John Carlin on "Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats"

By Benjamin Wittes
Tuesday, June 21, 2016, 1:37 PM

Assistant Attorney General John Carlin, who runs the Justice Department's National Security Division, has a new paper out in the Harvard National Security Journal entitled "Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats." I have not read it yet and may have comments after I do. In the meantime, the introduction reads as follows:

The United States faces an inflection point when it comes to the Internet’s effect on daily life. What has enriched our economy and quality of life for the past several decades may start to hurt us more than help us, unless we confront its cybersecurity challenges. Waves of network intrusions—increasing in number, sophistication, and severity—have hit American companies and the U.S. government. In 2012, former CIA Director and Defense Secretary Leon Panetta described the nation’s cybersecurity weaknesses as presenting a “pre-9/11 moment.” And in July 2014, the 9/11 Commission itself warned: “We are at September 10th levels in terms of cyber preparedness.” Following that ominous prediction, in a span of less than two years, the United States was besieged by intrusions originating from around the globe. There was no single target, and no common perpetrator. Our adversaries stated or demonstrated that they hacked on behalf of China, North Korea, Syria, Iran, and many others. They stole sensitive information from government databases, damaged and destroyed private companies’ computer systems, and—in a new twist—even targeted individuals’ personally identifiable information to benefit terrorist organizations. The list of victims is broad and varied—the private sector, the government, and individual citizens. The past two years have publicly demonstrated the extent of the threat.

Former Federal Bureau of Investigation (FBI) Director Robert Mueller once offered the following analogy to describe our growing cyber vulnerabilities:

In the days of the Roman Empire, roads radiated out from the capital city, spanning more than 52,000 miles. The Romans built these roads to access the vast areas they had conquered. But, in the end, these same roads led to Rome’s downfall, for they allowed the invaders to march right up to the city gates.

Like the Roman roads, the Internet connects us to the world. Empowered by advances in technology like cheap storage, increased bandwidth, miniaturized processors, and cloud architecture, we’ve extended Internet connectivity throughout our lives. But this expansion carries a risk not fully accounted for. Increased connectivity makes our critical infrastructure—water, electricity, communications, banking—and our most private information more vulnerable. We invested an enormous amount over the past few decades to digitize our lives. But we made these investments while systematically underestimating risks to our digital security. If we don’t secure our Internet connectivity, what has been an important driver of prosperity and strength for the past twenty years could have disastrous effects in the next twenty.

To meet this challenge, the U.S. government has changed its approach to disrupting national security cyber threats. One element of its new strategy involves implementing and institutionalizing a “whole-of-government” approach. No one agency can beat the threat. Instead, success requires drawing upon each agency’s unique expertise, resources, and legal authorities, and using whichever tool or combination of tools will be most effective in disrupting a particular threat. At times, that may mean economic sanctions from the Treasury Department, proceedings initiated by the Office of the U.S. Trade Representative, and cyber defense operations from the Defense Department. At other times, it might mean information sharing coordinated by the Department of Homeland Security, diplomatic pressure from the State Department, intelligence operations from the U.S. Intelligence Community (IC), and prosecution and other legal action from the Justice Department. And in many instances, it will mean a coordinated application of several capabilities from the U.S. government’s menu of options.

The United States’ approach to combating Chinese theft of sensitive U.S. company business information and trade secrets—activity that former National Security Agency Director Keith Alexander described as the “greatest transfer of wealth in history”—illustrates the power of this coordinated approach. In May 2014, after an unprecedented investigation spanning several years, a federal grand jury indicted five uniformed members of the Chinese military on charges of hacking and conducting economic espionage against large U.S. nuclear-power, metal, and solar-energy companies. The 48-page indictment describes numerous, specific instances where officers of the People’s Liberation Army (PLA) hacked into the computer systems of American companies to steal trade secrets and sensitive, internal communications that could be used for economic gain by Chinese companies. The recipient companies could use the stolen information against the victims in competition, negotiation, and litigation.

This landmark case was the first prosecution of official state actors for hacking. But the indictment was not pursued in isolation; nor was it seen as an end in and of itself. Rather, the investigation and prosecution of the PLA members were pieces of a larger deterrence strategy. In spring 2015, the President issued an executive order authorizing sanctions against companies engaging in malicious cyber activity. At the same time, the government was advocating diplomatically for basic international norms in cyberspace.

