Andy Kessler wrote an op-ed in the Wall Street Journal last week advocating for striking back against every cyberattack. I’ve written before about why that’s a bad idea for private organizations, yet in this case he’s advocating for a government response. While it’s very tempting emotionally, when we step back and look at the options and risk, it’s not really viable.
Look, I get it, we have nation state actors probing our networks, attacking our critical infrastructure, intercepting sensitive government communications, and conducting economic cyber espionage against us. We, and every nation state, do all that except for the economic espionage. The argument is that if these were kinetic attacks, we’d be dropping bombs on the perpetrators before lunchtime, but unfortunately the analogy doesn’t really apply.
First, there’s the problem of vulnerabilities. Unlike bombs where we can just manufacture more, once a particular exploit is used against a target, it’s likely spent. Upon discovery it’ll be remediated, so if we’ve used it to ‘fire a warning shot’, we may not have a capability to take more aggressive action in the future. That’s also true if it’s a simple credential compromise – once used, the credentials are changed, and we lose access for future action.
But what’s worse is the potential for the adversary to capture the exploit code and weaponize it against us. Or, and history shows this to be likely, a targeted attack causes widespread collateral damage because the code is self-propagating. Both bring us to the problem of stockpiling vulnerabilities versus having vendors patch them. We use many of the same systems as the bad actors do, so we’re at as much, or more, risk than they are. Put simply, I’d much rather have my water system or power grid patched so we stay up, than be able to take someone else’s down.
Of course, before we even have the option of hacking back, we have to know who hacked us to begin with. I’ve written in detail on the problem of attribution, and not much has changed. If it becomes known that we hack back reflexively, we’ll see one actor spoofing attacks by another in order to create international chaos. Hacking the wrong target, and even hacking the right one, risks significant escalation and puts our civilian population in jeopardy. The lead time to replace major components of our electrical grid, fuel pipelines, and water systems is measured in months, not days or weeks. Yes, we’re at risk of that now if, as one CISO put it, “the cyber cold war turns into a cyber hot war”, but so far, Mutually Assured Destruction (MAD) applies as much to cyber as it does to nuclear warfare. It’s irrational, but it works – and we can even back up cyber-MAD with kinetic attacks too.
A better option is to unilaterally declare, much like the START treaty, a Strategic Cyber Arms Reduction Effort (SCARE, yeah, sorry) by aggressively testing and remediating vulnerabilities across our critical infrastructure. Every vulnerability we find and patch removes the exploit from every cyber arsenal. Fewer cyber arms make for a safer world – and we have far more to lose than our adversaries.
Fortunately, most of the impactful attacks at the moment are economic in nature, and deserve an economic response. We can’t conduct economic espionage because no American company would ever use that information – lawsuits abound (and the government isn’t exactly going to sell foreign credit card numbers on the black market!). So the only viable option to address things like intellectual property theft, and one for which there’s widespread bipartisan support, is via trade policy and other diplomatic efforts, which are underway.
Those two efforts aren’t perfect. Diplomacy is open to violation of agreements. Testing and remediation is unlikely to find everything. Yet the combination is a far better option than playing chicken with critical infrastructure.