NEW YORK – The U.S. is “just not there yet” when it comes to defining an international standard for declaring a cyber event an act of warfare, according to retired Admiral Michael S. Rogers.
Speaking here at Advisen’s Cyber Risk Insights Conference, Rogers said the U.S. considered the declaration following the Sony hack by North Korea in 2014 and the NotPetya event launched by the Russians in 2017 but took alternative actions instead, such as economic sanctions against North Korea. Though it caused billions of dollars in damages worldwide, the NotPetya attack did not affect the U.S. as much as other regions, especially the Ukraine.
“Ultimately we made the decision that [the NotPetya attack] did not trip the threshold in the United States. I wonder what would have happened if it did,” the former commander of the U.S. Cyber Command and the director of the National Security Agency said. But for now he said “there is no one scenario” that would trigger an act of war from a cyberattack. Events will be handled on a case-by-case basis.
Rogers was the head of USCYBERCOM and the NSA for both events. He was relieved from the roles in May 2018 and retired the following month.
Economic, political, and military implications need to be carefully considered for an act of war. Attribution would need to be certain. Injuries or loss of life, or an attack against one of our country’s core values such as freedom of speech, would also come into play, Rogers said.
“Tripping that threshold for the first time – actually declaring a cyber event as an act of war – would be huge,” Rogers said at the October 25 conference. “There is a definite desire to make sure that the circumstances under which we cross that Rubicon are very specific. This is not something the government will do lightly.”
Looking ahead to the evolution of cyber risk, Rogers revealed some potentially harrowing developments. He said much of the cyber activity today is generally focused on the “extraction of data for a specific purpose,” whether for monetary gain, theft of intellectual property, or economic advantage.
“What if the focus becomes changing or amending data?” Rogers asked. “We make a lot of decisions in our everyday lives based on the assumption the data is accurate. Remember, our global financial system at its heart is built on the premise of trust – you can at any time find out where the money is, who has it, and how much.
“What happens when that just-in-time approach we use in our professional and personal lives suddenly doesn’t work so well?” he proposed. “The manipulation of data really concerns me, particularly if it is done in a way that the user doesn’t realize there is something wrong.”
Other possible cyber scenarios that concern Rogers include non-state actors using cyberattacks against the West. Groups like ISIS, who have used cyber means to spread its ideology and recruit, could decide to employ cyber as a destructive tool. “They want to destroy the status quo,” he said of these types of non-state actors. He said maintaining the status quo “is not part of the risk analysis” with these groups, whereas nation-states have used cyber to gain an advantage but have yet to use it to cause destruction.
“You need to be prepared to operate in a world in which the list of actors is growing, the complexity of what they are doing is growing, and effort is growing,” he told the conference audience. In terms of an approach to these threats from an insurance perspective, Rogers said: “Don’t build a strategy on [the hope that] it’ll get better in the near term.”
There is no technological advancement in the near term that is going to give the defense an advantage. “I just don’t see that happening,” he said.
Rogers said he sees cyber insurance as “a good tool for us. I believe it fills a need out there.” He said he hopes insurers find a way to incentivize customers like the auto insurance industry has for owners of cars with certain safety features.
“Insurance in general – cyber insurance in particular – has the opportunity to increase the level of cybersecurity in our nation by economically incentivizing smart cybersecurity choices on the part of consumers – individuals or companies,” Rogers said.
In the next breath, Rogers acknowledged the challenges of attempting to understand the probability and severity of cyber events without centuries of historic data. Additionally, the cyber data the industry has does not necessarily predict the likelihood of events or how much they could cost since the definition of cyber risk is always being rewritten.
Managing editor Chad Hemenway can be reached at firstname.lastname@example.org