States’ tools for gaining leverage—to entice or threaten U.S. adversaries into changing their behavior, as Obama did in 2015. The specific carrots and sticks will need to be tailored to each adversary, taking into account its unique geopolitical ambitions. But the sticks will have to include more aggressive deterrence, aimed not just at the hostile military and intelligence agencies that perpetrate cyberattacks but at the regimes to which those agencies answer. Cyberspace is not an isolated realm of its own, after all, but an extension of the broader geopolitical battlefield.

DEFENSE AND DETERRENCE

For most of the last three decades, U.S. cybersecurity policy and cyberstrategy have treated cyberattacks as if they emerged from the ether, unconnected to the geopolitical conflicts and competitions that structure the global security order. As a result, much of U.S. cyberstrategy has focused on managing the effects of cyberattacks through defense and narrow deterrence of actors in cyberspace rather than addressing the causes of cyberattacks.

Defensive measures can be either proactive or reactive, seeking to protect networks from intrusions or trying to limit the damage when intrusions inevitably occur. But neither of these types of defensive measures has proved equal to the increasing cyberthreat—as Russia’s recent and extensive hack of U.S. government networks via network-monitoring software made by the Texas-based company SolarWinds, among other major incidents in cyberspace, has made clear. Attackers have an inherent advantage in cyberspace: when the cost of each attempted hack is low and the penalties are effectively nonexistent, hackers seeking to infiltrate even hardened targets can afford to spend months and sometimes years trying to find a way in. That asymmetric advantage makes aggressors quite likely to succeed eventually, since they need to get lucky only once, whereas defenders must discover and stop each hacking attempt.

Even if the U.S. government could sufficiently harden its own defenses, moreover, it would not be able to prevent all or even most cyberattacks, many of which are directed against smaller entities, such as schools, hospitals, police departments, small businesses, and nonprofit organizations, which have neither the resources nor the knowledge to implement complex cybersecurity strategies. These organizations will have little chance of fending off sophisticated cyberattacks from hostile countries no matter how effective U.S. government defenses become.

Deterrence, as it has traditionally been practiced, has been similarly ineffective at preventing cyberattacks. In the past four years, the U.S. government has sanctioned and indicted government officials and contractors from all its four primary adversaries: China, Iran, North Korea, and Russia. Yet these states regard the cost of such measures as relatively minor, and they continue to carry out or condone cyberattacks at an unrelenting pace. More aggressive sanctions that would threaten the underpinnings of economic growth in these countries, such as sanctions against industrial national champions, would likely achieve a greater effect. But because the United States does not approach these attacks in their broader geopolitical contexts, it has failed to mount appropriately tailored responses.

On occasion, the United States has gone on the cyberoffensive. Ahead of the 2018 U.S. midterm elections, for instance, U.S. intelligence agencies sought to disrupt the Internet Research Agency, Russia’s infamous Internet troll factory. Such offensive measures have occasionally succeeded on a tactical level, impeding or slowing adversaries’ attacks for a time. But they have done nothing to change the basic calculus of U.S. adversaries in cyberspace or to make the United States less vulnerable to cyberattacks in the long term.

THE GEOPOLITICS OF CYBERSPACE

The vast majority of cyberattacks against U.S. entities, whether by criminal groups or governments, emanate from the four countries—China, Iran, North Korea, and Russia—that also pose the greatest conventional military threats to the United States. To effectively counter the cyberthreat from these countries, Washington must consider their broader geopolitical goals.

China is the United States’ most formidable adversary in cyberspace, as well as in the conventional military domain. It has made no secret of its ambition to surpass the United States as the world’s leading economic and military superpower, and its activities in cyberspace follow logically from this goal. The vast majority of Chinese cyberattacks are instances of traditional and economic espionage. Between 2010 and 2015, for instance, state-sponsored Chinese hackers systematically targeted U.S. and European aerospace companies, stealing valuable information that China then funneled to its state-owned aerospace manufacturers. This hacking campaign was an enormous success; by the time it was discovered, in 2018, Chinese manufacturers had already built commercial jets based in part on the stolen intellectual property.

China’s cyber-espionage has been especially aggressive in sectors that Beijing deems critical to its economic and national security objectives. Last July, for instance, the National Security Agency, the FBI, and the Cybersecurity and Infrastructure Security Agency released a joint report warning that Beijing-linked hackers were continuing to target U.S. companies and institutions in strategically important areas, including defense and semiconductor firms, medical institutions, and universities. Compared with other U.S. adversaries, however, China has engaged in relatively little cybercrime and has carried out few destructive cyberattacks. This, too, fits with China’s broader strategic agenda, since such activities could undercut China’s standing on the international stage.

Russia has its own set of geopolitical goals that its cyber-activities aim to advance. Like Beijing, Moscow is motivated by a pugilistic sense of national pride. But unlike China, Russia does not have the economic capacity to compete with the United States. It is increasingly isolated internationally and struggles to maintain its influence in its so-called near abroad. Nevertheless, it is striving to retain its status as a great power, a goal that its leaders believe they can achieve by strengthening their position at home while undercutting the reputation of the United States and its allies and frustrating their international ambitions.

