In “an offensive step forward.” the Trump Administration discarded President Obama’s policy on cyberattack and cyber defense (also known as Presidential Policy Directive-20 or PPD-20). Trump’s replacement “cyber deterrence plan” was ready in mid-May, but its release was delayed because of disputes over retaliatory hacking measures. Meanwhile nation state cyberattacks continue and handwringing has been our standard response for years. It is hard not to conclude that the United States is doing a lousy job fighting back.
PPD-20 “mapped out an elaborate interagency process that must be followed before U.S. could use cyberattacks.” Dropping the PPD-20 is more than editorial tweaking. It removes bureaucratic shackles that limit US cyber activities. PPD-20 also called for compliance with all US laws and relevant international laws, and it called for extending advance notice to non-targeted countries which may be impacted by US cyber action.
PPD-20 was framed in a rococo, multi-level pile of legalese that emphasized “deconflicting” any potential cyber action through signoffs by a roomful of potentially relevant U.S. departments and agencies. For example, in the case of Persistent Malicious Cyber Activity cyber-responses need to be coordinated among, the Departments of State, Defense, Justice, Homeland Security, Federal Bureau of Investigation, Office of the Director of National Intelligence, the National Security Agency, the Central Intelligence Agency, the Departments of the Treasury and Energy (DOE), and other relevant members of the Intelligence Community, and sector-specific agencies. The Department of Justice was tasked with first response to cyberattacks, but even in the event of an emergency, Presidential approval was required before any significant action could be pursued.
President Trump’s cyber deterrence plan has not been released so we cannot determine if, like PPD-20, it shackles US cyber-responses. We also need to know whether it is sufficiently aggressive to raise the pain and cost incurred by our adversaries. The lengthy history of nation state attacks against the US leads us to question whether the US has sufficient technical capability to suppress persistent malicious cyber hacking by adversaries such as Russia, China, Iran and North Korea. Of course, the public cannot know much about our defenses because so much of the topic is opaque due to classification.
We see Russia and others running amok without consequence, especially in social media and political circles. A recent “Iranian campaign used a network of fake news websites and fraudulent social media personas spread across Facebook, Instagram, Twitter, Google Plus, and YouTube, to push narratives in line with Tehran’s interests.” The Iranians voiced “anti-Saudi, anti-Israeli, and pro-Palestinian themes”, as well as advocacy of policies favorable to Iran such as the U.S.-Iran nuclear deal. Iran is entitled to its viewpoint, but not when it masks its identity and poses as Americans. Iranian operatives had also been disseminating Iran’s talking points via #lockhimup, #impeachtrump and #notmypresident. Twitter removed 284 accounts involved in the misinformation campaign. Facebook removed 254 fake pages and 392 accounts from Facebook and Instagram.
Social media misrepresentations and spear phishing attacks against political sites earn a lot of press coverage, but less publicized attacks do damage to government and commercial systems, especially to infrastructure (e.g. dams and the electricity grid).
The PPD-20 masterpiece of bureaucracy may have thrilled Department of Justice attorneys and international law students, but based on persisting Russian cyberattacks, it was ineffective. Good riddance. Release the “cyber deterrence plan.” The public deserves evidence (through actions, not policy papers) that we have the resolve and the cyber tools needed to repel the Russian, Chinese and Iranian hackers.