The State Department’s Weary Soldier in America’s Cyber War
From Ukraine to Sony, cyber attacks are spooking governments and private companies -- and leaving officials like Christopher Painter scrambling to help devise rules of the road for how to respond.
A new age of cyberwarfare is dawning, and a little-known State Department official named Christopher Painter -- a self-described computer geek who made his name prosecuting hackers -- is racing to digital battlegrounds around the world to help stave off potential future threats.
A new age of cyberwarfare is dawning, and a little-known State Department official named Christopher Painter — a self-described computer geek who made his name prosecuting hackers — is racing to digital battlegrounds around the world to help stave off potential future threats.
One of his stops was in South America, where he visited Argentina, Chile, and Uruguay, to hear about what those countries were doing to protect computer networks. One was in Costa Rica, to tout the U.S. vision for the Internet, including security. Another was in The Hague, to, among other things, promote international cooperation in cyberspace.
“It’s been a hectic couple of weeks,” he said
There’s a reason for that. Last month, Arlington, Va.-based security firm Lookingglass released a report detailing a full-scale cyber war being waged by Russia against Ukraine. Russia, Lookingglass concluded, was hacking Ukrainian computers and vacuuming up classified intelligence that could be used on the battlefield. The week before, the Pentagon publicly released a new strategic document declaring, for the first time, that it was prepared to pair cyber war with conventional warfare in future conflicts, such as by disrupting another country’s military networks to block it from attacking U.S. targets
Painter is charged with finding answers to some of thorniest policy questions confronting Washington in the digital age: How to wage cyber war, how not to, and how nations can or even should cooperate on establishing rules for cyber offense.
Countries have found it so hard to sort out answers to these difficult subjects, Painter is setting his sights low, at least for now. One of his initial goals: Promoting a set of voluntary international standards, such as one that says that nations should not knowingly support online activities that damage critical infrastructure that provides services to the public.
“We’re in the relative infancy of thinking about this issue,” Painter said. “This is a fast-changing technology. We’re at the beginning of the road.”
Other, related debates — on surveillance and cyber defense — are further along. Congress is working through a renewal of expiring provisions of the Patriot Act. Other countries are getting in on the act as well: France’s National Assembly this month approved a bill being dubbed “the French Patriot Act,” which controversially allows the government to collect mass e-mail data, and Canada’s House of Commons last week passed anti-terrorism legislation that critics contend endangers online privacy. Congress also has a good chance this year to pass a cybersecurity bill that fosters threat data sharing between companies and the government.
The nascent conversation about cyber offense draws, in some ways, on existing international law, but in other ways has no historical precedent, because cyber war is unlike any other kind of war. Government hackers can do tremendous damage to an enemy country without touching it physically or using any troops or military hardware whatsoever, and without leaving much of a trace about who is responsible. It also upends the traditional notion of deterrence in a realm where the often-invisible attacks make it hard to figure out whom to retaliate against and signal that offense will be answered with offense. Sometimes it’s hard to tell what an offensive weapon even is, since so many cyber tools have both offensive and defensive uses.
The U.S. position is complicated by how advanced its offensive capabilities are in relation to the rest of the world — not only in how far it’s willing to go to limit itself, but also how willing anyone else is to listen because of how it aggressively the U.S. has used its technological edge to spy on other countries and, in the case of Iran, directly attack their infrastructure.
“The United States is in a very unique position. It’s definitely in a class of its own when it comes to cyber offensive operations,” said Henry Farrell, an international affairs professor at George Washington University. “The other problem is that it’s in a class of its own in the unique vulnerability to various forms of cyber attack.”
And for the United States, there are both domestic and global components of the debate over what kind of offensive authorities it should have. While the Obama administration tries to figure out what kind of posture it wants to take on the international stage, some in Congress are agitating for the executive branch to say what it can do on offense, and under what circumstances. If the executive branch doesn’t do that, Congress might do it for them. Senate Armed Services Chairman John McCain (R-Ariz.), is among those contemplating taking action; he is weighing an amendment to the annual defense policy bill that would spell out what the Defense Department’s cyber offensive and defensive capabilities should be.
