NSA’s Rob Joyce said recently at RSAC 2019 that we’ve seen a shift in the cyber attacks being mounted by nation-states. They’ve moved from simple theft of secrets toward becoming a principal means of imposing national will.
His colleague Christopher Krebs of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) expressed much the same view in his own discussions at the conference. Russian attempts to run information operations against the US 2016 elections represented, Krebs argued, the "Sputnik moment" for cybersecurity. "That's when people realized," he said, "that the cyber domain wasn't about PII, or about some movie the North Koreans don't like. It was about disrupting democracy."
And both Joyce and Krebs were quite clear that the coming of 5G, and with it an Internet-of-things even more capable and pervasive than what we know today, would vastly expand our attack surface. Both Russia and China, peer competitors of the United States, have shown in their different ways a strong determination to develop the capability to exploit that attack surface.
With this background in mind, the inaugural meetings of CYBERSEC DC on March 19th, 2019, were particularly interesting. They offered the perspective of national authorities who find themselves on the front line of a new intra-European border, that between Russia and the near abroad.
The conference focused on the linkage between economic development and cybersecurity, particularly as that linkage is evolving along NATO's eastern flank. Sponsored by the Center for European Policy Analysis (CEPA) and the Kościuszko Institute and held at CEPA's headquarters in Washington, DC, the conference's announced goal was discussion of the "transatlantic quest for cyber trust."
The conference also sought to develop some high-level, yet actionable, recommendations for furthering such transatlantic cooperation. Participants took it as given that cyberspace had become a field of great power competition, and that the Western allies faced an immediate threat from Russia ("our friends to the East," as they were frequently called) in the form of hybrid war and its attendant information operations, and a more patient threat from China in the form of long-term economic entanglement.
The perspective was clearly informed by the experiences of the Three Seas countries, those Central and Eastern European nations that stretch from the Baltic to the Black and Adriatic Seas: Austria, Bulgaria, Croatia, the Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovakia and Slovenia. It was also informed by the way in which cyber conflict has evolved: while it does now fall under NATO's Article 5 collective defense provisions, cyber warfare remains for the most part confined to actions that fall below the threshold of armed conflict, and thus not susceptible to the sort of responses and deterrence that have long been in place for conventional war.
Among the conference’s recommendations for "advancing secure digital transformation" were: first, auditing assets in place that could serve both resilience and deterrence in the Three Seas region; second, arriving at consensus among governments on the form 5G implementation will take; third, development of a "stronger narrative" concerning the value proposition of investment in digital transformation; fourth, auditing talent in the Three Seas region; and fifth, cooperating to develop truly international as opposed to merely regional standards. With respect to building cyber deterrence along NATO's eastern flank, the recommendations divided into achieving clarity about costs and advancing cooperation within the Alliance.
The cost piece was particularly interesting, with an emphasis on identifying what the adversary (and in this context the adversary was principally Russia) valued, and determining how those values could be held at risk. The consensus of the panelists was that Moscow was likely to remain largely indifferent to naming-and-shaming, and so other means of imposing costs would have to be pursued. The participants recommended full use of the NATO toolbox, including diplomatic and economic tools, and they argued that imposition of costs need not, and probably should not, be symmetric. That is, threatened retaliation for cyber attacks need not confine itself to cyber counterattacks.
We subsequently spoke with one of the senior US participants in CYBERSEC DC, Rob Strayer, Deputy Assistant Secretary at the U.S. State Department for Cyber and International Communications Policy.
Strayer argues that countries should make a realistic, risk-based assessment of their infrastructure and the supply chain that sustains it. That assessment should consider closely how an adversary might influence vendors to compromise data integrity, disrupt communications, or conduct espionage. When looking at specific vendors, he makes a case that assessing the relationship between any company and its home government is crucial. Any company likely to be subjected to extrajudicial pressure is one whose participation in 5G should raise concerns.
The development of such norms would seem to be one reasonable step toward collective defense against cyber operations that might fall below the threshold of armed conflict.