This article is part of the National War College’s contribution to the series “Compete and Win: Envisioning a Competitive Strategy for the Twenty-First Century.” The series endeavors to present expert commentary on diverse issues surrounding US competitive strategy and irregular warfare with peer and near-peer competitors in the physical, cyber, and information spaces. The series is part of the Competition in Cyberspace Project (C2P), a joint initiative by the Army Cyber Institute and the Modern War Institute. Read all articles in the series here.
Special thanks to series editors Capt. Maggie Smith, PhD, C2P director, and Dr. Barnett S. Koven.
Recently, a single individual retaliated against North Korea for hacking his computer system. This lone wolf hacker, an American identified by his handle P4x, says he identified North Korea sources behind the hacking and in return took advantages of vulnerabilities in North Korean systems to successfully wreak havoc on their infrastructure.
P4x is not alone among cyber victims who feel the need to take matters into their own hands. Several years ago, while working at the National Security Council, I received a question from a friend at a cybersecurity company. The firm had identified someone trying to hack into their systems and traced the source back to its origin. The company was poised and ready to strike back but was hesitant. Their question was, could they? In response, I was forced to explain that it is illegal for private entities to hack back. They would have to depend on the government.
These are not isolated incidents. Both the public and private sectors in the United States are under a constant barrage of cyberattacks, which cost the US economy hundreds of billions of dollars, threaten personal information, and undermine confidence in the government. Major cyber events are becoming part of the daily lexicon. Cyberattacks like the 2014 Sony, 2020 SolarWinds, and 2021 Colonial Pipeline attacks are familiar to even the most technologically illiterate. The proliferation of cyberattacks and the damage they cause has many asking the questions of how and who best to protect the United States from these malicious actors.
Sound strategy involves identifying advantages over your competitors. This is part of the theory of success, or why the strategy would succeed. Conventional wisdom dictates that authoritarian regimes and centrally managed economies are less efficient and less innovative than free markets and societies. It is the incentives and energy in the private sector that are the drivers behind advancement and growth, which in turn gives the United States a competitive advantage over its competitors. But it is only an advantage if used. Americans learned during World War II that the private sector’s contribution was necessary to win the war. It was the rallying of private industry around the war effort that ensured victory. It is also industry that grows the economy and, concomitantly, the defense industrial base during peace and that helps serve as a deterrent.
Russia, China, North Korea, Iran, and other adversaries have embraced those working outside the normal government stovepipes and are capitalizing on their cyber expertise to attack the United States. We have many patriotic and committed cyber experts in our federal departments and agencies, but the United States’ advantage lies in the private sector. The government recognizes this—hence the many programs to attract cyber experts into government service. Yet, the nature of bureaucracy disincentivizes risk taking and innovation. Conversely, the private sector rewards it. Therefore, the concept of a whole-of-nation strategy must include these private sector experts to ensure sound cyberspace strategy.
Social Contract Theory and Government Response
Increased familiarity with cyberattacks is accompanied by an understanding of the threat they pose to all aspects of daily life. It also comes with a growing frustration of what many feel is an ineffective government response to punish those responsible, and to thereby deter others.
The United States was founded on the ideals of seventeenth-century social contract theory, the intellectual progeny of philosophers like Hobbes, Locke, and Rousseau. They argued that citizens and governments form a contract; the people give up certain freedoms in exchange for government guarantees of law and order. It is this contract that allows for societies to peacefully exist. For example, if Jill is wronged by Jack, Jill does not take the response into her own hands, but trusts the government to represent her interests. The alternative to the social contract is a state of anarchy where might makes right, and thus a failure of civil society.
One of the most understood freedoms given up to the government under social contract theory is security. The government is responsible for defending society against security threats. As, the early twentieth-century theorist Max Weber noted, a monopoly on violence is a central attribute of modern states. Concomitantly, it should not be surprising that the US government has vigorously sought to defend its population against physical violence perpetrated both by state actors, as well as by a diverse panoply of violent nonstate actors (e.g., terrorist groups and violent extremists, drug trafficking organizations). However, in broadening the aperture beyond physical security threats to also include those emanating from the cyber domain, the results become far more mixed. While the US government almost certainly desires to be responsive to its citizens cybersecurity needs, it lacks a firm understanding as to how to effectively do so.
