Cyberspace: Complex National Security Challenges on a New Surface

By Adam McPhail

In November 2013, a group of hackers dubbed X1 gained access to the networks of the Office of Personnel Management (OPM), obtaining manuals and information regarding the general IT system architecture. Later in 2014, having realized foreign agents had hacked into their systems, OPM planned a “big bang,” hoping to boot the cyber attackers out of their system. However, only weeks before the scheduled system reset, a group named X2 installed malware that gave them a backdoor into the OPM, evading the big bang. Even worse, this time the hackers accessed sensitive, personal OPM files. With 5.6 million sets of fingerprints stolen and 22 million people affected, the 2014-2015 Office of Personnel Management data breach revealed a new front in the ever-changing nature of conflict: cyberwar. The incident permeated the United States government and culture at large, signaling that a new era of national security was not merely accelerating towards them at a frightening pace; rather, it had already smacked them in the face, leaving them dazed and unprepared. 

Among those affected was Yale Law School Professor Oona Hathaway. “They got the operation of personnel management files, which includes my personal information, all the forms I filled out to get my security clearance,” Hathaway said to the Globalist. “So it is my social security number, all my financial information, all my personal contacts abroad. They now have all that stuff and they have that not just on me, but everybody who applied for top secret clearance in that period.” In 2014, Hathaway began to work for the United States government. The Gerard C. and Bernice Latrobe Smith Professor of International Law, Professor Hathaway worked as the Special Counsel to the General Counsel for National Security Law, offering legal advice to the Secretary and Deputy Secretary of Defense. To attain this position, Professor Hathaway endured a rigorous series of documents and security vetting, eventually receiving SCI (Sensitive Compartmented Information) access, the highest level of security clearance. Professor Hathaway finished her work with the Department of Defense in 2015, returning to Yale academia and law professorship with an award honoring excellence to boot.

Since 2014, public awareness of cyberattacks has grown, and the public’s understanding of what counts as a cyberattack has become more expansive. The rapid development and pervasiveness of technology, plus the recent 2020 SolarWinds and Microsoft hacks, have only further exposed the American public to the wide-ranging effects and forms of cyberattacks. Cybersecurity no longer merely affects one’s personal information; it encompasses the entire foundations of government and democracy. It is a fundamental pillar of American national security. But just how prepared the United States is for this new era of international relations has been a point of contention among scholars, who reference unprecedented challenges such as the difficulties of tracing cyber-belligerents to states, a lack of a legal framework, and the complex confluence of private and public actors.

United States Cybersecurity Infrastructure

Over the past decades, the United States government has attempted to broaden its overview of cybersecurity. In 2007, the United States formed the National Protection and Programs Directorate (NPPD), a subsection of the Department of Homeland Security (DHS) designed to coordinate efforts across government agencies to prevent attacks and threats on critical infrastructure, including both physical and cyber attacks. Later, in 2018, the United States elevated cybersecurity to its own agency under the supervision of the DHS, founding the Cybersecurity and Infrastructure Security Agency (CISA). Its goals are wide-ranging: it seeks to curb cyberattacks from sophisticated actors and nation-states attempting to steal information, money, or intelligence; suspend government services; or disrupt physical infrastructure.

President Biden has emphasized that cybersecurity will be one of his administration’s top priorities. However, even CISA admits that it is notably hard to secure cyberspace. 

Adapting legal framework to trace cyber-belligerents back to states

First, actors committing cyberattacks can work in anonymity and operate from anywhere in the world. Perhaps the challenge most obvious to the American public, this anonymity makes attribution incredibly difficult for the United States government. Even if one were able to acquire the identity of the foreign actor – which in and of itself is extremely difficult – it is hard to discern where the actor is physically. Further still, it is challenging to know whether they are working on behalf of the government, for another country, a non-political organization, or simply of their own accord. The inability to assign blame and punishment for these unlawful actions has emboldened actors, making them more ambitious in their cyberattacks.

