President Obama's cyber strategy directive sets out which agencies will lead cyber attack response, but dealing with the hackers themselves is a more vexed issue.
By Steve Ranger |
The White House has published its strategy outlining how the country will respond to significant cyber-attacks.
The Presidential Policy Directive on United States Cyber Incident Coordination makes it clear for the first time that the FBI and the National Cyber Investigative Joint Task Force (NCIJTF) would take the lead in 'threat response activities'.
The Department of Homeland Security will be in charge of 'asset response activities,' which includes providing technical assistance to the affected entities to protect their assets and mitigate the impact of the attack, while the Office of the Director of National Intelligence is the lead agency 'for intelligence support'.
The directive defines the severity of cyber-attacks on a scale from zero (an "Unsubstantiated or inconsequential event") up to a 'level five' incident, which "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of US persons".
Level zero is business as usual, while level five might well be considered an act of war -- especially if it was the result of an attack by a nation state. A level three incident or above ("Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence") is considered "significant" and will trigger application of the directive's coordination mechanisms.
Attribution: a complex task
The directive sets out who needs to take charge in the event of a major attack, and notes that "the ability to degrade or mitigate adversary threat capabilities" comes under the general heading of intelligence support. However, it offers little on what to do about the attackers, which is a much more difficult task.
That's because working out whether and how to retaliate against cyber-attacks is complicated. The first task is to work out who did it, but attributing a cyber-attack to a particular group or nation state is hard work: most hackers are smart enough to cover their tracks and throw in red herrings, even to the point of masquerading as other groups.
But even if a government is confident who the attacker is, it's not entirely clear what shape a response could take because there isn't much of a framework. The US government is actually ahead of most others in setting out responsibilities and some sanctions to deter attackers, but there are still plenty of ambiguities.
NATO has already confirmed that a serious cyber-attack -- one that's likely to cause loss of life -- could trigger its collective defense mechanism, opening up the possibility of a physical military response to a digital attack. The US also has extensive cyber offensive capabilities that it could use against an aggressor.
Another part of the problem is that the line between cyber espionage and cyber-attacks is a blurred one, and it's still unclear how governments should respond to incidents at the lower end of the scale -- the ones that take place on an regular basis. Government networks are constantly being probed by attackers for weaknesses that might never be exploited.
But there's still a big, big grey area. One option is financial sanctions -- an Executive Order paved the way for that last year, plus indictments of individuals if they can be identified. However, it would appear that this hasn't done much to prevent intrusions into US networks: the attack on the Democratic National Committee computer systems and the subsequent leaking of the stolen data is one example where attackers do not seem to have been deterred by existing sanctions. And it's not clear where that would appear on the new scale (above) either.
Dealing with the aftermath of an attack is all very well: stopping the attacks and deterring the attackers is quite another.