Cyberattacks against U.S. networks continue to grow in scale and number. Recently, a series of high-profile “ransomware attacks,” where criminal groups shut down networks until they receive payment, have gained national attention. This year alone, ransomware attacks disabled the pipeline carrying nearly half of the gasoline on the East Coast, shut down one of the country’s largest meatpacking companies, and caused a large-scale IT firm to deliver malicious software to its customers, compromising the networks of thousands of businesses. These criminal groups predominantly operate from Eastern Europe, Russia, and the former Soviet Union, and other ransomware and cyber threats emanate from China, North Korea, and Iran. At the same time, broader exploitation and espionage campaigns, such as the SolarWinds and the Hafnium Microsoft Exchange intrusions, have continued to wreak havoc on the U.S. public and private sectors.
Much of the discussion in the Biden Administration, on Capitol Hill, and throughout corporate boardrooms has revolved around improving U.S. cyber defenses. There is plenty of work to do on that front. Government and the private sector alike should improve cybersecurity awareness of their employees, employ multifactor authentication and zero-trust architecture, and improve public–private partnerships and information sharing. Congress, for its part, should impose breach notification requirements and help establish additional baseline cybersecurity protocols for critical infrastructure systems. All these steps are necessary, but they will not be sufficient. Cyber defenders must stop every possible attack, while attackers only need to find a single vulnerability to exploit. Given the breadth of U.S. critical infrastructure—including more than 10,000 power plants, 153,000 public drinking water systems, 16,000 publicly owned wastewater treatment facilities, and 6,000 health care facilities—a determined attacker will always find a way through network defenses.
Current Efforts Are Insufficient
The Biden Administration has attempted to use diplomacy, sanctions, and law enforcement actions to fight ransomware. This strategy is not new, and it is unlikely to succeed. Adversaries such as Russia are indifferent to sternly worded press releases and shrug off diplomatic efforts. In June, President Biden warned Russian President Vladimir Putin that attacks on 16 U.S. critical infrastructure sectors were off-limits; it took only a few weeks for Russian hackers to launch another round of ransomware attacks. More recently, Russia’s foreign intelligence service, the SVR, appears to have continued an espionage campaign against thousands of U.S. government, corporate, and nonprofit networks.
Economic sanctions can also be important tools, but for many nation-states and criminals, they have reached the limits of their effectiveness. Many adversaries have reduced their reliance on the U.S. financial system, and many of the logical targets have already been targeted. Another layer of sanctions on Russian intelligence services, for example, is unlikely to change Moscow’s decision-making.
Targeted sanctions also take a significant amount of time to develop. For example, the Department of the Treasury did not designate the North Korean state-sponsored “Lazarus Group” for sanctions until September 2019, more than two years after the group launched the WannaCry 2.0 ransomware attack (May 2017) and nearly five years after it hacked the Sony Pictures film studio (November 2014). A designation must be supported by evidence of the target’s malicious conduct that could withstand a court challenge if the target contests it, so the U.S. Intelligence Community is frequently hesitant to let its best sources and methods be used to support one. As a result, sanctions arrive too little and too late to deter cyberattacks.
Law enforcement efforts are similarly unlikely to deter cyberattacks. Attackers should, of course, be prosecuted when possible. Cybercrime investigations, however, often require cooperation from foreign adversaries who are unlikely to provide it. And even when there is enough evidence to indict cybercriminals, government-sponsored hackers can escape justice simply by remaining in their home countries, safely out of the reach of U.S. law enforcement. The Department of Justice has brought charges against numerous Chinese and Russian hackers over the past decade, but only a token few have ever appeared inside American courtrooms.
Some commentators have proposed bolstering private-sector capabilities for “active cyber defense.” This approach, sometimes called “hacking back,” would encourage the U.S. private sector to go beyond protective software, firewalls, and other passive screening methods and instead deceive, identify, disable, or otherwise retaliate against hackers. Private-sector hacking back presents various challenges under both domestic and international law, especially the prohibition in the 1986 Computer Fraud and Abuse Act (CFAA) on accessing a computer system without authorization. Uncoordinated actions by the private sector also risk interfering with U.S. foreign policy interests and ongoing U.S. military and intelligence operations. Even so, some U.S. companies have recently attempted to work within the bounds of the CFAA to take action against cyber attackers.
In short, although U.S. diplomats, sanctions enforcement officials, prosecutors, and law enforcement agents are engaged in noble efforts, their actions alone will not deter the most significant cyberattacks. The United States should continue to use these diplomatic, economic, and investigative tools, but unless its adversaries pay a price, cyberattacks will only continue to escalate.
Trump Streamlined U.S. Offensive Cyber Operations
Given the insufficiency of other policy tools, the U.S. government should increase its use of offensive cyber operations, sometimes called cyber effects operations, to degrade adversaries’ capabilities and create strategic deterrence. Under the Obama Administration’s policies, offensive cyber operations were destined for failure. President Obama’s 2012 Presidential Policy Directive 20 (PPD-20) stressed that the U.S. government would “undertake the least action necessary to mitigate threats” and expressly prioritized “network defense and law enforcement as preferred courses of action.” Before the U.S. government could carry out an offensive cyber operation, PPD-20 required an interagency policy coordination process chaired by the National Security Council—at least three levels of meetings, allowing “anyone to stop the process at any point.” As a result, “much of the authority [was] held at the presidential level,” making the PPD-20 process too “slow and cumbersome” to enable timely or meaningful cyber operations.