The complexity of this issue has led many international legal and political questions to remain unsolved. For example, because cyberspace enables foreign hackers to be shrouded in anonymity, many countries encourage actors within or outside of their state to work on their behalf to conduct cyberattacks on other foreign governments. The government knows it will be difficult to confirm whether or not they are responsible because actors not affiliated with the state carry out the cyberattack. The government still realizes its desire, whether they want to accrue information or disrupt systems within another country, with a lower risk of “getting caught.” How does the international community ensure that governments do not actively encourage private actors to work on their behalf, giving them, as Professor Hathaway remarked, “a wink and a nod?” 

Currently, the international expectation is that countries uphold a “due diligence requirement” against actors in their state. “States are responsible to engage in due diligence to ensure that actors within their territory are not posing a threat to actors outside their territory,” Professor Hathaway noted. She added that, of course, governments do not need to be aware of every actor in their state. “You are not strictly liable for the fact that some private actor goes and does bad things in other places, but you are supposed to take basic measures to try and address the possibility of private actors within your country taking actions that are going to have an impact outside your territory,” Hathaway said. If governments discover actors committing illegal actions they must prosecute them to the fullest extent of their domestic law in their own courtrooms. However, countries have no incentive to prosecute their citizens if their nefarious cyberattacks aid the government’s geopolitical interests. 

Additionally, states must follow what is known as the “law of state responsibility.” Officially adopted by the United Nations in 2001, Article 1 states, “Every internationally wrongful act of a State entails the international responsibility of that State.” In other words, if a state breaches international law, then it is responsible for the breach and must take on the consequences. Additionally, Article 11 reads, “Conduct which is not attributable to a State under the preceding articles shall nevertheless be considered an act of that State under international law if and to the extent that the State acknowledges and adopts the conduct in question as its own.” In abstruse legal language, the article states that if there are individuals within a country breaking international law and their once-independent actions are so helpful to the government that the government supports and adopts their acts, then the state in question, not just the individual actors, violates international law. “Generally speaking, the law of state responsibility of states being responsible for the actions of non-state actors requires an awful lot of close connection between the state and the non-state to hold them directly liable for the actions of non-state actors,” Professor Hathaway solemnly said. It is already tough to cite the law of state responsibility to hold states accountable for individual actors working implicitly on their behalf. Cyberspace only amplifies this challenge because it is increasingly difficult to link cyber actors, shrouded in anonymity and secrecy and potentially located in another country entirely, back to a government. “The international legal rules governing the behavior of states that work and operate through non-state actor groups, be it cyber, or be it conflict zones, is not a particularly well developed area of law,” Hathaway lamented.

As technology and its geopolitical implications continue to develop, international law regulating this interplay struggles to keep up. One can imagine that this ambiguity will only intensify as cyberattacks become an increasingly prevalent issue in international relations.

Cyber-deterrence

So, if the United States cannot use the international legal system to deter other countries or actors from using cyberattacks, what other deterrence methods does the United States have? Professor Edward “Ted” Wittenstein teaches classes concerning law, cybersecurity, and foreign policy at the Jackson Institute for Global Affairs. Previously, he worked in the United States Department of Defense, Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction, Office of the Director of National Intelligence, and the Department of State. “The enforcement challenge is rather significant because there is no common understanding and transnational law about these forms of malicious cyber activity,” Professor Wittenstein said. Instead, Professor Wittenstein stated that the United States has other tools in its arsenal, including levying economic sanctions, using military activity, or enacting intelligence offenses designed to manipulate, degrade, or destroy the capabilities of these malicious actors. 

However, none of these strategies are without their faults. The United States has utilized economic sanctions as a means of deterrence or punishment in many political realms. For cyberspace specifically, the United States has levied economic sanctions on actors from various countries, including Russia, Iran, North Korea, and China. But there is a large body of academic literature debating the effectiveness of economic sanctions concerning cyber deterrence, especially against actors closely connected, either politically or strategically, to the state. High-profile individuals can evade economic sanctions via the international banking system and clandestine offshore money accounts. Without significant cultural and diplomatic pressure, economic sanctions alone do not significantly alter state actions. Intelligence responses are also tricky to carry out and states risk engaging in a tit-for-tat with other countries, heightening tensions by continually reducing the others’ intelligence capabilities. It is a difficult balance to strike. “In some ways, a little bit of espionage is actually kind of good in the international system because you want each state to have a little bit of insight to what the other is up to, otherwise when they are doing something, you might see it as very threatening,” Professor Hathaway said. An integral part of international relations theory, what was formerly a “little bit of espionage” before the technological era is amplified immensely in the cyber context. Previously, one could not physically accrue a significant amount of information without an extensive and detailed spy network. But cyberattacks allow states to obtain massive amounts of information without the past physical restraints. How much data accumulation is too much espionage and ought to prompt retaliation? Military response is often expensive and can cause the loss of human life.

