In the wake of World War II, Japan and the United States signed a security agreement that placed U.S. military bases in the Pacific in return for a promise to defend their host if attacked. A late April joint statement in Washington added a very interesting wrinkle to that arrangement.
Secretary of State Mike Pompeo announced that certain types of cyber attacks on Japan could trigger an armed response from the United States. This level of military commitment by the Trump administration is unusual in the realm of international response to offensive cyber maneuvers, and could signal a broader sea change in foreign policy.
To date, United States public response to cyber aggression by rival nations and foreign enemies has tended to be tepid. Russia has made regular incursions in recent years, including meddling in elections and exploring critical infrastructure such as power grids. Public responses have tended to consist of little more than naming and shaming, however. There has been no visible and serious effort to coordinate an international response to these attacks.
Of course, hacking-in-kind is most certainly going on behind the scenes. This is evidenced by incidents like the hacking of Chinese mobile phone companies and universities by the CIA, which was only revealed to the public due to the Edward Snowden leaks. To date, the international status quo appears to have been a general tolerance of these acts; at the very least, an armed military response was clearly off the table even in the case of fairly serious hacks.
This particular statement was clearly prompted by the actions of China, which has ramped up to about 128 billion cyber attacks on Japan each year. While it is still very unlikely that the United States would ever take military action against China for these attacks, the language of the statement is unusually strong.
While all-out war in response to nation-state hacking would be untenable, there are signs that United States allies are less willing to accept the status quo of letting brazen cyber attacks slide. Consequences are being discussed, and the most likely shape they would take would be a NATO-like alliance in which a large-scale joint offensive cyber response occurs when any one member state is attacked online.
A unified international response?
The United States regularly shares information with the intelligence agencies select allies through the Five Eyes program, but there is currently no real international treaty that provides for a clear unified international response to cyber attacks.
Rival trading partners like China have no fear of probing and exploiting networks, let alone outright enemies such as North Korea. The most brazen of these countries not only make attempts at spying on government agencies, but also target businesses and individuals for profit-making schemes such as ransomware attacks. Unlike traditional military engagements, the private sector and civilians are often either directly targeted by these offensive cyber plays or are simply caught in the crossfire when there is a data breach.
The possibility of an overwhelming international response from a unified alliance might curb some of these hostile cyber adventures, in a model similar to those used to levy sanctions. Establishing an international consensus on how to define and categorize attacks and appropriate levels of offensive cyber for each would definitely be a difficult task, but the United States is at least exploring the idea in private talks with its allies.
What the consequences might look like
While any possible international response agreement of this nature is still in the most rudimentary level of discussions, the United States has made recent moves internally to free up the country’s Cyber Command to engage in offensive cyber operations against known threat actors.
In 2018, Congress approved a range of new authorities for the Cyber Command. Specifically, much more leeway was given to conduct operations classified as “clandestine” in order to quickly respond to threat actors with offensive cyber without having to seek approval from other federal agencies. These authorities can be applied in response to cyber threats from four specific nations notorious for their regular hacking attempts on United States targets: Russia, China, North Korea and Iran.
The federal government stresses that these offensive cyber capabilities are only used as preemptive defense and in response to specific threats as a deterrence method. While much of this necessarily takes place in the shadows, one public example of these new policies in action was the 2018 election day strike on the Russian “troll farm” Internet Research Agency (IRA). The attack took the organization offline during voting to disrupt their disinformation campaigns.
In a February interview in Joint Forces Quarterly magazine, Director of the National Security Agency Paul M. Nakasone described the US Cyber Command’s new cyber defense posture as “persistent engagement.” He describes it as mirroring the practices of the Air Force and Navy, which actively patrol borders at all times looking for potential incursions. Nakasone also described the balance of power as constantly shifting in cyberspace, requiring continual active measures to maintain initiative and continually develop useful tools (which sometimes have a shelf life of mere months before obsolescence).
The nuances of offensive cyber
Critics worry that if national cyber security postures such as these become common, it could lead to increased international spying or even a new internet-based Cold War. There is some legitimate question as to exactly what the U.S. means by “defending forward” in the long term, given past actions like the Stuxnet attack on Iran’s nuclear reactors. One important focus of any national alliances for combating cybercrime would be the formation of norms that could help to more widely standardize international response to these incidents; at the moment, the “norm” is freedom to conduct a broad range of attacks with little fear of consequential retaliation.