It appears that these coordinated efforts are starting to establish new norms in cyberspace. In September 2015, President Obama and Chinese President Xi Jinping affirmed that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors. Although we don’t know the extent to which China will honor this commitment, the fact that the commitment was made is itself significant, as is the fact that at the November 2015 G20 Summit in Turkey, leaders representing the twenty largest economies in the world agreed to norms related to acceptable behavior in cyberspace. As President Obama has noted, the Internet can sometimes seem like the “Wild Wild West.” But we are beginning to bring law and order to the Internet through concrete actions designed to ensure there are consequences for impermissible or unlawful behavior in cyberspace.

A whole-of-government approach is critical to success in disrupting national security cyber threats. But given the complexity of the threats we face, no strategy, regardless of the number of agencies involved or the breadth of tools available, would be complete without coordination with the private sector. In an increasingly flattened and connected world, the threat can easily move and change—but one constant is that private entities remain on the front lines of this fight. Thus, a second element of the United States’ new approach involves deeper partnerships with the private sector.

This Article explains how national security investigators and lawyers in the Department of Justice (DOJ) play a crucial role in this new approach. As practiced at DOJ, national security law goes beyond the use of one set of tools or body of law. It is cross-disciplinary—encompassing a practical, problem-solving approach that uses all available tools, and draws upon all available partners, in a strategic, intelligence-driven, and threat-based way to keep America safe. As former Acting Assistant Attorney General (AAG) for National Security Todd Hinnen has noted, “[n]ational security investigations seek to harness and coordinate the authorities and capabilities of all members of the national security community, state and local law enforcement, and foreign law enforcement and intelligence partners,” and “may result in a wide variety of national security activity, including . . . arrest and prosecution of perpetrators, imposition of economic sanctions, diplomatic overtures to foreign governments, and actions undertaken by U.S. intelligence services or armed forces overseas.” 

Key to almost any of these responses is attribution. Attribution is the ability to confidently say who did it: which country, government agency, group, or even individual is responsible for a cyber intrusion or attack. To respond to cyber activity, you must know who is responsible, and what makes them tick. Defense, deterrence, and disruption all require an understanding of the adversary. Government lawyers, agents, analysts, computer scientists, and other national security investigators are particularly good at developing the building blocks of attribution—they have expertise honed in criminal investigations and carry a host of legal authorities that allow them to investigate and gather information.

Although attribution is a simple idea, doing so on the Internet is very complex. The Internet’s architecture allows hackers to route their activities through a global network of computers, almost all of which are owned and operated by a variety of private actors. In addition, knowing which specific computer or network caused the malicious activity doesn’t necessarily tell you which person or organization ordered, carried out, or supported the hack.

But attribution is still possible. DOJ, including the Federal Bureau of Investigation (FBI) and other law enforcement agencies, and with support from the IC, has unique expertise and legal authorities it can use to attribute cyber activities to their source. We can then take steps based on that attribution—including but not limited to prosecuting those responsible—to help us fight cyber threats. Each of these steps may seem small, but incrementally they can help us turn the tide.

This Article proceeds in three parts. Part I describes the cyber threats we face and emphasizes that any long-term solution must include deterrence and disruption. Part II explains why DOJ is well-placed to attribute network intrusions, and how it goes about doing so. Part III lays out the tools—within DOJ, across the federal government, and in the private sector—that rely on attribution to defend against, disrupt, and deter cyber threats. Throughout, this Article attempts to give concrete details and examples. But the need to protect sensitive sources and methods—in particular the means by which the government attributes cyber activity—limits what can be publicly described.

Before proceeding, it’s important to emphasize that we are at the very beginning of the effort to confront national security cyber threats. All of the organizational and legal innovations discussed below—for example, increased intelligence coordination and the use of prosecutions, sanctions, and other legal tools to counter cyber threats—are evolving. The number of successful operations is still modest, especially given the size of the problem. And although we’re moving in the right direction, we need to move faster. We might need to modify or abandon some of the approaches if they prove unworkable, unscalable, or ineffective. Tools and techniques we haven’t even thought of may ultimately take center stage. We welcome criticism and suggestions—indeed, encouraging this conversation is one of the main purposes behind this Article.