First it was a massive cyberattack by North Korea against Sony Pictures Entertainment in late 2014 that crippled the company. Now it is a systematic series of ongoing cyberattacks against the nation’s critical infrastructure by Russia that threatens to cripple the nation.
These two seemingly unrelated attacks in cyberspace share a very troubling characteristic: Both have exposed the inability of national security leaders in two successive administrations to craft a coherent cyberwarfare doctrine to govern the nation’s response to major attacks in cyberspace.
So far, the response by the Trump administration to the recent revelations of Russian attacks against the U.S. electrical infrastructure is eerily similar to the Obama administration’s response to the Sony hack.
Obama imposed financial sanctions on 10 North Korean government officials, as well as the reclusive regime’s military intelligence bureau and state-run arms dealer. It took the administration six weeks to come up with that response.
Meanwhile, the Trump administration just got around to imposing sanctions against Russia for a series of attacks that began in March of 2016 targeting the U.S. energy grid, nuclear facilities, water processing plants, aviation systems, and other critical infrastructure.
The evidence is clear: Cybersecurity and national security officials in both the Obama and Trump White Houses have failed to devise a coherent national doctrine to guide the nation’s response to cyberattacks that threaten our very way of life.
It’s been six years since President Barack Obama signed Presidential Policy Directive 20, or PPD-20, a classified directive that established guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyberattacks. PPD-20 was considered the government’s first step toward laying a foundation upon which a national doctrine governing cybersecurity could be devised.
Obama followed up on PPD-20 with PPD-41, United States Cyber Incident Coordination. For his part, Trump last year signed a long-awaited executive order on cybersecurity, but it was overwhelmingly focused on bolstering the nation’s cyber defenses.
The U.S. has not had a national-level doctrine since the end of the Doctrine of Containment in 1991 as the Cold War was ending, and the nation has suffered significantly for this. Our nation’s cybersecurity leaders have not developed, nor articulated, any sort of doctrine or grand strategy and have, instead, lurched from one crisis to the next during the last decade.
In the long term, incidents like the Sony hack will likely be just a blip on the screen when it comes to the development of a national doctrine for cyberspace security and defense. And despite all of our sophisticated technology and our growing ability to use that technology offensively, there will be situations where technology will not give the U.S. the types of responses that policymakers desire.
But Russia’s latest activity paints a new picture of U.S. vulnerability. When real-world military adversaries set the stage for what could be a debilitating series of attacks that easily could lead to cascading failures of critical infrastructure, our nation must act. But our actions will continue to be hamstrung and impotent if we must first spend weeks or months trying to figure out what our policy is and what an appropriate response should be. That’s why we are supposed to have a doctrine.