Battlegrounds
Page 42
To deter attacks, the United States and its allies must be prepared to act against hostile cyber actors beyond the cyber domain. But sanctions or other threats of punitive actions are often inadequate. They require holding something of value to an adversary or an enemy at risk, and that proves difficult with elusive terrorists or criminals whose organizations hide their leadership and other important assets. And as hostile regimes like Iran and North Korea come under increased international and internal pressure, their leaders may conclude that they have little to lose. That is why deterrence by denial—that is, convincing adversaries that they cannot accomplish their objectives through a cyber attack—is essential.
Deterrence by denial requires a combination of offensive and defensive capabilities, improved resilience of systems, and a high degree of cooperation across government, businesses, and academia. Unfortunately, such cooperation is a challenge in our decentralized, democratic systems. According to Director of National Intelligence James Clapper, when North Korea hacked Sony studios in 2014, the response had to go “through some other country’s infrastructure, the lawyers went nuts, so we didn’t do anything on the cyber front.” Instead, “We ended up sanctioning a bunch of North Korean generals.”10
During the first year of the Trump administration, our NSC staff worked to remove these bureaucratic impediments. I was frustrated with the slow progress, but once appropriate authorities were granted, the United States became more responsive and competitive. Cyber defense of the 2018 midterm elections, directed under Gen. Paul Nakasone, the hypercompetent director of the NSA and commander of U.S. Cyber Command, was effective. As Nakasone reported to Congress in February 2019, “We created a persistent presence in cyberspace to monitor adversary actions and crafted tools and tactics to frustrate [the Russians’] efforts.”11
A counterintuitive but key defensive action is ensuring that cyber networks and systems are designed for graceful degradation under the assumption that they will be attacked relentlessly. When Russia attacked Ukraine’s power grid in December 2015, the antiquated nature of the system actually proved an asset, as it permitted the restoration of electrical services in less than six hours through an analog backup. Exquisite systems based on the latest technology may be prone to catastrophic failure. Resiliency must be a critical design parameter for communications, energy, transportation, and financial infrastructure. Resiliency requires keeping suspect hardware and software off networks and continuously identifying and, when appropriate, preempting enemy attacks. A first step is to recognize that allowing companies such as China’s Huawei or ZTE into our communications networks is tantamount to opening Troy’s gates to the mythical Trojan horse. Vigilance should be habitual and integrated into company and governmental operational culture. A best practice is to reward hackers who expose flaws. Microsoft, for example, changed its policy from threatening hackers with lawsuits to inviting them to security conferences and paying them “bug bounties” for uncovering security vulnerabilities.
There must also be a high degree of cooperation across the public and private sectors. As Jason Healey, an expert in cybersecurity at Columbia University, observed, “America’s cyber power is not focused in Fort Meade with NSA and U.S. Cyber Command. The center of U.S. cyber power is instead in Silicon Valley; on Route 128 in Boston; in Redmond, Washington; and in all of our districts where Americans are creating and maintaining cyberspace.”12 U.S. government relations with the technology sector, however, are often contentious.
Competing effectively in the cyber domain requires common understanding. It is important for engineers at tech firms to know how adversaries use cyberspace and emerging technologies and to be aware that their firms are competing against not only other companies, but also hostile nations. Companies that reject opportunities to work with the United States and other democratic governments, while helping authoritarian regimes repress their own people, may not realize the dangers they promote. The decision by Google employees to protest the company’s participation in a U.S. intelligence contract while Google was simultaneously helping the CCP empower its surveillance state must have been based in part on ignorance of what was at stake in the U.S. competition with the CCP.13
Private-sector companies that specialize in cybersecurity and countering cyber espionage hold promise for bridging the divide between the tech sector and government. One example is Strider, a cybersecurity company founded by Greg Levesque, who has experience in both government and industry. Strider uses proprietary data sets, machine learning, and human intelligence to combat intellectual property theft inside companies. More and more private-sector companies will likely conclude that they need to be active on adversary networks to detect and preempt attacks on their systems or intellectual property. And private-sector efforts that overlap with those of governments could lead to better civil-military coordination and cyber defense burden sharing. Because companies that go offensive in cyberspace risk incurring foreign government penalties, assuming liability for harm inflicted on innocent third parties, and sparking an escalation to armed conflict, public- and private-sector coordination is essential for integrating offense and defense in cyberspace.