Companies are pressuring government officials for a solution, or at least more freedom to act themselves. The government is not ignoring the problem, but countering cyberattacks requires not only the technical capability to hack back; it also involves understanding a complex web of attribution and considerations governing the use of force, law enforcement, policy, and obligations to protect the innocent. While many companies would like to take a more active role in punishing those caught hacking their systems, this might cause more harm than good. However, discounting private companies is also a mistake.
Subscribing to social contract theory does not mean that private citizens do not have a role to play in ensuring societal well-being. Juries are made up of everyday citizens and private think tanks routinely advise the government on security issues. The social contract in a democracy must be participatory. In fact, it is this participation in the government that gives democracies their strength. Participation brings new ideas, energy, and accountability. A successful cyber posture that both defends against attacks and punishes those that are successful will take a concerted effort by government and the private sector. The government needs to take a lead in developing and executing a competitive strategy that bridges the public-private divide and increases the United States’ advantage. But what form should that partnership take? Ought offensive or defensive approaches be prioritized?
Limitations to Offensive Public-Private Cybersecurity Partnerships
US law—specifically, 18 US Code § 1030—prevents private entities from hacking into another computer system. Proponents of hack-back policies find this law overly restrictive. Indeed, frustration with current policies has led to action by the government. Congress has introduced several pieces of legislation aimed at loosening restrictions on hacking back. Some advocates have gone even further by proposing modern day letters of marque authorizing certain companies or individuals to act on behalf of the government to disable or disrupt the attacking systems.
Moreover, hacking back is not as simple as it seems and there are good arguments for a cautious approach. While proponents of authorizing the private sector to hack back typically also advocate for governmental oversite, it is unclear that the government has the capacity or the expertise to provide it. Indeed, Jason Healy and Robert Jervis have argued convincingly that US government departments and agencies involved in cybersecurity are rarely even able to maintain awareness of offensive cyber operations conducted by other US government departments and agencies.
Additionally, attribution for cyberattacks is not easy. The bad guys often originate their attacks from innocent users’ machines they have taken over, employing bots, botnets, or zombies. Disabling or destroying the machines hurts innocent users (they are also victims of the hackers) and not the actual attackers. Imagine the potential harms if an attack was made to appear to have originated from a hospital’s IT network. Hacking back could result in real loss of life.
Furthermore, while there is a lot of focus on offense and the ability to strike back, too much offense can create other problems, like instability in international relations. A back-and-forth exchange of cyberattacks between nation-states can spiral quickly beyond what either nation intended. What started out in the cyber world can escalate into brinkmanship and lethal force.
In short, the United States is right to be cautious with empowering private entities to act offensively on behalf of the government. The past twenty years has demonstrated that the use of private military contractors comes with its own issues. Scandals surrounding Blackwater and other contractors has shown what happens when government allows privatization of inherent government functions.
Defensive Public-Private Cybersecurity Partnerships
Given the limitations inherent to engaging the private sector in offensive cyber operations, defensive options ought to be more carefully considered. Like any successful defense, early preparation and information sharing is critical. Building robust defenses and communicating information about vulnerabilities, where the enemy is likely to attack, any early indications of an attack, and how to support and reconstitute areas attacked are key to strengthening defensive measures and limiting damage.
In 2017, global shipping company Maersk was the victim of a cyberattack that affected its terminals, ports, and ships around the world, costing the company at least $200 million. Maersk’s willingness to share information allowed the US Coast Guard to warn other companies, focus resources, and limit cost to maritime infrastructure. The cooperation by Maersk is a great example of what is needed, but it is the exception, not the norm.
The administrations of both the Donald Trump and Joe Biden issued executive orders to address cyber vulnerabilities, but these orders were for federal systems and did not include the private sector, mainly due to strong industry resistance to government regulation. Companies exhibit a natural preference for a strong, government-led offensive cyber response to deter would-be attackers, instead of paying for expensive defensive measures. Nevertheless, protecting networks needs to be the first step in a successful competitive strategy, and communicating threats is integral to shoring up cyber defenses. Consequently, information sharing is crucial to successful public-private cybersecurity partnerships.
A physical attack is easy to observe, and attribution is usually much easier, allowing for a timely and appropriate response by the government. However, for cyberattacks the government is often dependent on third parties to inform them of not only the occurrence, but also the breadth of the attack. Increasing reporting requirements is one way to help raise awareness and possible attribution, but mandates alone are insufficient.
