In the discussions about cyber threats that continue and expand daily, there is a tendency to lump together all types of threat regardless of where they fall on the spectrum. This lack of precision entails consequences, one of which is that it prevents us from focusing on the highest-end threats that should command our greatest attention. To move forward smartly, the United States needs a way of thinking about the various threat actors that parses and differentiates between and among them, according to the significant ways in which they may differ. Such a typology would help U.S. policy-makers better rack and stack the threat, and respond accordingly. Keep in mind that not all hacks or hackers, nor all actors, are the same.
Nation-states -- especially China, Russia, Iran and North Korea -- pose the high-end cyber threat to the U.S. homeland, but states vary widely in their sophistication, capability, intent, motivation, tradecraft and its application. The United States should focus its resources on this high end of the threat spectrum, and in doing so, should focus upon actors and their behaviors, rather than on technology or on means and modalities of attack. This means digging deeper into specifics, and factoring those case-by-case details about each of our adversaries into a tailored U.S. response that is designed to dissuade, deter, and compel them.
Consider the relative capabilities and intentions of China, Russia, Iran, and North Korea, with respect to computer network attack (CNA) and computer network exploitation (CNE):
While more sophisticated and/or more determined than other U.S. adversaries in the cyber domain, even these four actors must be distinguished and differentiated in terms of key variables. China and Russia, for instance, are deeply engaged in CNE -- whereas Iran and North Korea are more likely to turn to CNA, despite lacking the level of capability that China and Russia possess. Note, however, that the line between CNE and CNA is thin, turning largely on the matter of intent. In other words, if an actor can exploit, that actor can also attack.
To the extent that the United States makes headway in delineating and differentiating between and among actors, moreover, it is important to bear in mind that the above assessment is a steady-state one. Yet the countries' positions on the grid may well shift -- and shift significantly -- in response to triggering or unforeseen events:
The bottom line is that the United States should re-calibrate its cyber efforts to better meet the threat spectrum that exists -- and in doing so, the U.S. should strike a careful and powerful balance between offense and defense, to include an active defense component, and a well-developed and well-articulated cyber deterrence strategy. A more nuanced approach to understanding the threat, as well as to responding to it, would serve the U.S. well. For more details, see this testimony presented before the House of Representatives, Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, as part of last week's hearing on "Cyber Threats from China, Russia, and Iran: Protecting Critical Infrastructure."