President Trump’s replacement directive, National Security Presidential Memorandum (NSPM)-13, established a process to delegate authorities to operating agencies, including the Department of Defense, to conduct “time-sensitive military operations in cyberspace.” Although much of the substance of the order and the operations conducted under it remains classified, the U.S. government has publicly disclosed a few operations that occurred under the NSPM-13 framework. General Paul Nakasone, commander of U.S. Cyber Command (USCYBERCOM) and director of the National Security Agency (NSA), has described efforts to “Defend Forward” and maintain “persistent engagement” against adversaries. In March 2021, Nakasone testified that USCYBERCOM had conducted “more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020.” This number included 11 “hunt-forward” operations, in which USCYBERCOM partnered with allies in nine different countries to counter or halt malicious cyber activity as part of election-security efforts. In addition, an October 2020 USCYBERCOM operation disrupted the Russia-based Trickbot botnet, malware that had previously damaged a health care provider and was viewed as a possible threat to the 2020 election cycle.
Congress has also helped clarify the legal landscape for offensive cyber operations. The Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) declared it U.S. policy that the “United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible, and respond to when necessary, all cyber attacks or other malicious cyber activities of foreign powers that target United States interests,” and it provided statutory authorization for certain offensive cyber operations, including responses to activities that would “significantly disrupt the normal functioning of United States democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government).” The FY 2019 NDAA also settled a long-running question as to whether a cyber operation constitutes covert action if it obscures U.S. involvement. By affirmatively stating that such operations are “traditional military activities,” the NDAA opened the door to deniable cyber operations without a covert-action finding.
Foreign Governments Engage in Offensive Cyber Operations
When the rescission of PPD-20 was reported, many commentators feared hostile reactions from allies and a cycle of escalation with adversaries. Neither fear has been borne out. Worries that offensive operations would impair intelligence-collection efforts have also not come to fruition. In fact, many allies have sought U.S. leadership and cooperation to deter mutual adversaries. The United Kingdom, for instance, took a forward-leaning view of international law that permitted it to conduct offensive cyber operations well before the shift in U.S. policy. And last year, the U.K. established a National Cyber Force, a unified command staffed by personnel from the Secret Intelligence Service (MI6), the Government Communications Headquarters (GCHQ), and the Ministry of Defence, to conduct offensive cyber operations. GCHQ Director Sir Jeremy Fleming recently said that the National Cyber Force had both the desire and the capability to deploy civilian personnel to “go after” ransomware gangs, and that groups beyond the reach of prosecutors and police would face “the pointy end of the spear.”
China, Russia, and other adversaries regularly engage in offensive cyber operations. The Office of the Director of National Intelligence’s 2021 Annual Threat Assessment noted that Russian cyber operations “target critical infrastructure, including underwater cables and industrial control systems” and that Russia considers “cyber attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts.” Similarly, China is “a prolific and effective cyber-espionage threat” that “possesses substantial cyber-attack capabilities” and can “launch cyber attacks that, at a minimum, can cause localized, temporary disruptions to critical infrastructure within the United States.” Rather than cede the debate over international norms to Russia and China through inaction, the United States should join its allies to create the norms it desires through state practice.
The Biden Administration’s Approach
So far, it is not clear what approach the Biden Administration has taken with respect to offensive cyber operations. Earlier this year, following the SolarWinds intrusion and a spate of ransomware attacks emanating from Russian territory, news reports indicated that the Biden Administration had prepared a “series of clandestine actions across Russian networks that are intended to be evident to President Vladimir V. Putin and his intelligence services and military but not to the wider world.” And according to recent press reports, a multi-country operation successfully forced REvil, a Russia-based ransomware group, offline. REvil was behind several prominent cyberattacks this year, including the JBS meatpacking attack and the supply-chain compromise of the IT management firm Kaseya. (The Colonial Pipeline attack was attributed to a separate Russia-linked group, DarkSide.)
News reports also indicate that National Security Advisor Jake Sullivan (who has no legal authority to direct departments or agencies) issued guidance requiring the National Security Council (NSC) to be notified of large-scale operations and allowing those operations to be reviewed and adjusted through the policy coordination channels. As has been reported for other critical national security issues, this guidance may signal a return to the Obama Administration’s byzantine procedural requirements, which prevented a timely response to cyber threats.
Congress should:
- Provide additional statutory authorities to USCYBERCOM. Congress should further clarify that the FY 2019 NDAA authorities extend beyond election interference and extend statutory authorization to a wide range of cyber operations that can deter or degrade adversaries’ ability to attack U.S. critical infrastructure. Although the President has constitutional authority to carry out offensive cyber operations, additional statutory authority will bolster the President’s position and send a clear signal to U.S. allies and adversaries of political support for offensive cyber operations.