There are widespread worries across Capitol Hill, meanwhile, that Washington isn’t doing enough to keep up with steady stream of cyber attacks designed to steal corporate secrets and financial data. That never-ending drumbeat has in recent months afflicted Anthem, the second-biggest U.S. health insurer in which hackers accessed personal data like Social Security numbers for millions of customers, and JPMorgan Chase, in which a sophisticated cyber attack compromised the accounts of millions of households and small businesses. McAfee, a leading cyber defense firm, estimates that there are hundreds of cyber attacks per minute.
One major question House Armed Services Committee Chairman Mac Thornberry of Texas and others want to resolve is what the U.S. government should do in instances like the Sony hack last fall, which led to the release of reams of sensitive corporate emails, movie scripts, and even digital copies of unreleased films. President Barack Obama blamed the North Korean government, which was angry over the unflattering portrayal of Kim Jong-un in the film “The Interview,” then promised the United States would “respond proportionally.”
Some cyber experts have subsequently raised doubts about whether Pyongyang was actually behind the attack. If they were, it would mark a milestone as the first time government hackers in one country attacked a private firm in another.
“We don’t have the proper structure in place because our thinking and policies have not evolved to the reality of what cyber is as a domain of warfare,” Thornberry said in an interview. “We don’t really have authorities in place about how to defend civilian/private networks, much less what sort of offensive preemptive retaliatory actions potentially the government would take on their behalf.”
But lawmakers also want to be prepared for more catastrophic attacks, like an assault on the electricity grid, which is largely controlled by private sector computer networks. As far back as 2009, there were reports of foreign governments infiltrating the U.S. electricity grid, and while they didn’t damage the networks they penetrated, National Security Agency director Adm. Michael Rogers has warned they would be a major target in a large scale cyber war.
Painter, who considers himself an early aficionado of computer technology, has said he began playing with a primitive personal computer while he was at college in the 1980s. After graduating from Cornell in 1980 and Stanford law school in 1984, he gravitated toward tech-oriented lawsuits, and prosecuted the most prominent early hacking cases, securing a conviction in 1999 of the famed hacker Kevin Mitnick — said to be the inspiration for the film “War Games” — for stealing files from companies like Sun Microsystems and Motorola. Later, Painter moved to the Justice Department headquarters and the White House to work on cyber issues.
One thing Painter isn’t looking for, in all his travels, is any kind of comprehensive cyber treaty to somehow tackle the myriad security topics — or, to use his quote from “Lord of the Rings” during a panel in The Hague, “one ring to rule them all.”
Because of how complicated and formless the cyber offense problem is, and how new it is compared to more established forms of warfare, the idea of any kind of comprehensive cyber treaty has been set aside — not just by the United States but many other countries as well, at least for now. Instead, Painter’s focus has been on creating a commonly held set of principles — “norms” — that nations adhere to on a voluntary, legally non-binding basis.
Painter maintains that the emphasis on norms isn’t about preserving “American hegemony.” Yet many others have noted a distinct lack of interest from the United States when it comes to taking any kind of action that could limit its own offensive options.
“Just as a general matter, administrations of any stripe are certainly not looking to limit their ability in legislation and would probably be loathe in international regulation to swear off particular lines of attack,” said Michael Allen, a former top National Security Council staffer in the George W. Bush administration and former staff director for the House Intelligence Committee who now is managing director at Beacon Global Strategies, a consulting firm. “I don’t think people are eager to start immediately signing up to regimes, norms or certainly not laws, without serious consideration, that begin to restrict this new tool of warfare in its infancy.”
Michael Hayden, a former NSA director and now a principal at the Chertoff Group consulting firm, said the bigger issue is simply that a cyber treaty would be unenforceable. It’s easy enough to cheat on a biological weapons treaty, he said; imagine how easy it would be to cheat on a cyber treaty, since sophisticated hackers can leave no fingerprints whatsoever.
The reason it would easy, he said, is because of how hard it is to determine, forensically, who’s behind any given attack at any time. The landmark 2013 Mandiant report that tracked a host of cyber attacks netting government documents and company secrets to a Chinese military unit was the result of six years of work, and it ultimately could place the attacks as originating only from the doorstep of the building suspected of conducting the hacking.
