The administration’s top cyber officials outline various policies for actively combatting cyberattacks and discuss the future of government operations.
Is the U.S. ready to go on offense in the cyber domain? It is certainly taking incremental steps in that direction. Exclusively focusing on defensive measures will not deter malicious behavior such as theft of intellectual property or manipulation of data, Adm. Michael Rogers, commander of U.S. Cyber Command and the director of the National Security Agency, said at the AFCEA Cybersecurity Technology Summit in Washington today. According to Rogers, the United States right now is reacting rather than acting.
So what steps are officials taking to deter threats? This week, the President Barack Obama signed a first-of-its-kind executive order that sanctions individuals who conduct malicious cyber activity that threatens U.S. national security, foreign policy or economic stability.
Michael Daniel, White House cybersecurity coordinator, said at the conference the new executive order enables the government to utilize a new tool against cyber threats. The online community allows for a great deal of anonymity and hackers have grown accustomed to lack of reprisal, especially if they exist in other nations or jurisdictions. The sanctions can prevent cyber criminals from hiding because, now, their assets will become blocked. Daniel said that the United States developed this framework while coordinating with many international partners and that those partners could implement similar measures.
Another added benefit of the executive order is that international partners and organizations typically follow and concurrently block individuals or groups that the U.S. designates as terrorists, narcotraffickers and criminals because they do not want to do business with them either.
The White House also has called for legislation from Congress that prosecutes certain cyber crimes such as the use of botnets and the sale of individual financial information overseas, Daniel said.
Despite those moves, the government has a long way to go toward an active cyber defense. In early March, Rogers alluded to the fact that deterrence in the cyber domain is relatively undeveloped. “This is still the early stages of cyber in many ways…so we're going to have to work our way through this,” he told a group gathered for a New America Foundation cybersecurity conference. Rogers did say that the executive order signed this week was a step in the right direction in terms of offensive capabilities and deterrence.
Both Rogers and Daniel lauded the recently established Cyber Threat Intelligence Integration Center as another measure that will help the government decide when to act in response to an attack. The new center will collect and analyze the latest data on cyber threats and share that information with Intelligence Community agencies. Daniel described it as the internal glue of the government that will provide a more integrated view to position government resources. Modeled after the National Counterterrorism Center, CTIIC will apply the lessons learned from counterterrorism and 9/11 to the cyber realm and the intelligence community.
The cyber realm is still undefined for the most part, with many private-sector groups and government agencies learning on the fly. Daniel compared the current cyber climate to the time after World War II, rather than pre-9/11, because at that time, the U.S. did not know how the Cold War would play out. This analogy applies today because the frameworks developed to combat malicious cyber activities will last for years to come. Cyber, he said, cannot be a strategic liability.