Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?
In the spring of 2015, after a wave of cyberattacks on the US of increasing frequency and severity, President Barak Obama made a dramatic announcement.
The level of hacking and cyber-espionage against the US had created an "unusual and extraordinary threat to the national security, foreign policy, and economy" of the country, said the President, declaring a national emergency to deal with the threat. His executive order allowed the US government, for the first time, to pursue sanctions against those who attacked US critical infrastructure or stole secrets.
"Cyber intrusions and attacks — many of them originating overseas — are targeting our businesses, stealing trade secrets, and costing American jobs," the President warned, pointing to the North Korean attack on Sony Pictures' computer systems and the Iranian hackers who had targetted US banks as just two examples of the threats the country faced.
Since then the national emergency has been extended three times (it must be reconfirmed every year), but the attacks against the US and its allies continue.
Indeed, the ongoing state of emergency did little to deter the most spectacular hacking and disinformation campaign in recent years: Russia's meddling in the 2016 US presidential election.
Russia is not alone in pursuing cyberattacks—which show little sign of stopping—to advance its aims: the US government and its allies have long complained about the behaviour of China as well as Iran and North Korea.
Declaring a cyber state of emergency was the first high profile attempt by the US to stop the almost constant attacks on its computer systems. Despite years of sanctions, indictments, and other attempts to combat hackers that have followed, the attacks have continued. And experts have warned it could be 20 years before the situation is brought under control. So why can't the hackers be stopped?
How can governments stop hackers?
It's not that the US hasn't tried to deter cyberattacks, rather that the techniques the country, and its allies, have used so far haven't been very effective at stopping the bombardment.
"We have seen consistent intrusions and intrusion attempts," said Benjamin Read, manager of the cyber-espionage team at security company FireEye.
Cybersecurity is a tough concept for politicians to get their heads around. Foreign agents sneaking into computer systems to steal secrets is crazy enough; the idea of enemies hacking into the computers which control critical infrastructure like power stations to cause destruction can seem like something out of an airport thriller—but is scarily real.
But while politicians try to wrap their heads around the concept of "the cyber," in the absence of a clear legal framework, hackers and spy agencies are experimenting to see what they can—and can't—get away with. It's this uncertainty and lack of rules, and in particular the lack of any obvious deterrent, that's creating an online free-for-all.
Cyberattacks are cheap, too: No need for a huge military might when all you need is a few smart people and a bit of computer code to start a hacking campaign that can cause headaches for some of the biggest nations on the planet. For a state with few other options, cyberattacks can be a potent weapon.
What makes cyberattacks an even more enticing option is that it's often hard to work out who is actually responsible for a particular incident, making it a handy way to cause trouble without getting caught. Nations often outsource these kinds of intrusions to freelancers who are adept at covering their tracks, making it harder to point the finger of blame. One example: an intrusion that took French TV station TV5Monde off the air was first thought to be the work of the "Cyber Caliphate" linked to ISIS, but is now blamed on Russia-backed hackers who deliberately left a false trail.
Complicating matters even further is the often-forgotten reality that all countries commit espionage—even against their own allies—to understand capabilities and intentions. There's also an unwritten rule that defence contractors and government agencies are considered to be fair game when it comes to espionage, digital or otherwise.
For Western governments, it has proved difficult to make a clear distinction between what they consider standard (if unsavoury) elements of statecraft—like 'standard' espionage—and those activities that they deem unacceptable—such as industrial espionage, election meddling, destructive cyberattacks, and even cyberwarfare.
Hacking is cheap, easy, deniable, and everybody is doing it. No wonder it's proving so hard to stamp out.
How does cyber-deterrence work?
All of this makes for a complicated backdrop against which Western governments are struggling to build some kind of strategy to deter cyberattackers.
"What deterrence is fundamentally about is making the cost of doing something too high for someone to want to do it," says Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute (RUSI), who was previously with Joint Forces Command with responsibility for the development of cyberwarfare capabilities.
"The two forms we've tended to see is deterrence through hardening—just making something too difficult to be done—or deterrence through punishment, where you impose a cost on the individual or organisation," he says.
