WASHINGTON: No one really knows what they’re doing in cyberspace: It’s all too new and it changes too fast. So it was refreshing — if unnerving — for two top intelligence officials to admit this morning that the US government’s lack of clarity makes it more difficult both to deter adversaries’ cyber operations and to conduct our own.
“Clearly, we still do not have enough clarity,” said Adm. Mike Rogers, who heads both the National Security Agency and US Cyber Command. “Particularly [in] my operational role as Cyber Command, clarity is everything to me because that helps enable speed of response.” (In cyberspace, even more than regular military operations, speed is life).
“I’m pretty comfortable we’ve got a fairly well understood characterization of what is ‘defensive,'” Rogers told the House Permanent Select Committee on Intelligence. “There is still uncertainty about how you would characterize what is ‘offensive’ and what is authorized.” So far we’ve made these policy calls “on a case by case basis,” he said, which can be painfully slow in a crisis.
We have to get offense right, Rogers argued: “A purely reactive, defensive strategy is not ultimately going to change the dynamic where we are in now, and the dynamic we find ourselves in now, I don’t think is acceptable to anyone.”
The head of the intelligence community, Director of National Intelligence James Clapper, went farther: “This sort of thing is going to continue — the OPM breach [for example] — until we create both the substance and the psychology of deterrence.”
In other words, adversaries like China and Russia will keep hitting us until we have both the technical capability and the political resolve to hit them back — and they believe it.
“We enhance our security if we can deter,” agreed an approving Rep. Chris Stewart. “I know there’s a fine line we have to tread there, because you don’t want to reveal our capabilities…. but … it seems like we could be open and more clear about our deterrence policy.” (Emphasis added).
“Certainly, as an intel guy, I would be an advocate for that,” Clapper responded, “but ultimately, that’s a policy call.”
Note that, since the Director of National Intelligence reports directly to the President, the only level of policymaker Clapper has to defer to is in the White House.
There’s a lot of interagency and international discussion about cyber policy, the officials told the committee. “Clearly, we are all frustrated this is taking us longer than we would all like,” Adm. Rogers said. “It is not because of a lack of effort.”
Copying Data vs. Destroying It
Underlining how the confusion extends even to basic terms, Clapper repeatedly noted that the mass theft of data from the Office of Personnel Management (OPM) was not, strictly speaking, an “attack.”
“You said some things that I don’t understand,” Rep. Stewart asked. “It’s not an attack?”
“There was no destruction of data or manipulation of data,” Clapper replied. “It was simply stolen — so that’s a passive intelligence collection activity, just as we do.”
Note those four words: “just as we do.” Espionage is unpalatable but is not an act of war. Such nitpicking distinctions can be a big deal for US intelligence agencies, which are arguably the most closely overseen and tightly regulated on the planet, as well as the most far-reaching. Clapper made clear that before we publicly condemn others, move forward with international norms, or seek agreements that denounce certain kinds of cyber activity by others, we should consider the consequences for our own operations: “[Like] people who live in glass houses, we should think before we throw rocks,” he said.
Notably, the US considers espionage for intelligence purposes to be perfectly legitimate, but commercial espionage to be anathema. While we put a lot of weight on that distinction, said Clapper, “the adversaries, notably the Chinese, do not. They don’t see a difference at all.” (The French, Israelis, Russians and a host of other countries don’t see much difference either. See this excellent regular government report on such issues. The Editor)
Clear distinctions become even more important as hackers shift from simply “stealing” data — which is technically just copying it without authorization — to erasing or modifying it, for instance by introducing deliberate errors. Clapper and Rogers see this more destructive form of attack as increasingly likely in the future. It could be dangerously destabilizing if one nation-state sees wiping a network as routine cyber sabotage, but the victim sees it as an act of war.
“Nation-states use the spectrum of capabilities they have to attempt generate insights about the world around them,” said Rogers. (That is, they spy). “But that does not mean the use of cyber for manipulative or destructive purposes is acceptable.”
Ultimately, the world needs an agreement regulating cyber conflict, Clapper said, something “somewhat analogous to the Chemical Warfare Convention,” which also restricted a disruptive weapons technology. “Of course,” Clapper added, “it took many, many years for the Geneva Conventions to evolve, and I suspect it probably will in this case as well.”