1 big thing: Why the U.S. needs better cyber deterrence
The U.S. lacks a well-formulated policy of cyber deterrence, one that ensures adversarial states will anticipate the consequences of their own cyber operations and online influence campaigns against the U.S., according to a U.S. senator who is a prominent voice in the cybersecurity field.
Why it matters: With elections looming in November, hacks afflicting Twitter and other services, and misinformation rampant on social media platforms, the U.S. remains a vulnerable target for state-backed cyber operations.
- A clear, enunciated policy of cyber deterrence could help mitigate future attempts at covert electoral interference in U.S. politics as well as serious disruptive cyberattacks.
What he's saying: Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee and co-chair of the bipartisan Cyberspace Solarium Commission — a high-level expert group focused on U.S. cybersecurity and defense — spoke to Codebook in a recent telephone interview about this need.
- “I probably have sat through .... 25 hearings over the last 7½ years on both Intelligence and Armed Services where it’s been made crystal clear that we don’t have a policy that causes our adversaries to calculate the risk of their actions,” says King. “We are a cheap date.”
The big picture: King points to Russia’s 2016 “active measures” campaign during the U.S. presidential election as the moment that crystallized the need for a better cyber-deterrence strategy.
- Russia was deeply involved “in our election in 2016, which is a major part of what our democratic process is all about, and essentially paid no price,” notes King. “Some sanctions by Obama, but they essentially paid no price. So why shouldn’t they do it again?"
Some “rules for the road” are necessary, says King, in making clear how the U.S. will respond to certain sorts of cyber activities, so foreign states will understand the consequences of their activities. Otherwise, covert actions in cyberspace could lead to escalating retaliatory conflict — or even a hot war.
- “I understand the dangers,” says King. “We spent a lot of time on this [at the Solarium Commission], the dangers of escalation. I want them in the Politburo when they’re discussing coming after our, I don’t know, water system in New York, saying, if we do this, something bad might happen to us, and we better think twice.”
How it works: It’s a balance, says King, between crafting policies that deter foreign cyber operations while also making clear to those adversaries exactly what the U.S. will do in response to such activities, which will preclude misunderstanding that could spiral out to conflict.
- “The other side has to know what your intentions are — you have to have both the capacity and the will,” says King. “So it’s a big part of this, and that’s a part we can't really legislate. This is really a presidential responsibility to articulate a doctrine on cyber deterrence.”
- Congress has a role to play as well, says King — publicly, with reports like those put out by the Solarium Commission, but also via closed-door meetings with top intelligence officials.
- Roughly once a month, Senate Intelligence Committee members meet with the heads of the CIA, NSA, DNI and other senior intelligence community officials for informal roundtables, says King.
What's next: Fundamentally, according to King, deterring electoral interference by Russia or anyone else will require wider actions outside the cyber domain: primarily, public disclosure of Russian activities as part of a larger educational campaign.
- “What if the intelligence community learns in September that Russians are penetrating the electoral system in 14 states, or even harder, they are penetrating the servers of the campaign apparatus of one of the major candidates?” asks King. “What is the responsibility of the intelligence community to disclose that information to the public?"
The bottom line: Under such a scenario, says King, the greatest deterrent to Russian “active measures” will be a more informed citizenry — which will require more transparency from America’s own intelligence agencies about just what they know Russia is doing.