While it may be odd to visualize now, a future where traditional “surface” military activities arise in response to cyberattacks is likely. One must wonder if this fascinating confluence between traditional, material surface actions and cyber-surface events will mark international relations in the rest of the 21st century.

The confluence between the public and private sectors

Additionally, the United States has to grapple with the complex links between the public and private sectors in cyberspace. For more material, surface examples of infrastructure, the United States government can physically repair and improve, say, bridges, roads, and canals because they are part of the public sector and the government has oversight over them. In contrast, bolstering “cyberinfrastructure” is significantly more complicated because much of the United States government relies on private-sector products and applications. For example, take the recent SolarWinds hack that affected executive agencies such as the Pentagon, the Treasury, and, ironically, the Department of Homeland Security, which contains CISA. Russian hackers modified code in SolarWinds’ monitoring system Orion, gaining access to computer operating systems via a seemingly inconspicuous Trojan horse-like update. In many government agencies’ computer systems, Orion was linked to individual Microsoft 365 accounts, thus giving hackers access to their emails and all the information within them. This type of cyberattack is called a “supply chain attack,” and it is emblematic of a bigger cybersecurity problem for the American government. Supply chain attacks do not target computer systems directly. Instead, they infect more vulnerable software used in these systems. Thus, the United States government relies on private sector companies to maintain sound cybersecurity because it uses their products. If the US government wishes to bolster its security systems, it not only needs to survey and strengthen its own operating systems, it also must push the private companies whose products it uses to improve the security of their software, adding an extra layer of complexity and difficulty.

Steps forward

However, the United States government and the international community are taking steps to combat the issues surrounding anonymity, cyber-deterrence, and cyberspace supply chains. 

While there is no perfect solution for acquiring the identity of anonymous cyberattackers, there are efforts to define and outline the legality of cyberattacks and cybercrime. Namely, on June 29, 2021, the Russian government submitted an outline to the United Nations titled “United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes.” While more geared towards cybercrime, the document expands the number of definitions of cybercrime from nine to twenty-three. Moreover, it calls for states to bolster their domestic laws relating to cybercrime and cyberattacks. It even supports more robust systems for extraditing hackers for punishment.  

Additionally, the Biden administration has placed a greater emphasis on cybersecurity. On July 29, 2021, President Biden signed the National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems,” ordering CISA to establish a clear set of cyber priorities and to strengthen the cybersecurity systems that protect physical surface infrastructure sectors. Also, the Biden administration has ramped up cyber deterrence efforts. When President Biden met with Russian President Vladimir Putin on June 16, 2021, he raised the issue of cyberattacks. Biden asserted that there ought to be certain areas of the United States government that are off-limits to foreign cyber-meddling, namely, the sixteen areas of critical infrastructure outlined by CISA. 

Furthermore, over the past ten years, the United States has levied many economic sanctions in response to cyberattacks. Notably, the Biden administration has used a larger proportion of its economic sanctions to punish foreign cyber actors and to promote its cybersecurity. By using multiple avenues of diplomacy and economic sanctions, the United States government is taking measures to strengthen its cybersecurity, and thus its national security too. CISA has created partnerships with several private sector organizations in an attempt to foster greater cooperation, aiming to establish what companies ought to do to ensure that those using their servers – including and excluding the United States government – are secure. 

However, as the United States marches into the 21st century, these difficulties will only become more and more complex. While it is challenging to keep up with the many technological advances, the United States and the international community must take greater measures to combat the opaqueness of cyberspace and the actors that work in it. As the surface of national security changes, the United States government must take additional prophylactic, not merely reactionary, measures to ensure that government operating systems and the data of American citizens are secure. Both are imperative in bolstering our national security. 


Raina Sparks is a first year in Ezra Stiles College. You can contact her at raina.sparks@yale.edu.