Identifying the adversaries behind a cyberattack is often the toughest part of cybersecurity. Not only are hackers skilled at covering their tracks, but they can plant evidence that implicates an innocent party. This inability to identify an attacker makes it almost impossible to stop them, or more importantly, prevent such attacks.
Nation-states are increasingly exploiting this challenge by conducting cyber operations through third-party groups—so-called cyber mercenaries. But despite this growing threat to national security for policymakers, military leaders and businesses alike, we have not done enough to protect against it.
The American public is beginning to see the dangers of an unsecure cyber domain. Just last week, the Obama administration officially accused Russia of attempting to influence the U.S. presidential election through a cyberattack on the Democratic National Committee. And a major U.S. company seems to announce a new security breach every day, from a 2014 cyberattack attributed to North Korea that targeted Sony to the recent revelation that hackers stole the account data of 500 million Yahoo users.
The cyber domain increasingly is becoming a battleground among nation-states as well. Estonia, Georgia and Ukraine are just a few examples. As a result, the international community is publicly shaming governments who use computer networks and devices to achieve political goals.
Adm. Michael Rogers, head of U.S. Cyber Command, recently testified before Congress that nation-states represent the most significant digital threat we face. Rogers is right that direct cyberattacks from foreign countries pose a real threat to national security. But in the long run, a more dangerous threat to national security comes not from direct cyberattacks by nation-states, but from the growing international marketplace for state-sponsored cyber mercenaries that carry out the surreptitious cyber operations of a government.
While governments may follow treaties, protocol and norms to maintain positive international relations, nonstate actors execute their missions with little regard for the international community. After all, privateers are driven by ideologies or financial gain; they don’t care about the effect of their actions on international relations. While the operations of cyber mercenaries are more akin to asymmetric warfare than conventional, they often operate with significant private resources or the resources of their nation-state benefactors — a dangerous recipe.
As experts in the field, we are seeing more nations outsource their offensive cyber operations. This is happening for three reasons. First, there are not enough experts in the field of cybersecurity for many nations to build a cyber workforce within their own borders. Nonstate actors in the global community provide this resource. Second, attacking without being seen is very appealing to regimes that wish to act with impunity. The nonstate cyber actor adds layers of obfuscation. And finally, maintaining a standing army of cyber warriors is costly. A private, criminally financed industry can also be self-funding — even bringing money into a host country — while serving to grow the talent pool.
One of the most challenging aspects of this threat is its ability to morph into new forms. If we cut off the head of the snake, it is more likely that three more heads will take its place. Hacker networks can thrive and proliferate long after a nation-state ends its sponsorship, and they can move from country to country evading criminal prosecution.
And a nonstate actor will certainly be more willing to push the button on a cyber weapon of mass impact than a nation-state would. These criminal enterprises already have targeted U.S. hospitals and police departments, crippling them by shutting down their critical computer networks. State-sponsored cyber mercenaries could become a frequent threat if we don’t adapt our resources accordingly.
In the past, we have had other misses as the nature of threats changed. For example, when the Soviet Union collapsed, Soviet stockpile of nuclear weapons did not vanish; they were dispersed across the world and continued to pose a threat to the U.S. in the post-Cold War era. And, just as ISIL emerged in the post-9/11 world, new nontraditional groups are likely to surface online. Such groups will be capable of attacking us in ways we have yet to imagine — regardless of the fate of any particular nation-state adversary from which that group may be spawned.
To address this growing cyber threat, government and the private sector will need to collaborate to build better network situational awareness and create a trust of new, more distributed human intelligence networks working in and around cyber black markets. This will require new thinking when it comes to how we develop and operationalize our global intelligence capabilities, and will certainly require the engagement of the private sector in a meaningful way — a challenging proposition in a post-Snowden world.
Ultimately, policymakers will need to prioritize new goals and funding for the intelligence community to address these issues, and new incentives for the private sector to collaborate. After all, fighting adversarial nation-states is quite different than fighting distributed terror networks. And fighting a new culture of cyber-guerilla warfare poses even greater risks; this quickly evolving breed of malicious nonstate actors in cyberspace looks, acts and grows quite differently than traditional terror cells. For instance, weapons trafficking is far easier and quicker in the cyber realm than in the physical world.
The next president should convene a special commission of senior leaders from both the intelligence community and private sector — specifically telecommunications, social media and defense — to examine where common ground and joint interests exist, and identify additional tools to responsibly counter the proliferation of highly distributed networks of cyber mercenaries. While presidential commissions have been proposed and implemented in support of developing a national cybersecurity strategy more broadly, none has focused specifically on how to neutralize cyber-mercenaries and nonstate actors.
Finally, the global community, through members of the United Nations Security Council and beyond, must establish international treaties and norms that discourage the use of criminal organizations in the conduct of cyber operations and promote the prosecution of these criminal organizations within their host countries.
Perhaps most critically, in the age of nonstate actors, the government must improve its ability to identify cyber mercenaries — and any states sponsoring them. Treaties, laws and international norms hold little value if we cannot do so.
The hackings of the DNC and the emails of the chairman of Hillary Clinton’s presidential campaign, John Podesta, have created new interest on cyberthreats to U.S. national security. The country is rapidly becoming aware that cyberthreats come in many forms; cyber mercenaries pose distinct challenges from traditional kinetic actors. We should not forget these lessons once the campaign season ends.