The same problem of so-called attribution for attacks applies under existing international law. In April, both Defense Secretary Ashton Carter and current NSA chief Rogers made headlines for saying cyberwarfare fell under international law, although that was not a new position for the U.S. government. The origins of that position emerged from a United Nations Group of Governmental Experts that declared a set of principles in 2013, a group that included China.
Some legal experts contended that the Stuxnet virus that attacked Iranian nuclear centrifuges, reportedly a collaboration between the United States and Israel, was a violation of international law because it was an “act of force.”
“That’s already a violation of international law unless you have a justification for that,” said David Fidler, and Indiana University law professor serving as a visiting fellow for cybersecurity at the Council on Foreign Relations. “That’s even if anyone acknowledges they were involved, which they don’t do.”
Fidler said some of the “norms” under discussion in the cyber sphere are merely restatements of norms or international laws that apply to existing forms of warfare, and are either unworkable because they don’t apply to cyberspace or originate from poorly agreed-upon definitions of terminology.
As an example, he pointed to a proposal from Temple Law professor Duncan Hollis to create an e-SOS, similar to the distress signal ships at sea send when they are in trouble and merchant vessels are obligated to respond with help. In the event that a country is under cyber attack, Fidler asked, does it really want a nation like Russia getting into its networks to lend a hand?
Additionally, the U.S. message on norms about cyber intrusions hasn’t always been well received, given the wide scale international electronic spying revealed by former intelligence contractor Edward Snowden, Fidler said. To the rest of the world, he said, “it kind of looks like the U.S. has given up on norms and is relying on unilateral action,” especially when combined with an April executive order to financially punish foreign hackers.
It’s not, he said, that the State Department is doing poor work advancing cyber norms – it’s that doing so is inherently difficult, especially under the circumstances.
For his part, Painter acknowledged that there’s much more to be done in figuring out how international law applies to cyberspace. What does the international law of warfare dictating “proportionality in attack” apply there? That kind of question is going to take a ton of academic work, Painter said.
It’s a subject that has nonetheless made Congress antsy. In February, House Homeland Security Chairman Michael McCaul (R-Texas) joined with House Foreign Affairs Chairman Ed Royce (R-Calif.) to write a letter to National Security Adviser Susan Rice, asking how the Obama administration defined different attacks and how it was prepared to respond to them.
McCaul said he hasn’t received a response to the letter. But he said he and Royce are preparing legislation outlining what they expect from the State Department on those questions.
Others on Capitol Hill said they see gaps in the administration’s authorities and doctrines, but aren’t yet ready to press their case without more examination, among them Thornberry and a leading Democrat on his committee, Rep. Jim Langevin.
“We’re developing capabilities faster than the policies and doctrines that control them,” said Rhode Island’s Langevin, the top Democrat on the Armed Services Emerging Threats Subcommittee. “There’s the need for further definition for actions to do things like defend the nation.
“The vast majority of the systems at risk are not DOD systems. They’re in the private sector,” Langevin said. “In a worst-case scenario, DOD is going to be asked to defend them. If there’s an active cyber attack going on on our electrical grid and DOD has to step in and shuts down the entity that’s carrying out that cyber attack, you can imagine that has all sorts of ramifications.”
Over time, Fidler said he expects the State Department to get more creative on the development of cyber offense norms. There also might be some other kinds of international consultation that could de-escalate cyber, with both Fidler and Painter touting the Global Forum for Cyber Expertise that launched in The Hague to build up the capabilities of developing nations to handle cybersecurity.
But, again, it’s very early.
Painter, citing one estimate, said that “when you compare it to the process of nuclear rules, it took about 40 years to get grounded.”
“I don’t anticipate the length of time to socialize and draw lines is going to be anywhere near as long as nuclear,” he said. Still, “it’s not an overnight process.”
Ulrich Baumgarten via Getty Images
More from Foreign Policy
At Long Last, the Foreign Service Gets the Netflix Treatment
Keri Russell gets Drexel furniture but no Senate confirmation hearing.
How Macron Is Blocking EU Strategy on Russia and China
As a strategic consensus emerges in Europe, France is in the way.
What the Bush-Obama China Memos Reveal
Newly declassified documents contain important lessons for U.S. China policy.
Russia’s Boom Business Goes Bust
Moscow’s arms exports have fallen to levels not seen since the Soviet Union’s collapse.