Going on Offense: State-Sponsored Offensive Cyber Operations

The Trump Administration is supporting an often-cited but infrequently described element of the cyber domain – offensive cyber operations. In August of 2018, President Trump rescinded the Obama-era Presidential Policy Directive 20 (PPD-20), whose critics suggested the directive delayed and obstructed the path that would enable the United States to effectively conduct offensive cyber operations. PPD-20’s replacement is the classified memorandum – National Security Presidential Memorandum 13 – an explicit memorandum on conducting offensive cyber operations. Additionally, the White House’s recently released cyber strategy implies a more aggressive willingness to deploy offensive operations against nation-states and criminal groups in the cyber domain.

In a recent appearance at the Center for Strategic and International Studies in Washington D.C. former National Security Agency Director Michael Rogers expressed his support for offensive operations stating, “My argument when I was in government was, we want to keep the full range of options and capabilities available. One of the things that frustrated me at times was: Why are we taking one element just straight off the table? I just thought…if you’re in Moscow or Beijing, you are loving this approach to life because it doesn’t really change your risk calculus.” But, for all the attention such operations have received in the news, it’s important to define offensive cyber operations and worthwhile to investigate Admiral Rogers’ suggestion that U.S. adversaries have embraced and “love” the offensive cyber approach.

Offensive Cyber Operations

Discovering what offensive cyber operations are is a complicated task. One inherent pathology to the cyber domain is the frequent and inconsistent use of definitions within the field. Part of this difficulty stems from not only the global nature of the cyber domain, but its continued evolution and complexity. Luckily, the Australian Strategic Policy Institute (ASPI) provides an adequate definition of state-sponsored offensive cyber operations as operations that are designed to manipulate, deny, disrupt, degrade, or destroy targeted computers, information systems or networks; which for the intents and purposes of this article, will suffice.

Adversaries on the Offense

Reflecting back on Admiral Roger’s suggestion that U.S. adversaries embrace the offensive approach to cyber is worth further discussion. We see ample evidence of cyber operations in day-to-day news. Some examples of other nations using offensive cyber operations include:

China:

Overall China conducts such operations to offset its existing imbalance in conventional military forces as a way to better position itself in the global marketplace. According to a 2018 IP Commission Report China has stolen more than $300 billion dollars from U.S.-based companies. China has also been responsible for the 2015 breach of the Office of Personnel Management where 21 million records were stolen. There is also a measurable decrease in Chinese-sponsored cyber attacks that have taken place against the U.S. which, some have suggested, is the result of the U.S.-China agreement that the respective governments would not conduct or knowingly support cyber-enabled theft of business secrets.

North Korea:

North Korea utilizes cyber operations as a means to finance illicit state activity and project power. It is a useful tool for the North Koreans to circumvent economic pressures from sanctions and to fund national initiatives. Most notably, North Korea was responsible for the 2014 Sony Pictures hack. North Korea has also targeted the private industry of its neighbors. In 2011, North Korea conducted a destructive attack on South Korea’s Nonghyup Agricultural Bank, impacting more than 30 million customers for nearly a week by destroying critical bank information.

Iran:

Cyber operations have become a hallmark tool of Iranian statecraft. Attacks in 2018 have also demonstrated that Iran’s cyber operations are increasing in sophistication. Most recently, Iranian hackers have been breaching defense contract networks, oil and gas companies, tech firms, telecommunications providers, and aviation firms. The Trump administration also recently indicted an Iranian-sponsored hacking group that allegedly targeted dozens of U.S. universities, companies, and government agencies—as well as the United Nations—and stole roughly 31 terabytes of data and intellectual property from entities worldwide. As a threat actor, it’s also important to note that Iran’s cyber sophistication has increased exponentially in a relatively short period of time.

Russia:

Russia is one of the world’s foremost adversaries in the cyber domain, particularly when it comes to targeting Western nations. Russia continually deploys a wide-range of aggressive cyber operations to undermine democratic institutions and to demonstrate strength through non-kinetic means in what are called “active measures.” Russia has engaged in activity targeting U.S. energy and other critical infrastructure sectors, U.S. elections, and has even gone so far as to access routers in private homes of U.S. citizens. Today, Russia has reportedly targeted more than 500 people or institutions to include senior leaders such as Colin Powell, the Clinton campaign, the Democratic National Committee, and, according to US-CERT, are now targeting U.S. critical infrastructure. Following ASPI’s definition, one can see how Russia has gone far beyond using cyber as a means to collect valuable intelligence and has advanced its cyber capabilities to not only further its strategic objectives but also to “manipulate, deny, disrupt, degrade” networks in the United States.

U.S. on the Offensive

While we can readily identify what our adversaries’ offensive cyber operations look like, it is more difficult making projections as to what the new U.S. approach to offense in the cyber domain might look like. We’ve seen historical examples in the past such as the Stuxnet operation or Siberian pipeline efforts by CIA, which show that the U.S. has, at least to some extent, initiated in offensive cyber operations before. But, compared to our adversaries, it would seem that U.S. offensive cyber operations are not nearly as brazen. That being said,  proponents of the new approach, like National Security Adviser John Bolton, have yet to articulate what sort of offensive cyber operations the United States would pursue in attempting to thwart our adversaries. Moreover, a review of the White House cyber policy clearly shows that like many cyber-related strategies before it, it is heavily oriented on securing existing networks and doesn’t mention the words “offense” or “offensive” once.

There is some speculation that a component of offensive cyber measures could be used in part to retaliate against Russia’s nefarious cyber activity. To that end, Pillar III of the new White House Cybersecurity Strategy entitled Preserve Peace Through Strength explicitly calls for the imposition of consequences and countering malign cyber influence operations.

A new/renewed American offensive approach to cyber may provide some sense of relief to organizations who often have no opportunity for recourse if attacked or compromised by another nation state in the cyber domain. Existing law prevents private sector entities from engaging in what is generally referred to “hacking back”. The hacking back option often gains political salience when companies suffer major cyber breaches and, in legal parlance, are unable to be made whole from the resulting damages. If the U.S. begins to retaliate in the cyber domain on the behest of the private sector and victims of foreign cyber operations, nation state actors might adjust their calculus when attempting to breach the networks of private sector organizations.

Staying Ahead

Keeping up with the myriad of policy changes that can impact private organizations is no easy feat. At N2K, our executive training programs offer unique insights on how organizations can factor in everything from changes in policy to the ever-changing regulatory environment into their overall cyber risk calculus. Moreover, our programs are loaded with additional content to keep busy senior business leaders apprised of the latest news in cyber and what it could mean for your organization.