Hardening defences should be the easy part. Many of the most basic attacks—such as the Russian attacks on routers and network infrastructure that the FBI and the UK's GCHQ warned about recently—could be deflected by basic security measures like changing default passwords.
However, while governments have more control over their systems, they have less ability to insist that businesses and individuals improve their own security, which is generally pretty terrible, because there are always better things to do. That means there is always a backdoor open to the hackers—and too often the front door, too.
According to one estimate, more than two-thirds of the UK's critical infrastructure bodies suffered an IT outage in the last two years, a third of which were likely due to cyberattacks. Few companies can survive a sustained assault by hackers, and even fewer are prepared to defend against state-backed attacks.
"The unfortunate reality is that, for at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States' ability to defend and adequately strengthen the resilience of its critical infrastructures," warns a 2017 US Department of Defense report on cyber deterrence.
Attempts to tackle the other side of that deterrence equation—imposing a cost on the hackers—have proved even more complicated.
Earlier in 2018 the US director of national intelligence Dan Coates warned that Russia, China, Iran, and North Korea "will work to use cyber operations to achieve strategic objectives unless they face clear repercussions for their cyber operations."
However, finding a set of effective deterrents remains at best a work in progress.
Some state-backed hackers are looking for trade secrets, some are looking for weaknesses that could be used in future attacks, some are looking to steal money—and others want to just stir up trouble. Some want to do all of these things at once. Each of these motivations requires a different response.
"In order to have effective deterrence from a US standpoint it's very important that we not just think about this in terms of cybersecurity defence and offence, but the cultural aspects of various nation states and their motivation," said Trevor Rudolph, a New America cybersecurity fellow who was chief of the Cyber and National Security Division at the Office of Management and Budget during the Obama administration.
Over the last half-decade, the US and its allies have tried to deter state-backed hackers with everything from publicity to sanctions and indictments, and (maybe) even attempts to hack back against assailants.
While governments have plenty of practice at responding to a traditional armed assault because they've been dealing with those pretty much since countries were invented, calibrating a response to a cyberattack remains tricky.
"Ultimately it's not about responding to a cyberattack with cyber means, it's about looking at the full toolkit you have as a state in terms of diplomatic, economic, military, and others, and determining the right set of incentives and penalties you're going to apply to a country that's behaving in a way that is unacceptable," says Dmitri Alperovitch, CTO at security company CrowdStrike.
Cyber-deterrence trial and error
The US, in particular, has been testing a variety of different deterrent strategies over a number of years, since even before President Obama announced his national cyber emergency. China was the first country openly tackled for its cyber-espionage when, in May 2014, a grand jury indicted five Chinese military hackers for hacking directed at companies in the US nuclear power and solar energy industries (see timeline below).
A summit between President Obama and Chinese President Xi Jinping followed a year later, at which both countries promised not to use commercial cyber-espionage. Chinese attacks slowed, at least temporarily. But, according to the US intelligence agencies, China continues to use cyber-espionage to try and break into defence contractors and communications firms in particular.
China is also targeting confidential business information such as pricing strategies or mergers and acquisitions data says FireEye's Read. "What we've seen pop up is Chinese groups targeting US law firms, US investment companies, and so on, stealing information in support of economic goals."
Attempts to curb cyber intrusions by Iran have also met with similar, limited, success.
In March 2016 charges were announced against seven Iranians over distributed denial of service attacks against US companies; one man was also charged with unauthorized access into control systems of a US dam. In March 2018 the US Department of Justice charged nine Iranians with stealing more that 31 terabytes of documents and data from more than 140 American universities and 30 American companies.
The US also tried using sanctions against North Korea over its hacking attack on Sony Pictures in what was the first use of sanctions by the US in response to cyber-espionage.
It's possible, although still unclear, that the US may have also responded to Pyonyang's attack on Sony Pictures by taking North Korea's internet offline for a short period of time, but even this has done little to curb North Korea's activities.
But North Korea continues to use cyberattacks to gain intelligence and in particular to steal funds to prop up the state. "They've really veered into the crime angle," Read notes.
While attempts to curb the behaviour of China, Iran, and North Korea has been limited in its impact, the biggest challenge the US faces at the moment is from Russian interference.
