John Bolton has spent years imploring the U.S. to go on the attack in cyberspace a stance that some digital warfare experts caution could set up the nation for a conflict it would be better off avoiding.
President Donald Trump’s incoming national security adviser has made this point in a series of op-eds, speeches and appearances on panels and television, arguing that America should deploy its “muscular cyber capabilities” to strike back against digital adversaries like China, Russia, Iran and North Korea. The point, he said, would be to impose costs “so high that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.”
Starting April 9, Bolton won’t have to make these pitches in public. He’ll have Trump’s ear — every single day. And with the president preparing to meet with North Korean leader Kim Jong Un, a trade war looming with China, an expected Russian digital assault on the 2018 midterms, and a deadline nearing to re certify the Iran nuclear deal, Bolton’s cyber hawkishness could have significant ramifications.
While officials and cyber specialists agree with Bolton’s push for a clearly articulated digital strike policy, the government has hesitated to dive headlong into what Bolton calls “a retaliatory cyber campaign,” wary of blow back on American businesses and infrastructure, the lack of global rules for online warfare and the debatable effectiveness of digital strikes in the first place.
“If you’re covered in gasoline, be careful throwing matches,” said Michael Sulmeyer, a former cyber-policy adviser to Obama administration Defense Secretary Ash Carter.
“[Bolton’s] rhetoric here is putting any sense of balance we have here at risk,” added Robert Lee, a former cyber officer in the Air Force and co-founder of cyber firm Dragos Security.
While Bolton hasn’t made clear exactly what type of digital strikes he would like to see, offensive hacks could mean anything from infiltrating a political opponent’s email account to blocking communications, cutting off networks, shutting down a power grid or even physically destroying machinery, as it’s widely believed the U.S. did years ago when its Stuxnet malware destroyed nearly 1,000 Iranian nuclear centrifuges.
But starting a back-and-forth cyber war with an adversary like Russia could pose huge risks for a nation as open and wired as the United States. Just two weeks ago, federal prosecutors accused Kremlin-linked hackers of penetrating the U.S. electric grid and copying information that could allow them to take control of power plants’ computers — and potentially even shut off the lights.
The U.S. can’t go “too muscular, too early, without recognizing what could go wrong,” said Sulmeyer, who now helms the Cyber Security Project at the Harvard Kennedy School’s Belfer Center.
Bolton has been beating the drum for going on the online offense since shortly after North Korea hacked Sony Pictures Entertainment in late 2014. The North Koreans seized the company’s networks and released embarrassing internal emails in retaliation for its decision to produce “The Interview,” a comedy about assassinating Kim Jong Un.
Bolton, who served in the administrations of both presidents Bush, took issue with then-President Barack Obama’s classification of the incident as “cyber vandalism.” Obama also vowed to respond “proportionally.”
“North Korea’s attack on Sony should be seen, at a minimum, as state terrorism, verging on an act of war, not mere vandalism, as Obama opined,” the former diplomat argued in a Pittsburgh Tribune-Review op-ed.
When China infiltrated the Office of Personnel Management in 2015 — pilfering over 20 million security clearance reviews, a historic espionage haul — Bolton admonished Obama for his “cyber silence.”