LAS VEGAS. Two leading cybersecurity strategists are offering tangible ways to assess whether the Trump administration’s embrace of offensive cyber actions as the linchpin of deterrence actually “makes things better or worse” for the nation in cyberspace.
The Trump strategy of “persistent engagement” is “the most significant policy change in 20 years,” said Columbia University’s Jason Healey, a prominent cyber strategist and policy voice. Healey and research partner Neil Jenkins of the Cyber Threat Alliance discussed their work today here at Black Hat.
Healey noted that National Security Advisor John Bolton is pushing for offensive operations in cyberspace to “create structures of deterrence,” while the chairman of the Joint Chiefs of Staff and the head of Cyber Command have recently preached the message that good offense is good defense.
“The question is whether it’ll work or not,” Jenkins said. He said the alternative to this “hawkish” approach was not a “dovish” cyber philosophy but rather an “owlish” approach that’s more cautious than the line Bolton has embraced and more aware of potential blowback from U.S.-launched cyber attacks.
Asked for a show of hands in the crowded ballroom here, the security pros, researchers and others appeared to favor “owlish” by a two-to-one margin in a nonscientific survey.
But Jenkins underscored a key concern for policymakers: There’s little data to support either view.
“We have to do better,” Healey said, because “it’s getting down to a policy question: Are we meeting the goals of policy makers? We need a structured theory of cause and effect.”
He said the persistent engagement camp posits that adversaries are “conducting a free for all” in cyberspace, and that the new U.S. approach can ensure both superiority and stability.
Jenkins said the question to measure is whether persistent engagement “shepherds adversaries back to stable norms” or “amplifies current trends” and leads to more cyber attacks on the U.S.
Making the grade
The U.S. government is emphatically not explaining how it intends to measure success, Healey said, while assessments coming out of either Cyber Command or the Intelligence Community translate into protagonists “grading their own homework.”
Instead, Healey and Jenkins offered three alternatives for assessment.
First, they discussed the U.S. government’s own Incident Severity System, which Healey called “messy but simple.” It assesses impacts of cyber attacks on a 0-5 scale and “may be a place to start” in determining whether serious cyber incidents are diminishing.
Healey cautioned that it “can’t get close to causation” and Jenkins said “it may be a little too simple, but maybe it’s a place to start.”
Second, they turned to Bolton’s remarks in unveiling the Trump administration’s National Cybersecurity Strategy, that the goal was to deter incidents like the breach at the Office of Personnel Management. “OK, let’s figure out what that means,” Healey said, by describing an OPM-type incident, and classifying past incidents against that marker.
“The hawks say we will see a decrease in significant attacks,” Healey said. “But what if the new policy leads to a sharp increase? If there’s a spike, the hawks will have to explain that.”
This approach “does allow analytical transparency, we know what we’re counting,” Healey said. “But we still don’t get to correlation/causation.”
Finally, Healey and Jenkins offered “a deep dive” on goals related to a particular adversary, such as decreasing Chinese commercial espionage.
Jenkins noted shortcomings in each of the three methods of assessing effectiveness, but said they provide tools for making determinations on whether the policy is meeting the goals.
In the debate between hawks and owls, Healey said, “It’s not even a matter of convincing each other. It’s about being more ‘correct’” in assessing actual results of the policy choices.
“The direction we’re going in is potentially very dangerous,” Healey said. “And right now we’re letting the government grade its own work.” – Charlie Mitchell (email@example.com)