The Administration should:
- Continue to delegate authority to operating agencies. Rather than restoring the Obama Administration’s paralysis by analysis, President Biden and his NSC should retain the former Administration’s approach and drive operating agencies to establish deterrence below the threshold of armed conflict. Siloed infighting among competing agencies and intelligence gain-loss analysis should not be allowed to dominate consideration of proper and necessary responses. Additionally, policymakers should be clear-eyed about the time and resources an offensive cyber operation requires to plan and execute, the technical capabilities it may expose or burn, the level of impact it is likely to have, and how quickly the adversary can reconstitute. This framework should rely on metrics to evaluate risk and reward properly, as well as the effect of actions and their long-term impact.
- Publicly announce the threshold for offensive cyber operations. Just as U.S. nuclear “declaratory” policy helps establish deterrence, a publicly announced policy on U.S. offensive cyber operations will force adversaries to consider the likely U.S. reaction before they launch cyberattacks. Furthermore, a clear declaratory policy can help the U.S. government understand, attribute, and prioritize actions against nation-state cyber actors, even when those actors operate in a complicit “gray zone” by working with criminal groups or turning a blind eye to them. A publicly announced threshold for offensive cyber operations need not exclude more traditional tools, such as diplomacy, sanctions, and prosecutions, when adversaries’ actions fall short of cyber redlines.
- Disclose the results of cyber operations. The U.S. government should also proactively disclose more of its offensive cyber operations. Deterrence works only if adversaries understand—and fear—U.S. capabilities. Just as the U.S. military ensures that adversaries understand the consequences of crossing U.S. redlines, limited disclosures of successful U.S. cyber operations may cause prospective cyber attackers to reconsider. For example, the press attributed the recent success against REvil to “private sector cyber experts working with the United States and one former official,” but there was no official U.S. government statement on the operation. If executed properly, such disclosures would also be unlikely to jeopardize USCYBERCOM’s techniques or intelligence sources and methods.
- Identify additional domestic law enforcement authorities and capabilities. The Department of Justice, including the Federal Bureau of Investigation, should review what additional capabilities or authorities are needed to target and disrupt known ransomware operations and, when possible, to recover illicit gains from criminals’ financial networks.
The Administration and Congress should:
- Explore further structural changes to interagency cyber operations and collaboration. During the Obama Administration, then-Secretary of Defense Robert Gates proposed appointing a Department of Homeland Security (DHS) official to serve concurrently as a deputy director of the NSA with the power to task NSA resources under DHS authorities. This proposal would have brought the vast and well-established capabilities of the NSA to bear against cyberattacks originating within the United States while following the more stringent privacy and civil liberties rules that govern DHS. Gates believes DHS possesses many of the authorities needed to protect the homeland from cyber threats but has little capability to exercise them without duplicating the substantial human and technical resources of the NSA. Despite reportedly receiving the approval of President Obama, this proposal “came to naught” because of “bureaucratic foot-dragging and resistance.” Bureaucracy and conflicting messages should not slow down necessary U.S. cyber responses.
- Consider ending the NSA and USCYBERCOM “dual-hat” relationship. Currently, the NSA director is a four-star military officer who serves concurrently as the commander of USCYBERCOM. This arrangement was necessary in the infancy of USCYBERCOM, when it relied on the NSA for its capabilities, but there has long been an intent to end the relationship once USCYBERCOM reaches maturity. President Trump elevated USCYBERCOM to an independent unified command in 2018, and the committee-passed Intelligence Authorization Act for Fiscal Year 2022 sets a road map for terminating the dual-hat arrangement. Congress should continue its oversight efforts while working with the Administration, the NSA, and USCYBERCOM to evaluate whether the dual-hat relationship should end. The dual-hat role is an enormous job for a single person, and a separate seat at the table for USCYBERCOM would help prevent intelligence gain-loss considerations from dominating discussions of offensive cyber operations. Separating the two organizations may, however, lead to overlapping capabilities. If the dual-hat arrangement ends, there is little reason why the director of the NSA, like the directors of the National Geospatial-Intelligence Agency and the National Reconnaissance Office, could not be a civilian official.
In short, although the Administration should continue to make use of diplomacy, sanctions, and law enforcement actions to reduce the threat of cyberattacks, these efforts are not sufficient. Similarly, efforts to improve the cybersecurity of U.S. critical infrastructure are likely to fall short in the face of attacks sponsored by nation-states. The Administration and Congress should instead continue and expand President Trump’s approach by using offensive cyber operations to degrade adversaries’ capabilities and create credible deterrence. The Administration should disclose more information about these operations to discourage adversaries from attacking, and Congress should consider structural changes to improve the efficiency and effectiveness of U.S. offensive cyber operations.
Dustin Carmack is Research Fellow in Technology Policy in the Center for Technology Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation. Michael Ellis is Visiting Fellow for Technology and Law in the Edwin J. Meese III Center for Legal and Judicial Studies, of the Institute for Constitutional Government, at The Heritage Foundation.