How Should the U.S. Approach Cyberwarfare?
As the age of cyber-conflict dawns, the U.S. is wholly unprepared to respond to emerging threats.
The cyberwarfare sphere only emerged two decades ago, but it has already had a significant effect on the security of nations. The openness of the United States' information systems has made its government and private sector daily targets of intrusions of varying severity. As technological innovation accelerates, cyber-attacks will become more sophisticated, and state and non-state actors will find it easier to hide their actions behind proxies and borrowed infrastructure. And although the U.S. carried out the largest known cyber-attack against a nation-state, its defensive capabilities are sorely lacking. The U.S. has developed neither cyber-weapons as quickly as its adversaries nor a consistent cyberwarfare strategy. Over the next decade, the U.S. government will need to secure the information systems supporting the military and national infrastructure, develop detailed plans that identify the most likely cyberwarfare threats facing the country, and promote digital and media literacy so that the public is harder to manipulate.
America in the Cyber Age
American efforts to develop cyber-weapons and improve its capabilities are largely kept secret; top leaders in the defense and intelligence communities have been reticent to disclose information for fear of revealing their strategic advantage over adversaries. David Sanger nevertheless lays out a comprehensive history of American cyber efforts in The Perfect Weapon. Leaders saw signs in the early 2000s that cyberterrorism was emerging as a major issue, but did not adapt quickly. In the Department of Defense (DoD), a few officials initially handled cyber issues at Strategic Command, while in the intelligence community the National Security Agency (NSA) began building a cadre of civilian coders to develop nascent cyber-weapons. Initial offensive efforts focused on retrieving "data at rest" (e.g. databases, files on hard drives, and spreadsheets) rather than on disrupting systems.
But the U.S. did not fully realize that it would need to invest in cybersecurity until 2008, when Russian intelligence penetrated the Pentagon's computer systems. In response, the DoD created Cyber Command in 2009, housed at Fort Meade (also home to the NSA). Cyber Command's Cyber Mission Force is composed of roughly 6,000 personnel split into 133 teams. This gave the U.S. the human capital it needed to build cyber-weapons for use against Iran, its first major nation-state target. Stuxnet was a collaboration between the U.S. and Israel and sought to destroy centrifuges at Iran's largest nuclear enrichment facility at Natanz. Teams in both the U.S. and Israel tested the code against replica centrifuges before the malware was carried into the isolated Natanz network on USB drives. Stuxnet ended up setting back Iran's enrichment efforts by about a year. Cyber Command then began planning an attack, nicknamed Nitro Zeus, during the negotiation of the Joint Comprehensive Plan of Action (JCPOA). Nitro Zeus sought to impair Iran's air defenses, communication systems, and power grid, and was held in reserve in case the JCPOA negotiations failed. Such an attack would essentially be an act of war, since it would shut down much of Iran's critical infrastructure, so the planning could not afford to be detected by Iran without risking escalation to armed conflict. During the planning of Nitro Zeus, Cyber Command teams successfully infiltrated Iranian cell phone networks and the Revolutionary Guard Corps' command-and-control systems (the systems through which the Guard directs its forces). Much of Cyber Command's recent work remains unknown.
NSA staff mainly focus on gaining access to many foreign systems and planting implants in "corners" of those systems where they are unlikely to be detected. These footholds are relayed to Cyber Command, which can devise plans that make use of them. The problem with NSA-Cyber Command coordination is that the two frequently argue about their respective roles in American cyber strategy: the NSA writes most of the code that goes into cyber-weapons, but soldiers in Cyber Command execute the attacks. Moreover, both the military and intelligence communities not only remain committed to secrecy but have yet to define the parameters of cyber-conflict. The unspoken rule of American cyber strategy is to wage constant, small-scale cyber-attacks that stay below the threshold that would provoke armed conflict. Analogies borrowed from other domains do not translate well to cyber defense; the destruction inflicted by a cyber-weapon is not comparable to that of a nuclear weapon, for example, so nuclear-era deterrence thinking cannot simply be reused. Besides defining American "red lines" when devising technical plans, leaders must define and set norms for cyber geostrategy.