Like its Soviet predecessor, the Russian government carries out traditional spying and economic espionage. Today’s Kremlin uses both cybertools and conventional means for this purpose. But Russia’s cyber-activities also focus on sowing political and economic turmoil in the West, undercutting Westerners’ faith in democratic government, and weakening the influence of Western countries in Russia’s neighborhood. Moscow’s interference in the 2016 U.S. presidential election, its 2017 malware attack that took down networks in Ukraine before spreading around the world, and its 2018 hack of the International Olympic Committee all served this broader agenda.

The same is true of Russian ransomware attacks, which, despite being carried out by criminal gangs, represent an important part of the Kremlin’s strategy. The cybercriminals that have targeted thousands of U.S. organizations and extracted over $1 billion in ransoms in recent years have sometimes been protected by Russian security forces, and regardless, the Kremlin’s refusal to crack down on them amounts to a tacit endorsement of their activities. Although cybercrime does not advance Russia’s core national interests, it does serve a strategic purpose: disrupting the U.S. economy and sowing fear among American business leaders. Cybercriminals are also valuable bargaining chips in international negotiations: Russia can offer action against ransomware gangs in exchange for important concessions, without having to address its more strategically important, state-sponsored cyber-activity.

The United States’ other two major adversaries, Iran and North Korea, have also used cybertools to advance their domestic and international goals, although less ably than China and Russia. Both countries have done so primarily to circumvent Western sanctions that are squeezing their domestic economies. The North Korean regime has financed itself with tens of millions of dollars accumulated through cybercrime, and Iran has used cyber-enabled economic espionage to get around Western sanctions on defense technologies, petrochemical production, and other strategic sectors. Both countries have also used cyberattacks to weaken their regional rivals, with North Korea launching attacks against South Korea and Iran targeting Israel and Saudi Arabia.

GRAND BARGAINS

Better defensive measures might help insulate U.S. government agencies, private U.S. companies, and individual Americans from the consequences of major cyberattacks carried out by these U.S. adversaries. But neither defense nor deterrence as it is currently practiced can mitigate these threats on its own. Washington’s capabilities might improve, but so, too, will those of its rivals.

To halt China’s malign cyber-activity, the United States and its allies will have to convince Beijing to make a deal. In exchange for a de-escalation of the trade war, Beijing might agree to remove market-distorting industrial subsidies, halt the forced transfer of technology, and curb intellectual property theft. Likewise, if the United States wants to check Russia’s nefarious cyber-activities, it will need to ease Moscow’s concerns about U.S. interference in Russian domestic and regional affairs. Addressing the cyberthreat from Iran and North Korea will similarly require making progress on negotiations over their respective nuclear programs, which are by far the most pressing concern for both countries.

This might seem like cause for gloomy fatalism about the chances of resolving issues related to cyberspace. In fact, the opposite is true. Like all complex geopolitical challenges, cyberthreats can be addressed using the right combination of incentives, disincentives, and compromises. The question for the United States and its allies is whether they are willing to prioritize progress on issues in cyberspace over progress on other geopolitical objectives—and what they are willing to give up for the sake of that progress. Considering the recent slew of major ransomware attacks and supply chain hacks, the Biden administration must urgently answer that question. Then it must back up its rhetoric on cyberspace with hard-nosed diplomacy that can change its adversaries’ behavior.

Part of what it will take to force these countries to make a deal will be broader deterrence, including measures that raise the costs to hostile regimes of carrying out cyberattacks while denying them the benefits of doing so. In addition to military and spy agencies, the United States should sanction and prosecute companies and executives in countries, such as China, that benefit from cyber-enabled economic espionage, sending the message that the theft of intellectual property and trade secrets comes at a hefty price. Since anonymous cryptocurrency transfers now fuel so much global cybercrime, the United States should also work with its allies to sanction and shut down cryptocurrency exchanges that cater to criminal operations or that do not perform due diligence on the transactions they facilitate.

To be sure, as long as grand bargains remain elusive, the United States will have to harden its defenses and make itself more resilient. The U.S. government has a poor record on cybersecurity, so it needs to step up its game and lead by example—for instance, by centralizing all civilian cybersecurity operations within the Cybersecurity and Infrastructure Security Agency. It must also incentivize public and private investment in defensive measures, including by subsidizing the costs of defense for municipalities, nonprofits, and small businesses and by holding companies that do not take responsible security measures accountable for negligent failures. Although these measures can only ever be a partial fix, they can limit the damage done by hackers and other cybercriminals until Washington can forge a more lasting diplomatic solution.

When the United States faces a military threat from a hostile nation, it does not tell its citizens and businesses to fund their own private armies or to negotiate their own peace deals. Many cyberthreats are not meaningfully different from military or economic threats, and yet the United States allows much of the burden of defending against them to fall on individual companies and citizens. In the short term, the United States must do more to harden its defenses and to help companies and citizens do the same. Ultimately, however, Washington must accept that cyberattacks are primarily an effect, and not a cause, of geopolitical tensions. Unless the United States treats the underlying disease, it will never fully recover from the symptoms.