Russia has been blamed for the hacking of the Democratic National Committee and the subsequent leaking of emails. Kremlin-backed groups have also been accused of using disinformation campaigns across social media to stage arguments and undermine trust in the US political system during the 2016 Presidential campaign.
For its part, Russia has denied any meddling. President Putin has denied Russian state involvement in any election meddling, although he did not rule out that Russian hackers might be involved.
"If they are feeling patriotic, they will start contributing, as they believe, to the justified fight against those speaking ill of Russia," he told journalists in 2017. But then, in March 2018 Putin again denied Russian state involvement: "Why have you decided the Russian authorities, myself included, gave anybody permission to do this?" he told NBC News.
US intelligence warns that Russian intelligence and security services continue to probe US critical infrastructures, as well as target the US, NATO, and allies for insights into US policy. Attempts to deter Russian meddling seem to have had little impact.
"It has not changed the calculus or the behaviour on behalf of the Russians," said then-NSA chief Admiral Mike Rogers in February 2018 according to CNN. "They have not paid a price that is sufficient to change their behaviour," he added. Indeed, in the years since the Russian campaign was uncovered, the US has struggled to come up with a set of effective options to punish the attackers and stop it happening again.
In December 2016 President Obama responded to revelations about Russian behaviour by expelling diplomats and closing two Russian properties. President Trump added to those moves with new sanctions in March 2018—which had been approved by Congress seven months earlier—and accused Moscow of attempting to hack the US energy grid. Critics said these sanctions did not go far enough.
"The sanctions... are a grievous disappointment and fall far short of what is needed to respond to that attack on our democracy," said Adam Schiff, senior Democrat on the House of Representatives Intelligence Committee (more sanctions were imposed on Russia in May 2018).
SEE: When Russian hackers targeted the U.S. election infrastructure (CBS News)
Deterring Russia is, for the US, further complicated by Donald Trump's own response to the hacking revelations.
In the Presidential race he—jokingly—invited Russia to hack Hillary Clinton, saying: "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing."
Since winning the election he also has been somewhat inconsistent in his response, and was initially reluctant to blame Russia for election meddling. At the Helsinki summit in July he said President Putin had been "extremely strong and powerful in his denial" of Russian interference and said "I don't see any reason why it would be" that Russia had interfered in the election.
The President later clarified he meant to say "I don't see any reason why it wouldn't be Russia." Trump has also said he held Putin personally responsible for the attacks.
The Senate Intelligence Committee said that Russia had tried to help Trump and hurt Hillary Clinton with its campaign; the Trump administration for its part has insisted that the Russian meddling had no impact on the outcome of the election.
But this level of ambiguity about Russian election interference from the top of the US administration— about who did it, why, and how much impact it had—likely makes it harder for US actions to punish Russia's behaviour to have much real impact.
The limits of naming-and-shaming
One tactic the US has used with some success is to be more public about Russian attacks; it has also coordinated with other countries to go public.
"The US government using its own sources and methods coming out solo in saying 'This nation state did a bad thing' will have a debatable effect. What I think is more effective is if an international body or a group of nations can come out and conclusively say that a particular nation state or group did something," said Rudolph.
In February 2018, seven nations—the US, the UK, Denmark, Lithuania, Estonia, Canada, and Australia—blamed the NotPetya ransomware attacks on Russia, with support from New Zealand, Norway, Latvia, Sweden, and Finland. Similarly, it was the US along with the UK and Australia in April 2018 that complained about Russian interference with routers and internet infrastructure.
Creating a broader coalition makes its condemnation stronger and harder for a country to shrug off.
But although naming-and-shaming may have worked against Chinese industrial cyber-espionage (at least in the short term), it doesn't seem to be particularly effective against the Russians. While the Chinese government doesn't like to be embarrassed in this way, Russia seems much less concerned.
While Moscow consistently denies conducting any of these attacks, it doesn't seem to mind the accusations too much—if only because it acknowledges the Russian state's capabilities. Indictments aimed at individuals are unlikely to ever lead to trials as foreign governments will never hand over these suspects.
