Soon after moving into the White House, Trump released a draft of an Executive Order on cybersecurity, which spends several pages defining the problem and almost no space on potential solutions. The draft order requires a review of the country’s infrastructure and weaknesses, a process that literally could go on for the rest of time. There is almost no practical way to enumerate all of the government’s systems and assets, let alone the critical infrastructure systems, most of which are owned by private companies.
It’s not exactly clear what’s holding up the release of the final version of the order, but it’s almost certain that the administration is seeking input from security experts in government and in the private sector. These kinds of documents are group efforts, even though they have one name on the bottom. Officials at government agencies that will be affected by the order are eager to make suggestions, as are executives at technology companies and other groups, and that takes time. So a few extra weeks of consideration and revision is probably a good thing.
Whenever it comes out, this order will emerge in a very interesting climate. Accusations of politically motivated hacking have become an almost daily occurrence, and it’s gotten to the point that some foreign governments aren’t even bothering to hide what they’re doing. These accusations and counter-accusations naturally lead to questions about how governments can or should respond to attacks by other countries.
Intelligence officials tend not to talk much about the offensive side of cybersecurity, as they don’t like to reveal their strategy or methods. But at an event this week sponsored by the Aspen Institute, a top NSA official was asked whether the final version of the Executive Order should have some kind of language that spells out exactly how the United States will respond to attacks by nation states, a kind of standing doctrine. His answer was very interesting.
“It could be useful but dangerous, because if someone knows if you do this I’ll whack you in this way, they could pretend to be another nation state actor. Attribution is hard, but it’s not impossible and it’s probably not even as hard as people think. But it’s hard to do in a timely way and an actionable way. It usually involves some fairly sensitive intelligence sources and if you disclose those they won’t be there the next time,” said Richard Ledgett, deputy director of NSA.
That’s a canny, but telling, answer from someone who has been in the intelligence community for almost 30 years. NSA does the bulk of the offensive cybersecurity work for the U.S. government and it knows its business. But it also has defensive responsibilities, and what Ledgett is telling us with that answer is that the agency, along with the others in the defense and intelligence communities, doesn’t want its adversaries to know what it knows.
That’s at the heart of how the intelligence game has been played for hundreds of years. You don’t let your opponents know how good you are or how much you know. And that line of thinking naturally has made its way into the cybersecurity realm, where much of the spy game now plays out. Ledgett is right, of course. Retaliating for every individual attack doesn’t always make sense.
Whatever the final Executive Order includes, a standing response to cyber attacks shouldn’t be part of it, especially since adversaries of the U.S. have ample historical evidence of how good NSA and its allies are at their jobs. See: Stuxnet. See also: Flame.