16 September 2016

Cyber red lines: ambiguous by necessity?

September 8, 2016

Members of Congress, academia, industry and policy circles have derided the lack of clear red lines in cyberspace -- cyber acts that would, without question, warrant a response. However, from the government’s perspective, some level of strategic ambiguity in red lines allows for critical political wiggle room.

“Currently most countries, including ours, don’t want to be incredibly specific about the red lines for two reasons: You don’t want to invite people to do anything they want below that red line thinking they’ll be able to do it with impunity, and secondly, you don’t want to back yourself into a strategic corner where you have to respond if they do something above that red line or else lose credibility in a geopolitical sense,” said Sean Kanuck, who most recently served as national intelligence officer for cyber issues within the Office of the Director of National Intelligence. “There’s an interest in ambiguity from a strategic sense that also leads to a strategic uncertainty. So it’s two sides of the same coin…If you don’t have specific red lines, you don’t have specific necessarily action plans in certain scenarios.”

Kanuck spoke Sept. 7 at the 2016 Intelligence and National Security Summit in Washington.

While attribution, an elusive component in the cyber domain, appears to be much less convoluted in the physical world, at least one military official expressed a contrary view.

“While cyber is difficult and we’re still maturing, it’s not like it’s easy in lots of other domains. You look at questions about who shot down the [Malaysia Air passenger jet] over the Ukraine [in 2014], who’s doing what in other countries -- often it’s not quite clear, it’s hard to prove exactly who was behind it,” said Lt. Gen. Kevin McLaughlin, deputy commander at Cyber Command. In the case of the downed jet in Ukraine's disputed Crimea region, many believe the plane was shot down by separatists using Russian-supplied surface-to-air missiles; however, there is still some doubt.

In responding to these incidents, McLaughlin noted that in some cases, it can be difficult to discern if a red line was crossed, leading to focused policy discussions that can go on for days or weeks. In instances where the government must respond quickly, McLaughlin said “we have many of those authorities where it’s clear within a limited set of things [that] we’ve crossed some threshold…and in limited cases we can respond” within the rules and policies set forth.

Others, while sympathetic to the government’s position on strategic ambiguity, aren’t totally buying in.

“I do understand the piece about you don’t want to define [red lines] so clearly that then we’re locked in or the adversaries think they can go right up to the red lines as long as they don’t cross it, but there’s got to be some messaging to our adversaries so that [adversaries] clearly understand,” Shawn Henry, president at CrowdStrike, said during the panel. “There’s certain issues I think if we wait until after the action occurs, we are in a very difficult situation…I think that there are some lessons that we can learn about what the communications need to be like, what the discussions should be like in order for the adversaries to really recognize our intent.”

Greg Shannon of the White House's Office of Science and Technology Policy noted during the discussion that the administration, in policy directives and executive orders, has outlined that attacks on critical infrastructure are a “red line.” While this is still playing out and the government is in the beginnings of laying out policy, red lines ultimately come down to definitions, he said.

From the outside, the administration appears to still be working through these definitions in defining exactly when and how to respond to certain incidents. Acting Assistant Secretary of Defense for Homeland Defense and Global Security Thomas Atkin told the House Armed Services Committee in June that the government has a responsibility to defend against attacks of significant consequence, determined by whether there is loss of life, physical damage, an economic impact or an impact on American foreign policy. However, Atkin noted that these factors are determined on a case-by-case basis.

“As far as an attack of significant consequence, which DoD would respond to in the homeland, we don’t necessarily have a clear definition that says this will always meet it,” Atkin said, noting the decision is based upon the four aforementioned criteria. “There are some clear lines in the road which we would evaluate any specific cyber act or incident in how we would respond to that.”

Regarding acts of war in the cyber domain, Atkin noted that “that has not been defined – we’re still working toward that definition across the interagency.”

McLaughlin added that over time, greater clarity in cyber red lines will emerge.

“I think those red lines in the cyber area will firm up to some degree, but I think you’ll see a lot of it generate down to what actually was the country trying to do?” he said. “It’s often not that the action itself in cyber was the thing that crossed the red line, it’s often what was the objective of the organization behind it and was the actual end result or what they were after [crossing] a red line?” 

