Espionage Attempts Like the SolarWinds Hack Are Inevitable, So It’s Safer to Focus on Defense – Not Retaliation
Under President Barack Obama, for instance, the U.S. leveled economic and diplomatic sanctions against the people and governments responsible for cyberespionage, including North Korea and Russia. The Trump administration likewise imposed sanctions against Iranian and North Korean hackers for a range of cyberattacks targeting U.S. companies, universities and government agencies.
Several scholars, including my collaborators and me, have shown that though economic sanctions do hurt their targets, they also hurt the country imposing the restrictions – in this case, the United States – which misses out on business opportunities in the targeted countries. Newer rounds of sanctions also bar U.S. companies from doing business with third-country firms that operate in targeted countries.
Sanctions don’t actually deter future attacks.
Government Actions Haven’t Been Enough
Beyond punishing hacker countries with sanctions, the U.S. has undertaken operations to directly attack the digital capabilities of those nations. For instance, U.S. Cyber Command, the arm of the military charged with defending the U.S. in cyberspace, cut off a key Russian agency’s internet access during the 2018 congressional midterm election. The U.S. has also sent military cybersecurity experts overseas to learn more about Russian, Chinese and Iranian capabilities. It’s also possible that Cyber Command has secretly undertaken other responses.
None of this has dissuaded hackers from repeatedly targeting American firms and government agencies. Indeed, prior research confirms that the threat of formal sanctions has very little effect on deterring cyberattacks in lab settings.
If Deterrence Won’t Work …
Ignoring cyberattacks, of course, is not a solution either. But I believe the challenge is to determine how to make clear to the perpetrators that large-scale cyber intrusions will not be tolerated – and to do so without escalating the online conflict. I believe there is only one way to prepare – and it’s to accept that hackers will keep trying to attack.
There are some ways to adjust to this new reality, just as there are with other complex and intractable problems. For instance, governments seek to mitigate harm from climate change by limiting greenhouse gas emissions and discouraging new construction in flood zones.
The cybersecurity equivalent could be building and programming computer systems that can withstand faults, failures and hacking while still performing essential functions and protecting data security. The ultimate objective would be not to prevent systems from being breached, but to limit the damage and speed the recovery when they are broken into. My research, and others’, indicates this could be an effective way to address the new reality of state-sponsored hacking while realizing there is no way to truly prevent future attacks.
William Akoto is Assistant Professor of International Politics, Fordham University. This article is published courtesy of The Conversation.