Within American information systems, the private sector is perhaps most vulnerable to attacks from other states because the government cyber community rarely tells companies that they have been compromised (the attacks that are reported are typically fraud-related). Affected companies often learn of an intrusion from their in-house IT department up to two months after it occurred, or never learn of it at all, which leaves them exposed to further attacks from the same or other malicious actors. Companies also suffer reputational damage when they disclose an attack to customers. In the past, affected companies have seen reduced sales or have been required to pay for customers' credit card replacement fees or consumer credit-monitoring services.
The potentially damaging effect of cyber-attacks on commerce is a problem unique to America's infrastructure compared to its adversaries in cyberwarfare. China, Russia, Iran, and North Korea all exercise an exorbitant degree of control over their citizens' internet access, making it easier for them to contain the private information that the U.S. would want to target. In the U.S., regulation of the Internet and surveillance are deeply unpopular, yet U.S. national security has been harmed most by cyber-attacks that divulged personal information (e.g. the 2013–2014 Chinese hack of the Office of Personnel Management, and the 2016 Russian hack of the Democratic National Committee together with attempts to spread disinformation about the presidential election) rather than state secrets. The following policy recommendations are therefore aimed primarily at improving and preserving private information systems.
I. The U.S. must create many tailored plans to deter a range of attacks from each possible adversary.
“We currently cannot put a lot of stock…in cyber deterrence. Unlike nuclear weapons, cyber capabilities are difficult to see and evaluate and are ephemeral. It is very hard to create the substance and psychology of deterrence in my view.” — Former Director of National Intelligence James Clapper
The Defense Science Board set out guiding principles of cyber warfare and made policy recommendations to the DoD in 2017 based on the concepts of "deterrence by denial" and "deterrence by cost imposition." This recommendation builds on both principles. Because the U.S. faces different risks depending on the adversary and its motives, the cyber community must plan responses for every plausible attack scenario, and the planning process should involve actors beyond Cyber Command and the NSA. China and Russia, for example, are believed to be the U.S.'s greatest adversaries in cyber warfare. Although the two have different reasons for attacking the U.S. (China aims chiefly to steal intellectual property, while Russia spreads disinformation), both have a strong stake in avoiding a major cyberwar. Against them the U.S. should therefore rely on deterrence by denial: communicate that it has both the defenses and the resilience to withstand an attack, so that adversaries understand their cyber-attacks would be unsuccessful. These plans should be subordinate to policy guidance on engagement with the two countries, so Department of State officials should be involved in public affairs-related actions. Finally, plans should include "whole-of-government" response options (e.g. diplomatic expulsions, economic sanctions) as additional retaliation against these two major powers in the event of a cyber-attack.
In contrast, deterrence strategies against smaller states (e.g. North Korea and Iran) and non-state actors should rely on imposing costs. These actors may lack the resources to carry out destructive cyber-attacks, but they adopt a "death by 1,000 hacks" approach (repeated, small attacks that eventually wear down the target) and undermine the credibility of the target's responses. To impose costs, American leaders must credibly threaten the values and/or assets of the individuals directing the attacks, and must communicate those threats to the adversary in advance. Under both approaches, multi-agency teams must conduct frequent war games to test plans and identify risks. At this stage in the planning process, leadership should also establish firm rules and norms that it can share with allies that have vibrant information systems, to better navigate the anarchic cyber frontier. Defining norms would also help the U.S. reduce the risk of a cyber-weapons race among major powers such as Russia and China.
II. The U.S. must protect critical infrastructure by further securing weapons and creating a public-private cybersecurity communication channel.