"If you look at the Russian government, you have to pair unilateral sanctions with international sanctions and the real threat of retribution. What we did in the last [Obama] administration in response to the election meddling was insufficient at best," said Rudolph.
Some analysts go further: "Building cyber-deterrence through a mix of both national capabilities and global norms that guide behavior has been a cornerstone of US cyber security since the very realm first emerged. Today, it is not just challenged, but in utter collapse," said cybersecurity expert Peter Singer in a January 2018 article. For some experts the US response to Russia's behaviour has been slow, and lacklustre.
So what would a stronger response look like? RUSI's Lawson suggests that targeting Russian oligarchs and their wealth could be effective. "All of this comes with a degree of risk, and one of the things we don't do very well these days is accept risk. None of these things have a 100% guaranteed outcome, but the do-nothing option is not an option either," he says.
"At the moment for Russia there are no consequences. For Putin it all seems to be working," said Lawson.
So has there been any deterrent effect of Western governments' measures so far against Russia? "Not one that I've heard communicated in a very effective way, and certainly not one when I've spoken to Russians that I think they would recognise as such," says Lawson.
But Rudolph sees some positive developments. The US plans to invest more in identifying who is really behind an attack. The National Security Strategy published in 2017 specifically mentioned plans to invest in capabilities that improve the ability of the US to attribute cyberattacks more effectively, and there is now more of a recognition that the one-size-fit-all approach to cyber-deterrence doesn't work.
"That's something I've seen the Trump administration start to evolve, and I do believe they have different response packages, and for different nation states and that's not something we always had," Rudolph said.
Where does cyber-deterrence go next?
There is always the chance that nation states will change their minds about their use of hacking and cyber intrusion.
As recently as 2009 Russia was keen for a treaty with the US covering the use of cyberweapons. This would have banned countries from embedding code in the systems of other nations and imposed a ban on the use of deception to disguise the source of cyberattacks. The US wasn't interested, however. President Trump has also floated the idea in 2017 that the US and Russia create an "an impenetrable Cyber Security unit" to prevent election hacking, but this didn't get very far.
"I'm sceptical as to whether we can develop a meaningful or effective deterrent strategy," said Rudolph.
It will likely take years, or even decades, for rules to finally emerge that govern cyber-espionage and cyberwarfare, so countries will continue to jockey for position for years to come until norms are established. A failure to establish boundaries accepted by all means that the risk of accidental escalation remains; if the rules of engagement aren't clear, then a relatively trivial hacking incident could rapidly turn into a full-on confrontation.
More worryingly, the kind of cyberattacks that governments are required to deter may also change over time. As societies become more reliant on technology—like the Internet of Things—the risk of catastrophic cyberattacks will rise.
"A large-scale cyberattack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water. Thus far, we have only seen the virtual tip of the cyberattack iceberg," said a 2017 report on cyber deterrence.
Governments might choose to deter the largest attacks with the largest weapons in their military arsenals. It was recently suggested that a sufficiently serious cyberattack could result in a nuclear response, which not everyone thinks is far-fetched.
"I think the national security community has lacked a bit of creativity when it comes to thinking of the sheer scope and scale of a massive cyberattack, and the physical consequences that come from that, so I think the nuclear deterrent is interesting—it's part of the evolution of what is going to be a truly effective deterrence. We just don't know yet, and I don't think we will know for about 20 more years," said Rudolph.
One further complication is that rival countries have very different definitions of national security and how to protect it—understanding these differences will be key to creating an agreed set of rules. This makes cyberwar a question of language, not computer code.
RUSI's Lawson argues the West's adversaries aren't playing by the same rules "so surely it makes sense to continue the conversation and at least start to explore where the boundaries lie."
For example, Russia is—among other things—very concerned about the ability of the West to influence its population through the internet in the way that it did in the past through radio stations, and sees its own election meddling as acceptable through that prism of suspicion.
"It's about continuing the conversation," said Lawson. "If it does take 20 years for norms to appear in part that will be our fault for making the decision not to engage."
But for now, many nations states will judge that using hackers to spy on, disrupt, distract, and steal from rival states remains a cheap, effective, and relatively risk-free option. Until something changes, expect to see plenty more of the same.