Currently, there is a hodgepodge of reporting requirements that vary considerably by industry and oversight agency. Recently, there has been a move to standardize reporting requirements, giving the government better visibility and information to decide appropriate actions. This is not without controversy. Many in industry do not want their victimization made public, because it could reduce revenue, as well as investors’ and customers’ confidence. For instance, the 2013 attack on Target exposed forty-one million of its customers’ payment card information and resulted in a substantial drop in revenue, lost customers, and a large settlement agreement. Moreover, many companies do not view reporting as useful due to a perceived lack of leadership, responsiveness, and assistance provided by the government in response to cyber incidents. Although companies are reticent to provide this information, the government cannot develop a coherent response to these attacks without awareness. There must be coordinated government action that changes incentives and increases trust.
Trust, of course, works both ways. Just as the private sector must trust the government to represent its best interests in responding to cyberattacks, the government must also be able to trust private sector entities in order to effectively partner on cybersecurity. Engaging private entities on national security interests is not unprecedented. Besides the obvious defense contractors, there are also occasions when private industry is allowed to see behind the curtain. Government must be willing to do this more often. (Admittedly, though, complex ownership and investment structures that often involve non-US persons and financial interests in today’s globalized economy can make this even more challenging.) This goes beyond just setting up additional advisory boards under the Federal Advisory Committee Act. These boards are often just cursory, given little information, and paid little attention to by relevant US government departments and agencies. On the other hand, the boards’ efficacy is limited as they are too often populated with members that have long since retired from industry and no longer occupy influential positions. Instead of building trust between government and industry, they create frustration. Advisory boards need to be populated with current industry leaders and trusted with information and decisions. The government needs to show the private sector how it is part of the nation’s strategic competition with its adversaries.
When Maersk was targeted in the 2017 cyberattack, the company was hesitant to notify anyone as soon as the attack was identified; however, its long relationship with the US Coast Guard encouraged Maersk’s leadership to report the situation. The trust that Maersk showed allowed the Coast Guard to alert other ports and shippers, heading off what could have become a significantly worse problem (or an overreaction by the US government). Following the incident, the Coast Guard worked with Maersk’s cyber experts to investigate what happened and to prevent future attacks. The Coast Guard needed to work with Maersk’s cyber experts to obtain relevant information about the attack, and Maersk needed Coast Guard authorities to quickly reconstitute its terminals and ships.
A whole-of-nation strategy needs to have clear objectives that are easily understood and actionable by the public and private sectors for the good of the American people. These objectives should include resiliency, redundancy, hardening, investigation, and sharing of information as a minimum. To meet those objectives a whole-of-nation strategic framework requires:
- True public-private partnership. This requires not only the private sector to trust the government with information that they consider vital, but also that the government must trusts the private sector with the information it needs. This means an equal exchange of information.
- Sharing ideas, techniques, and technology. Shared information about attacks themselves is only part of it. Allowing for a sharing of ideas, techniques, and technology is just as important. The government cannot afford to attract all the cyber experts into government jobs, nor should it want to; it needs the innovation and energy of the private sector. Bringing that innovation into the fold creates resources to counter our adversaries. Many in the private sector see the government as the enemy and their employees, shareholders, and customers protest when they partner with the government. This must be overcome by establishing a trusting environment.
- Shared action. The strategy may limit offensive cyber activities to government agencies, or it may include a limited licensing to a few trusted companies. This would not be as much a letter of marque as an avenue to seek permission to take one-time action on a target. Either way, all involved need to have visibility on actions taken and a voice—especially when it is the private sector that might take the brunt of any retaliation.
- Regulations. Although it is not popular with the private sector, government regulation will be required. Without it, incentives will not change and information sharing and investment in sound defenses will be hampered.
Other nations will continue to see cyberattacks on both government and private sector targets as a cheap and effective way to counter the United States. The current whole-of-government response is full of noble intent, but it is not a winning strategy. It fails to take advantage of the resources and expertise in the private sector that a whole-of-nation response can. The United States’ free economy, and the incentives it brings, gives it a competitive advantage over its adversaries, but only if it actively engages with private sector actors and convinces them that a whole-of-nation response is in their best interest.
Jason Smith currently serves as service chair and as assistant professor for security studies at the National War College. He has served as a leader and aviator in the US Coast Guard and the US Army, as advisor to the commandant of the Coast Guard, as senior policy advisor in the US Senate, and on the staff of the National Security Council.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
Image credit: Christiaan Colen