U.S. deterrence strategy has primarily relied on the American nuclear arsenal to impose costs on adversaries across all domains of conflict. If adversaries came to believe that these weapons were vulnerable to cyber-attack, U.S. credibility would be badly damaged. The Department of Energy and the DoD should therefore work immediately to make nuclear command, control, and communication systems highly resilient to cyber-attack. Security measures such as two-factor and/or biometric authentication and behavior analytics would make it far harder for an intruder to gain or retain access to these systems. And if an adversary did break into the networks that control these weapons, the logging these measures produce would at least increase the probability of identifying the attacker, so that the U.S. could prepare to retaliate. This would protect much of the publicly owned part of the "critical" national infrastructure as designated by the Department of Homeland Security (DHS).
About 85% of American critical infrastructure is privately owned, so the public-private relationship must be strengthened if cyber defense is to succeed. First, Cyber Command and the NSA must increase information sharing with American corporations and organizations. The cyber community should guide the private sector in developing risk management plans and should brief it on new types of attacks, malware, and threats emerging in cyberwarfare, so that organizations can direct their IT departments to patch and reconfigure their systems accordingly. The private sector must in turn be able to relay its concerns and issues to the cyber community. If a confidential channel were established between companies and the cyber community, companies could respond to attacks, and receive technical support from the government, without having to publicize the attacks.
Affected corporations should also reach out to DHS's Cybersecurity and Infrastructure Security Agency (CISA). CISA reinforces public-private partnerships and provides cybersecurity training and assistance (Brooks). CISA goes one step beyond the cyber community's outreach efforts by producing risk assessments for concerned organizations. By collaborating with CISA, corporations would enter a cycle of efforts that improves their cybersecurity broadly. Although protecting critical infrastructure is difficult in democracies, where information is open and accessible, U.S. national security depends on reducing vulnerabilities in infrastructure that the Defense Science Board estimates will persist for the next five to ten years, even with swift public-private action.
III. The U.S. must establish a campaign to increase Internet literacy and fight misinformation.
After Russia used a "troll factory" to spread disinformation on social media before the 2016 presidential election, the cyber community realized that states can use cyber operations to influence social dynamics as well as to cause technical destruction. Although influence operations of this kind do not violate the integrity of computer systems, they seek to undermine the integrity of national values and institutions. The U.S. did retaliate against Russia for its attempts to influence the election (e.g. via diplomatic expulsions), but this type of attack remains difficult to fight. Some countries, however, have been successful in deterring other states' digital influence campaigns.
Estonia was the victim of the first widely recognized state-to-state cyber-attack in 2007, when distributed denial-of-service attacks attributed to Russia knocked Estonian government, banking, and media websites offline for days. Since then, Estonia has improved its cybersecurity by building a volunteer Cyber Defence League whose members meet with citizens to promote digital literacy. The Estonian government has a strategic communication team that monitors and flags potential Russian propaganda on Estonian social media, and it requires all high school students to take a week-long course on media and manipulation. Finally, the country's electoral office runs a working group that monitors efforts to influence elections.
Although it is questionable whether the U.S. federal government would do much to fight disinformation, U.S. states are well suited to implement digital literacy programs in their classrooms, similar to the Estonian model. Silicon Valley companies are also incentivized to confront disinformation after the criticism they received for their handling of Russian interference in 2016. A majority of Americans get at least some of their news from social media platforms such as Facebook or Twitter. If these platforms are unwilling to remove fake content, they should at least provide assessments of the reliability of media sources. Such assessments could be simplified into a single numeric or visual score displayed next to each news post, giving Americans more control over their news consumption.
As technology becomes more integrated into our lives, particularly as the “Internet of Things” expands and more everyday items become computerized, the U.S. must take action to minimize or eliminate vulnerabilities in its critical infrastructure. Cybersecurity needs to be improved on both technical and social fronts. And because the U.S. has an open Internet, diverse corporations, agencies, and actors must unite to improve their cyber capabilities and resilience. Only then will the U.S. be prepared to defend itself against the multifarious threats it faces.