House bill would create a 'naughty list' for nation-state hacking groups

Last week, the Trump administration delivered a classified report to Congress outlining a new national cyber doctrine. Beyond naming the congressional committees that received the report, the White House has thus far publicly provided no additional details about the document or the strategy that it promotes.

The Trump administration and its predecessor took heat from Congress for failing to articulate a comprehensive doctrine to guide U.S. cyber policy and steer the dispersed authorities over offensive and defensive cyber operations.

John Bolton, who recently succeeded H.R. McMaster as national security advisor, has a history of favoring aggressive and confrontational tactics in cyberspace. But Bolton has been on the job for less than a month and it is unclear how much influence he had on the strategy delivered to Congress.

While the details of the new cyber doctrine remain secret, the Trump administration has spent the past year publicly sketching the outlines of their national strategy for deterring nation-state hacking operations, marshalling the federal government's technical and intelligence resources on a number of occasions to trace and attribute major cyber attacks back to nation-state sponsors.

Such "name and shame" tactics are often paired with additional independent attribution from allies like the United Kingdom and Australia that lay the groundwork for additional economic and diplomatic sanctions. Administration officials have argued this helps establish international norms around clandestine cyber activity and imposes a tangible cost on bad actor governments.

Christopher Painter, who served for six years as the nation's top cyber diplomat at the State Department before stepping down last year, said the importance of cyber has been elevated in recent years to the point where the issue has bubbled up to senior policymakers, who now want to embed good cyber practices into larger economic and security policy debates on the international stage.

"It still has some of these characteristics of being a niche policy issue, but increasingly governments are seeing it as a national security issue, a core issue of their national security, [and] a core issue of their economic security as well," Painter said at an April 25 Center for Strategic and International Studies.

In an environment where governments have at times created uncertainty, private sector tech companies have attempted to draw public lines around their willingness to cooperate with nation-states on offensive cyber. On April 18, a collection of more than 30 companies signed a pledge not to assist any government launching cyberattacks "against innocent citizens and enterprises from anywhere."

Some members of Congress have chosen not to wait for the administration, rolling out legislation to establish a formal process for responding to state-sponsored cyberattacks against the United States government and businesses.

Last week Rep. Ted Yoho (R-Fl.) introduced the Cyber Deterrence and Response Act, which would require the president to designate as a "critical cyber threat" any foreign persons or entities determined to be responsible for such attacks as well as any person or organization that "knowingly materially assisted or attempted such activities."

Foreigners or organizations on the list would be subject to both travel-related and non-travel-related U.S. sanctions, including limitations on doing business with U.S. companies and a prohibition on travel and immigration to the U.S.. The bill, which has 10 cosponsors including cybersecurity-focused lawmakers like Reps. Jim Langevin (D-R.I.) and and Ted Lieu (D-Calif.), also authorizes the president to impose those same sanctions on foreign governments found to have aided, abetted or directed such attacks.

The White House and executive branch agencies already have authority to use all the sanctions and tools mentioned in the bill, but Yoho's office characterized the status quo as an ad hoc process that could benefit from a more formal structure.

While Painter pointed to the attribution of attacks like WannaCry and NotPetya as encouraging signs of increased coordination, he told FCW that the U.S. government and its allies need to work together to deliver quicker and more substantive penalties for offending governments.

"I think we still need to do a better job of actually imposing consequences on those countries that actually make a difference, and I think that requires a lot more strategic thought," said Painter. "I think we're creating a norm of inactivity, that these are acceptable [behaviors] because no one does anything about it."