* * *
IN THE last century, space was the new competitive domain. In 1957, when the Soviet Union launched Sputnik into orbit, U.S. leaders feared that they were losing that competition. Fear inspired a range of reforms, including a rejuvenation of science education, an intensified focus on missile development, and the creation of the National Aeronautics and Space Administration (NASA).14 In the wake of the Cold War, however, U.S. commitment to leadership in space waned as some assumed that space would become a benign environment in which the world’s powers would cooperate for mutual benefit.15 Showing optimism bias similar to that about the free and open internet, the United States assumed that if it chose not to weaponize space assets, that others would follow its example. Predictably, this bout of strategic narcissism applied to space caused the United States to fall behind. After the retirement of the Space Shuttle in 2011, the United States became dependent on Russia for manned spaceflight. International cooperation in space did expand, but recognizing that space capabilities gave the United States significant economic and military advantages, Russia and China chose not only to develop their own programs, but also to build weapons to disable or destroy those of the United States and its allies.16
In 2007, China shot down one of its own satellites with a missile. In the ensuing years, Russia and China developed a range of disruptive counter-space capabilities, which ranged from anti-satellite laser weapons and missiles to orbiting weapons to electronic warfare jammers.17 Countries friendly to the United States are developing their own capabilities to deter hostile actors. In March 2019, for example, India used an anti-satellite missile to blow up one of its own satellites and show the world that it, too, had offensive counter-space weapons.
In 2017, recognizing the need to compete more effectively in space across the government and commercial sectors, the Trump administration reestablished the National Space Council under Vice President Mike Pence. I asked the NSC staff to work with Vice President Pence’s team to develop a strategy for reinvigorating our space program. Our team got to work under an extremely knowledgeable and effective air force officer, then-Maj. Gen. Bill Liquori. Bill understood that the stakes were high and that cooperation with allies and the private sector was necessary to combat the potential dangers stemming from the militarization of space and to take full advantage of opportunities associated with the commercialization of space. The Space Council established objectives to deter and, when necessary, defeat adversary space and counter-space threats; to ensure that American companies continued to lead in innovative space technologies; and to use space exploration to “transform knowledge of ourselves, our planet, our solar system, and the universe.”18
As in cyberspace, deterring aggression depends on convincing an adversary that it cannot accomplish objectives through offensive action against U.S. space ass
ets. The U.S. government and industry should protect technology that might assist China or Russia in developing advanced space capabilities that could be used against us. U.S. companies should be suspicious of foreign investors like the Chinese company Tencent, which has taken large stakes in U.S. space start-ups such as Moon Express, Planetary Resources, NanoRacks, and World View Enterprises.19 Tencent, the company that owns WeChat and QQ, two of the largest social media applications, acts as an extension of the CCP by censoring, monitoring, and reporting private communications and personal data. It will continue to act as an extension of the party in space.
Despite these dangers, space competition provides real opportunities to improve security and prosperity and address some of earth’s most pressing needs. Systems delivered into space will deliver persistent global access to the cloud as nongeostationary (NGSO) satellites (satellites that move in relation to Earth’s surface) process data and communications. These satellites can provide real-time persistent remote sensing of the surface of Earth, which can contribute to environmental protection and rapid response to natural and man-made disasters. Planet, a company founded in 2010 by a team of ex-NASA scientists, aims to image the entire Earth every day and make changes visible, accessible, and actionable. The transparency its 150 earth observation satellites provide can identify diverse activities important to security, such as missile activity in North Korea, destruction of rainforests in Brazil, wildfires in Australia, pollution and damage to ecosystems in India and China, and protests in Iran. More opportunities to use space for solving problems on Earth are reaching technical feasibility and economic viability. One example is space-based solar power generation.
To take full advantage of opportunities and protect against dangers in space and cyberspace requires an understanding of how technologies interact with one another and humanity. Too often the application of a promising technology lags because it is viewed in isolation of others that, when combined, unleash tremendous potential. That is why collaboration among scientists and between scientists and policy makers is vital for innovation. The need for collaboration on crucial challenges to national security is growing because technology-based innovation is shifting away from governments and toward the private sector.
* * *
PRIOR TO the end of the Cold War, the U.S. model of technological development was relatively closed, meaning that the government funded and controlled access to major initiatives such as nuclear weapons, jet fighters, and precision-guided munitions. These programs were protected by security classifications, patents, and copyrights. When the government decided to declassify technologies such as microchips, touch screens, and voice-activated systems, private-sector engineers and entrepreneurs combined and refined those technologies to kick-start new industries such as the smartphone.
In the twenty-first century, technological innovation truly opened up. Innovations increasingly derive from diffuse publicly financed research. Meanwhile, China has implemented its top-down military-civilian fusion strategy to steal technology and direct investments with the intention of surpassing the United States in strategic emerging industries (SEIs) and military capabilities. A new model for applying new technologies to national security challenges is overdue lest the United States and its allies find themselves at a significant disadvantage.
Much of academia, the private sector, and the government has been oblivious to how adversaries can steal and apply technologies developed in the United States to threaten security and human rights. I have discussed many of these in my earlier chapter on China, but I would emphasize here that U.S. capital is accelerating the CCP’s efforts to surpass the United States in a range of critical emerging technologies, such as AI technologies and others, important to achieving military superiority. Seven hundred Chinese companies, the majority of which are state-owned or controlled, are traded in the U.S. debt and equity markets. U.S. citizens fund companies that are building the next generation of the PLA’s military aircraft, ships, submarines, unmanned systems, and airborne weapons. In 2018, U.S. venture capital investment in Chinese AI companies exceeded investment in U.S. companies. Many U.S. and allied executives and financiers go beyond the quotation attributed to Vladimir Lenin that “The capitalists will sell us the rope with which to hang them.” They are actually financing the CCP’s acquisition of the rope.
