Michael Chertoff is a co-founder and executive chairman of The Chertoff Group, a global risk-management and security consulting advisory firm. He served as secretary of the US Department of Homeland Security from 2005 to 2009. We asked him questions about cybersecurity, the United States’ changing relationship with China, and his proudest moments during his time at the Department of Homeland Security.
How should a successful cyber attack by a foreign actor that destabilizes US national security be viewed by Congress or President? If there is no loss of life, is this considered an act of war?
I am the co-chair of the non-governmental Global Commission on Stability in Cyberspace which focuses on developing proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. We are currently in the process of developing recommendations to help governments clearly define the rules of engagement for offensive cyber operations. Nation-states are still divided over the principles underpinning when to escalate responsibility for cyberattacks to the nation-state level in cyber norms accords. Similar to the physical world, we don’t bomb civilian power plants when we’re involved in conflict because it violates the laws of armed conflict, we ought to have a similar set of rules for cyber conflict.
What kind of response does a cyber attack warrant? How should it be handled by the international community?
We need to ensure that when we respond to a cyber attack we have a full range of options at our disposal to properly deter future attacks. Like in the physical world, those responses must ultimately be calibrated to the severity of the attack and specifics of the circumstance. As a result, the potential responses will range from diplomatic warnings to a proportional cyber response; from a criminal indictment to a kinetic strike on a physical battlefield. We must be prepared to leverage all of our options.
We must also make it clear that we are willing to use all of the options at our disposal. Broader sanctions, including economic and banking sanctions, can also be leveraged as both a response to a cyber attack and as a deterrent against future attacks. Offensive cyber activities and even kinetic military strikes may also be justified in certain circumstances. What is important is that the United States responds in a proportional manner and in one that deters our adversaries from taking similar action in the future. We must also consider new ways in which we can cooperate and coordinate with our allies on cybersecurity, not just in terms of sharing intelligence and capabilities, but in deterrence as well.
The US’ relationship with China is at a crossroads— both in terms of trade and security. Since much of China’s industry is a government-owned or government-sponsored enterprise, how does the US protect its open, market-based economy from stealth attempts to obtain US technology and intellectual property?
The rapid technological rise of China and its intellectual property theft have eroded America’s advantages, while globalization has made it prohibitively expensive to manufacture certain technologies in the US. In such an environment, it is imperative that we take the actions necessary to ensure the US will have access to secure forms of the advanced technologies that underlie both our economy and military. I recently co-authored a piece with Mike McConnell that outlines how the government can take a more active role in the roll-out of vital technologies. In the case of 5G, the US should follow the lead of other countries, freeing vital spectrum and easing the deployment of new base stations. In developing this network, we must consider both security and the need for competition—the network has little value if there is no trust in it and an ecosystem without competition stifles innovation and increases costs. Users and providers must have trust in the 5G supply chain if they are going to allow their private data to traverse the network. A non-competitive marketplace, both in 5G network infrastructure and 5G chipsets, is likely to leave providers and end-users more susceptible to potential security vulnerabilities in the equipment of a particular provider. The US can benefit greatly from enhanced coordination with its allies, leveraging their innovations to address our own technological and manufacturing gaps. Coordination can come in varying forms, including multi-lateral purchase arrangements, like those for the F-35, or by purchasing 5G technologies from Sweden’s Ericsson rather than China’s Huawei.
There have been calls by some, most recently Congresswoman Alexandria Ocasio-Cortez, to disband the Department of Homeland Security. What are your thoughts on the proposition?
The Department of Homeland Security has an invaluable mission: to secure the nation from the many threats we face. Disbanding the department would be a bad idea because it could create serious vulnerabilities to our national security functions and cause lasting damage to our security. DHS was born out of 9/11, when 23 different agencies were pulled into one department in an effort to provide greater organization and communication in the government’s ability to address threats to the homeland. It’s a different world today than when DHS was created, and the threats today are now more varied, complicated, and digital than they were when the department was formed. And with the evolution of cyber threats from criminal groups and nation states, DHS’ ability to work with the private sector is even more important.
The threat landscape has changed in a number of ways. We’ve done a good job building an architecture to protect against foreign operatives coming into the US as they did on 9/11. We’ve done that through better collection of intelligence, the National Targeting Center, and other capabilities that we use to identify people who might be risks to the nation. But what has changed is that we’re now dealing with what I call Terrorism 2.0 and 3.0. Not necessarily the big attack like a 9/11, or like the plot in August 2006 to blow up a dozen airliners, but rather small-scale attacks like we saw at the nightclub in Paris or in Mumbai or what I call “3.0” which are inspired attacks— people who are radicalized and get behind the wheel of a car to run people over, or pick up a gun or a knife. Those are very hard to detect. The key in those cases is how quickly and effectively you respond. I also believe the possibilities of ideologically motivated violence are now not only jihadi violence, but extremists on the right and the left. We could see a return to the days of the late 50s/60s when we had very left-wing or right-wing extremists carrying out attacks against Americans.
Along with the FBI, DHS plays a lead role in protecting the homeland from those threats. And it plays a leading role now in working with the private sector which finds itself under constant cyber threat. The way we’ve organized the government, which is what we envisioned back under President Bush, is that the responsibility rests with three agencies to deal with cyber threats. Cyber warfare and the protection of the military is Department of Defense. Investigation of cyber criminals is the Department of Justice. Protection of infrastructure is DHS— that includes protection against bombs and against cyber attacks. We’ve got the lanes in the road marked and the concern now is promoting close relations with the private sector to help them raise their capability and their level of awareness.
Looking back on your time at the Department of Homeland Security, what are some of your proudest moments?
I am most proud of the men and women on the front line of our homeland security who stopped any successful attacks on the US from international terrorists, including the thwarted 2006 al-Qaeda plot to blow up 10 airplanes. My first act as Secretary was to initiate a comprehensive review of the Department’s operations, policies, and organization, known as the Second Stage Review. This initiative resulted in department-wide and Congressionally supported realignments and functional consolidations to improve the Department’s capacity to address identified vulnerabilities, threats, and consequences. I’m very proud of our team for building a risk management architecture to deal with fundamental challenges: prevention, protection, and all-hazards response and recovery.
The views and opinions of the author are his own and do not necessarily reflect those of the Aspen Institute.