When Is a Hack an Act of War?
And other questions Obama’s new cyber policy doesn’t answer.
Obama. Photo: USAID/Flickr
In the political fog following the DNC email leak, President Obama has released Presidential Policy Directive 41, the first federal directive to offer guidance on how the country should respond to "cyber incidents" and attacks.
Unfortunately for anyone looking to our nation's leaders to help us navigate the new reality of political and corporate hacking, the announcement was very business as usual. The directive doesn't fix any of the now-familiar issues with US cyber policy, but, for once, doesn't create any new ones either. Keeping the internet safe for commerce and government activities and enshrining the FBI as the go-to agency for serious "cyber incidents" are its main concerns.
The directive is high on "we're all in this together" rhetoric about the "shared vital interests" of "individuals, the private sector, and government agencies" when it comes to "protecting the Nation from malicious cyber activity," but low on defining what that activity might be, or what responses it might provoke from the government.
As usual, the directive cares about keeping the internet safe for commerce but not, say, women, minorities, or the First Amendment
The memorandum isn't exactly new: it organizes, describes, and codifies practices already in use. It lays out five "Incidence Response Principles" to cyber incidents, which includes a lot of cooperation between the private sector and government agencies, and between government agencies themselves. The directive does gives us a fancy new color-coded "Cyber Incident Severity Schema," which goes from Green or "unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence," up to Level Five or Black, "poses an imminent threat to the provision of wide-scale critical infrastructure services, national gov't stability, or to the lives of U.S. persons."
Sources close to the policy discussion told Reuters that no known hacks have reached Level Five. At this point, though, squirrels pose a greater existential threat to our aging electrical infrastructure (and all that depends on it) than malicious hackers. As usual, the drama of potential cyber-apocalypses, Live Free or Die Hard style, is belied by the banality of the current threat landscape: If anything is going to bring down the North American grid, it'll be closer to Rocky the Flying Squirrel than Mr Robot.
Like the CFAA and other Beltway attempts to regulate the "cyber arena," this policy directive is low on definitions, presumably to allow investigatory agencies wide leeway in determining whether a given action is likely to have, say, a "significant" or merely "demonstrable" impact on "national security, economic security, foreign relations, civil liberties, or public confidence."
While in many ways, the definitional looseness is necessary for laws and regulations intended to guide the response to technologies that may not exist yet, we have also seen time and time again prosecutors exploit the vague wording of anti-hacking laws to launch cases against individuals for iterating numbers in a URL, giving their own log-in information to a third party, or downloading too many academic articles too fast.
As I've written before, regulatory vagueness combined with a popular culture of techno-paranoia means political activists, security researchers, and bored teenagers are the ones more often caught in the teeth of the justice system than criminals. This directive focuses on threats that might be faced by industry, infrastructure, or government agencies, but doesn't mention those more commonly faced by individuals, like harassment, stalking, or doxxing. As usual, the directive cares about keeping the internet safe for commerce but not, say, women, minorities, or the First Amendment.
This directive anticipates nation-state-led acts of cyber-something (though it doesn't necessary say what), and assigns the Departments of Justice, Homeland Security, and the Office of the Director of National Intelligence all roles in the event of "significant cyber incidents."
It doesn't give any hints as to what thoughts, if any, the administration might have on whether an act of "cyberwar" could trigger a shooting war. Nor does it provide insight into how the administration plans to tackle the thorny problem of attribution in the online space, beyond indicating that it's the FBI's problem now.
The underdefined nature of this directive is both familiar and disquieting. While it encourages a great deal of cooperation, it doesn't strenuously define when, for example, a corporation can expect its latest appearance on pastebin to trigger a helpful visit from the FBI. It doesn't indicate what potential acts could trigger overt hostilities between the United States and another nation-state, or how we might solve the attribution problem to identify the nation of origin of a given hack in the first place.
It doesn't give any hints as to what thoughts, if any, the administration might have on whether an act of "cyberwar" could trigger a shooting war
When contacted for comment as to what type of incident would bring G-men to industry's door, badge in hand, the FBI provided the following statement:
"The FBI is proud to be part of the interagency coordination structure to strengthen and streamline the USG response to significant cyber incidents. As the lead for threat response, the FBI will continue to protect the United States from cyber attacks and intrusions by criminals, overseas adversaries, and terrorists. The threat of significant cyber incidents continues to grow and evolve, and we support the creation of this refined, integrated strategy to protect the American public, businesses, organizations, and our national security."
So no help there.
This directive has been in the works for some time. It wasn't created in response to the recent DNC hack, which has been widely attributed, in a bizarre turn, to the Russians. But the timing of its release is interesting.
Large scale data leaks are not going away, and recent history shows they can be effectively used as tools of activism and political change, as in the Mossack Fonseca case, just as they can be the result of criminally motivated hacks. Directive 41, in following the pattern of previous pieces of cyber legislation, seems to be underdefining its objectives to facilitate a future it can't quite see. But each time the government casts such a wide net into the future, it catches a lot of activists, researchers, and civilians along with the criminals and terrorists it was going for.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about. Follow along here.