September 23rd, 2020


Forget sanctions and red lines. Fight cyber attacks with cyber retaliation

Andrew Malcolm

By Andrew Malcolm, McClatchy Washington Bureau (TNS)

Published March 5, 2018

Perhaps you've noticed in recent weeks a marked increase in talk about the mounting threats of malicious cyber activity to our national security, intellectual property, critical infrastructure operations and even our election systems.

The Justice Department on Feb. 16 announced indictments of 13 Russian organizations and individuals for meddling in the 2016 election. Apparently the accused sought to foment divisions in American society largely through social media.

At the time their fake accounts, malicious rumors, incitements and spurious demonstrations went largely unnoticed by users of Facebook and Twitter, among others, because — News Flash! — thanks to anonymity U.S. social media already overflows with vile, mean, malicious, racist, hate-filled messages.

Media bought the indictments as getting tough, even though none of those Russians are anywhere within reach of U.S. authorities.

The Council of Economic Advisers estimated the other day that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016” involving “denial of service attacks, data and property destruction, business disruption (sometimes for the purpose of collecting ransoms) and theft of proprietary data, intellectual property and sensitive financial and strategic information.”

In 2015, the Obama administration's Office of Personnel Management said it suspected hackers had breached its obviously inadequate cyber security to access the Social Security numbers and personal records of 4.5 million Americans. That sounded horrible.

Later we learned hackers spent months calmly copying OPM records, including security clearance information, of 21.5 million Americans. Then-Director of National Intelligence James Clapper said he thought China was probably the culprit.

China also routinely promises to look into theft of corporate secrets. So, it's probably just coincidence that its newest fighter looks much like our F-35.

While we spend so much time properly worrying about North Korean ICBMs incinerating U.S. cities, we have other less lethal but quite crippling threats to worry about.

Most of the world's financial transactions, for instance, transit five big cities; fully half flow through New York. Imagine the economic impact and unleashed global fears if hackers took down just part of Gotham's financial or market operations for a few hours, perhaps even absconding with a few hundred million.

Not long ago, suspected Iranian hackers entered Saudi Arabia's national oil company and erased virtually all its electronic records. In 2016, North Korea electronically lifted $81 million from Bangladesh's Central Bank account in New York.

Last summer, according to U.S. and British intelligence, Russians planted the NotPetya virus in Ukraine to shut down a large portion of its electrical grid. It worked. But the virus escaped and scampered around the world, costing billions of dollars in damages.

“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” a British official threatened with empty words.

Blaming Russia, Trump press secretary Sarah Sanders said NotPetya was “a reckless and indiscriminate cyber attack that will be met with international consequences.” Someone remind Putin to worry.

After the 2015 OPM attack, Barack “Red Line” Obama vowed serious repercussions “at a time and place of our choosing.” As with his “swift justice” vow following the Benghazi murders, he never got around to choosing.

Here's the go-to Western response: Economic sanctions. None have worked on Syria, China, Iran, Russia or North Korea. So maybe more of them will.

Enough with all the worried words and empty threats over foreign cyber attacks. Haven't we sat around and bemoaned breaches enough? When are we actually going to do something in self-defense? Hardening government and corporate security is tardy and clearly ineffective.

What about some flat-out electronic retaliation?

It is possible. In late 2003, under international pressure, Libya's Moammar Gaddafi abandoned his nuclear weapons program and turned over all the equipment, which happened to be the same as Iran is using for its weapons development.

Intelligence agencies, most likely American and Israeli, reverse-engineered Libya's gear and developed what came to be known as the Stuxnet virus. It was smuggled into an Iranian nuclear facility on a thumb drive. The stealth virus proceeded to order, one by one, more than 1,000 centrifuges to accelerate out of control into oscillating self-destruction, all the while feeding false normal readings to gauges and paralyzing all intruder alarms.

What if one wintry day the Kremlin's power grid suddenly blew out? Or if Moscow's air traffic control system failed as Putin prepared to travel?

We know from satellite images when Pyongyang is preparing a missile test. What if, oh, say, a future missile exploded on the launch pad? Or better yet, flew up, turned around and came back down on its own launch site?

Well, gee, you know, making ICBMs is dangerous business.

Of course, Washington's do-nothing gnomes would predictably oppose the notion of standing up to electronic bullies and retaliating with our own unannounced cyber attacks, fretting with trembling words that target countries would then attack us.

Here's the problem with that: They already are.

Andrew Malcolm
McClatchy Washington Bureau

Malcolm is an author and veteran national and foreign correspondent covering politics since the 1960s.