A brief history of cyber-deterrence
In the last few years the US government and others have made various attempts to stop hacking attacks by countries including Russia, China, North Korea, and Iran, with mixed results.
A grand jury indicted five Chinese military hackers for computer hacking, economic espionage, and other offences directed at companies in the US nuclear power, metals, and solar energy industries. This was the first time charges were levelled at state-sponsored hackers for economic espionage. "For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries," said then-FBI Director James Comey.
Internet service in North Korea is disrupted shortly after President Obama said the US would respond to North Korea's attack on Sony Pictures "in a place and time and manner that we choose." If this was a US attack, it would be the first publicly known retaliation by the US against a cyberattack.
US government imposes sanctions on North Korea following its "destructive, coercive cyber-related actions during November and December 2014." This is the first time sanctions are used to respond to a cyberattack.
President Obama declares a national emergency to deal with cyberattacks, saying: "The increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States." The executive order authorises a set of new sanctions against individuals or groups whose cyberattacks result in significant threats to the US, and gives authorities the power to freeze assets or apply sanctions against companies that knowingly use stolen trade secrets.
Agreement on commercial cyber-espionage. President Obama and China's President Xi Jinping agree that "neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."
Charges are announced against seven Iranians for conducting a coordinated campaign of DDoS attacks against 46 companies, mostly in the US financial sector, from late 2011 through mid-2013. One man was also charged with gaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, in Rye, NY, in August and September of 2013.
US places sanctions on Russia over election meddling.
"Russia's cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government. These actions are unacceptable and will not be tolerated," the White House said. The April 2015 executive order is extended to authorise sanctions against those who: "Tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions."
The Department of Defense's Defense Science Board Task Force on Cyber Deterrence warns: "It is clear that a more proactive and systematic approach to U.S. cyber-deterrence is urgently needed."
The national emergency is extended. "The President believes that the significant cyber-enabled activities continue to pose an unusual and extraordinary threat to our national security and economic prosperity, and therefore he has determined that it was necessary to continue this national emergency," said then-White House press secretary Sean Spicer.
Three Chinese nationals are indicted for computer hacking, theft of trade secrets, conspiracy, and identity theft directed at US and foreign employees and computers of three corporate victims in the financial, engineering, and technology industries between 2011 and May 2017.
The US National Security Strategy says the country will "impose swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyber activities." It adds: "We will also invest in capabilities that improve the ability of the United States to attribute cyberattacks."
The US and the UK blame Russia for NotPetya ransomware, saying: "It was part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyberattack that will be met with international consequences."
More US sanctions on Russia following election meddling and NotPetya. "The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in US elections, destructive cyberattacks, and intrusions targeting critical infrastructure," said Treasury Secretary Steven Mnuchin.
The US Department of Justice charges nine Iranians with conducting a massive cyber theft campaign, stealing more that 31 terabytes of documents and data from more than 140 American universities and 30 American companies.
Cyber state of emergency extended again. "Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States," says President Trump.
The US, the UK, and more accuse Russia of hacking into networks. "We have high confidence that Russia has carried out a coordinated campaign to gain access to enterprise, small office, home office routers known as SOHO routers and residential routers, and the switches and connectors worldwide," said Rob Joyce, White House cybersecurity coordinator.
The US State Department publishes a document on cyber-deterrence that warns "Strategies for deterring malicious cyber activities require a fundamental rethinking."
The US Treasury Department announces further sanctions against five Russian companies and three individuals, part of its attempt to tackle "Russia's malign and destabilizing cyber activities." The Treasury said the sanctions targeted Russia's cyber and underwater capabilities, and said "Russia has been active in tracking undersea communication cables, which carry the bulk of the world's telecommunications data."
The Justice Department indicts 12 Russian hackers thought to be responsible for the 2016 cyberattack on the Democratic National Committee.
The US Department of Justice charges a North Korean programmer with involvement in some attacks including the WannaCry ransomware outbreak in 2017, and the attack on Sony Pictures Entertainment in 2014.
The US charges Russian military officers over international hacking and disinformation campaigns: the charges relate to attacks against the World Anti-Doping Agency in an effort to undermine it following the exposure of a Russian state-sponsored athlete doping program.