March 9, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

Cyber-attacks, including those from nation states, are accelerating, and the lines delineating criminal activity from nation-state activity are growing increasingly blurry. As a result, greater engagement from the military is now called for.

An overlap is now emerging between economic cyber espionage and cybercrime, as new threat actors enter a marketspace of cyber espionage that has traditionally been occupied by nation-state adversaries. Cyber threats increasingly come from “independent contractor” actors that are not directly controlled by nation-state governments but are instead suppliers to those governments. As a result of this new dynamic, the number of threat actors that cybersecurity teams must defend against has increased significantly, and it is much more challenging to determine who is attacking and why. These independent contractors acting on behalf of nation-states are leveraging attacks such as ransomware to meet nation-state cyber objectives.

While there has been some increased collaboration between the military and the financial services and energy sectors, as described in later chapters, it is still quite limited, and the rules of engagement for the military are unclear, which further limits its positive impact.

There have now been repeated, significant instances in which the advanced tools and capabilities of the military ought to have been more directly engaged in what might otherwise be considered civilian cyber defense. Consider when an innocent company is attacked for exercising its First Amendment rights, as in the case of North Korea attacking Sony; when our critical infrastructure is compromised, as in the Iranian attacks on our financial services sector in response to the US/Israeli attack on the Iranian nuclear reactors; or when systemic attacks such as SolarWinds/Orion, generated by the Russian government, cause uncalculated damage not only to government but to numerous private sector entities. In the digital age, it is clear that the traditional lines between military defense and criminal defense need to be rethought, clarified, and adjusted to address the new world order.

Without wading into the massive complexities of when cyber-attacks merit a “shooting war” response, and the difficult debate over physical responses to digital attacks, there is a wide range of military-civil collaborations that need to be put on the table and addressed, all of them falling well short of firing weapons. From this range of military options, an improved posture can be built that creates greater deterrence without moving to armed conflict.

There are clear precedents for military tools being used in the civil protection of critical infrastructure. Former Deputy Secretary of Defense William Lynn has noted the precedent for this type of activity and how it can be successfully managed:

“[D]uring a natural disaster, like a hurricane, military troops and helicopters are often used by … [the Federal Emergency Management Agency] to help deliver relief. In a similar vein, the military’s cyber capabilities will be available to civilian leaders to help protect the networks that support government operations and critical infrastructure. As with all cases of military support to civilian authorities, these resources will be under civilian control and used according to civil laws.”

If military facilities can be used to protect private sector property in cases of natural emergencies, why are we preventing their use in the much clearer cases of actual nation-state and state-affiliated attacks on private entities? These attacks are not random, spontaneous instances that can be dealt with on an ad-hoc, case-by-case basis. They are conscious, well planned, and often, as in the case of SolarWinds, sustained attacks using modern weaponry that put our nation at serious risk. As we have documented earlier, the well-organized cybercrime “nation” generates revenues roughly the size of the world’s 10th largest nation state, Mexico. And if current growth patterns hold (and we believe they will), cybercrime revenues will approximate those of China in just a few years. The prospect of large, well-funded, technically sophisticated criminal syndicates the economic size of China should be chilling.

The precedents for military collaboration in fighting cybercrime need to be expanded to address the threats of the digital age. Defense Secretary Mark Esper, speaking at the Department of Homeland Security’s 2019 Cybersecurity Summit, said “our adversaries are increasingly resorting to military activity in less traditional areas to undermine our security; [t]here is perhaps no area where this is more true than in the cyber domain.”

Given the evolution of international conflict in the digital age and the obvious inadequacy of civilian law enforcement in addressing international attacks, including state-sponsored ones, there needs to be a reconsideration of what it means to defend the nation and of the role of the military in this new age.

In a recent white paper, Jason Healey and Erik Korns note that “the DoD has significant capabilities for responding to cyber incidents,” and that “[o]ne of the DoD’s key missions is for it to ‘be prepared to defend the United States and its interests against cyber-attacks of significant consequence.’” At the same time, the DoD has stated that it would assist federal departments such as the DHS and FBI in the wake of a significant incident.

Unfortunately, it is not clear what exactly amounts to a “significant” attack, nor what the roles and responsibilities of the military in civilian cyber defense are when one occurs. This ambiguity leaves both the government and critical infrastructure at the mercy of these sophisticated cyber attackers.

The U.S. government has spent considerable effort, and rightly so, urging private entities to develop cyber incident response plans. However, these efforts are substantially impeded if, in the face of nation-state and state-associated attacks, the private sector is unclear about what it can expect from its government partner.

According to a panel at a 2018 strategy symposium run by U.S. Cyber Command, “there is little consensus on what it means to defend the Nation and its interests in cyberspace, or on what role the Department of Defense should be for this mission.”

States in these circumstances have relied on the National Guard under Title 32 of the U.S. Code to prepare for and respond to cybersecurity attacks. However, the DoD’s guidelines under this title have been ambiguous on how exactly the National Guard should proceed in its response and what reimbursements it may receive from the federal government. Further, the guidelines are unclear on how the Guard should cooperate with other federal processes and personnel in the wake of what might be a more significant cyber-attack.

To be clear, this is a government issue.

It is the government that is responsible for both law enforcement and national, military defense. The reality of nation-state/criminal collaboration is not a truly new revelation. Government can rethink its traditional responsibilities and come to the table with how it can best carry out its legitimate national defense responsibilities. If there is concern about encroaching on private sector rights, these discussions can be had and better paths clarified. No one is in favor of the status quo with respect to cybercrime.

To join the Rethink Cybersecurity Community, click here.