In 2017, it was clear to Matt Pottinger, Nadia Schadlow, Brig. Gen. Robert Spalding, and others on the NSC staff that it was past time for the United States to reenter the arena of technological competition. Any decisions involving technological and infrastructure development must consider how the proposed technology and infrastructure would interact with geopolitical competitions. One of the most important competitions is over control of data. Whoever controls 5G hardware will have access to data flows and influence over establishing data protocols that could not only impinge on privacy but also bestow unfair economic advantage. Control of data, when combined with AI technologies, can permit dominance of key sectors of the global economy.
But even an expansive view of Chinese designs on AI and military technologies may be too myopic, as the CCP’s ambitious strategy is to control physical as well as digital infrastructure to achieve dominance of future global logistics and supply chains. The vanguard of this twenty-first-century conquest is China’s state-owned and state-sponsored enterprises, including telecommunications, port management, and shipping companies. Democratic, free-market economies continue to furnish the CCP with “rope” as China has set about acquiring a global maritime infrastructure that complements its control of communications infrastructure. China has targeted EU countries and other U.S. allies such as Israel for control of ports. And many of these ports under Chinese control, such as Antwerp, Trieste, Marseille, and Haifa, are located near clusters of scientific and industrial research facilities. By 2020, according to China’s Ministry of Transport, fifty-two ports in thirty-four countries were managed or constructed by Chinese companies, and that number was growing.20
The United States and other nations are at a disadvantage due to a failure to understand China’s ambition holistically and the growing cultural, philosophical, and business process gap between their national security communities and innovation ecosystems such as Silicon Valley. That cannot continue. In the United States, tech executives and senior government officials are beginning to acknowledge that their lack of cooperation has helped shift power from free societies and free-market economic systems to closed, authoritarian systems. They have identified three obstacles to cooperation: the misalignment of government and business processes, a lack of understanding among scientists and engineers concerning the security implications of technological competitions, and the difficulty of moving people between public- and private-sector positions. Overcoming those obstacles requires action. Organizations like the Defense Innovation Unit, which gives the U.S. Department of Defense a presence in Silicon Valley, is an organizational best practice that could easily be replicated.
The United States, China, and the European Union are all taking different approaches to the degree to which the state, companies, or individuals control data. The United States should work with like-minded countries on a policy that ensures access to needed data while safeguarding privacy and maintaining consumer trust. Free and open societies should have common standards for how their governments interact with the private sector and with one another when it comes to how data is managed and how it is collected, processed, stored, and shared.21 There is a growing rift between free and autocratic models of data governance. The United States and other free nations should agree on common standards consistent with their democratic principles.
* * *
SOME CHALLENGES require cooperation not only with allies and partners, but also with competitors and adversaries. Cooperation is necessary to prevent the spread or use of the most destructive weapons on earth. Halting the proliferation of nuclear weapons to hostile regimes like Iran and North Korea should be in all nations’ interests.
So should nuclear arms control agreements that put in place confidence-building measures critical for preventing a misunderstanding or miscalculation that could lead to the use of nuclear weapons. Arms control agreements and international conventions can limit nuclear stockpiles and arrest the development of, or eliminate, destabilizing classes of weapons such as chemical or biological weapons. The Chemical Weapons Convention of 1997 outlaws the production, stockpiling, and use of chemical weapons and their precursors. The New START treaty of 2010 between the United States and Russia reduced the number of strategic missile launchers each country had by half while also establishing a new inspection and verification regime. The Intermediate-Range Nuclear Forces (INF) Treaty of 1988 eliminated land-based intermediate-range nuclear weapons, but since 2014, Russia has violated the agreement, and China, which was not a signatory, has developed the prohibited missiles.
Obviously, an arms control agreement to which only one party adheres is an imaginary one. In 2017, the State Department let Russia know of the U.S. intention to withdraw from the INF in the hope of motivating the Kremlin to return to compliance. It did not work, and in February 2019 the Trump administration announced the U.S. withdrawal from the treaty, a decision I believed was right and long overdue. Concerns mounted that the New START, which expires in 2021, would suffer the same fate. By early 2020, it seemed that efforts to renew START and engage both Russia and China on a successor to the INF Treaty were strong possibilities. Arms control agreements that limit nuclear weapons and other weapons of mass destruction, if well monitored and enforced, besides helping to reduce the risk of the unimaginable, can make funds available for projects that benefit humanity rather than threaten us with Armageddon.
But as nuclear weapons and long-range missiles proliferate, missile defense becomes even more important for safeguarding the American homeland as well as allies and U.S. citizens overseas. In 2019, the Trump administration completed a missile defense review that concluded that there was a need for significant investment in improving homeland and regional missile defense. It should not be controversial to support science and technology research programs to deliver cost-effective solutions to expanding missile threats. As the 2019 review directed, these solutions should integrate “offensive and defensive capabilities for deterrence” and ensure the ability to “intercept missiles in all phases of flight after launch.”22