2018 was in many ways a watershed year for the United States in cyberspace. Washington revamped its cyber strategy. It loosened authorities for military cyber operators. It responded to large-scale global cyberattacks. And it dealt with chilling intrusions on its critical infrastructure. Looking back, though, what did all these changes mean, and how well did U.S. cyber policy fare?
Let’s start with the good news. In two particular areas—attribution and indictments—the United States has shown clear improvements in responding to inappropriate behavior in cyberspace. Over the past year, the Department of Justice significantly increased the pace of indictments against Chinese, Russian, Iranian and North Korean individuals for state-linked cyber activities. The department announced, for example, only one such indictment in 2014, but at least eight in 2018. Such steps, with some exceptions, are not usually enough to change national policies, and more data and analysis are needed to judge their real impact. In theory, though, and especially over the longer term, indictments and sanctions can make it harder for countries to recruit young talented hackers, who may not want to be restricted from travelling to or dealing financially with the United States and Europe.
Another important shift has been the increase in coordinated international attribution of malicious behavior in cyberspace. In the past, official U.S. statements of attribution for cyberattacks were unusual; the rare public finger-pointing at North Korea for the 2014 hack on Sony Pictures Entertainment was a notable exception. In 2018, however, governments became much more willing to attribute cyberattacks, and to do it together. This demonstrates that attribution is increasingly possible, if often slow. And when a state makes a public attribution, it is more likely to step up with additional measures.