Cyber War: The Next Threat to National Security and What to Do About It
While the United States very likely possesses the most sophisticated offensive cyber war capabilities, that offensive prowess cannot make up for the weaknesses in our defensive position. As former Admiral McConnell has noted, “Because we are the most developed technologically—we have the most bandwidth running through our society and are more dependent on that bandwidth—we are the most vulnerable.” We have connected more of our economy to the Internet than any other nation. Of the eighteen civilian infrastructure sectors identified as critical by the Department of Homeland Security, all have grown reliant on the Internet to carry out their basic functions, and all are vulnerable to cyber attacks by nation-state actors. Contrast this with China. While China has been developing its offensive cyber capability, it has also focused on defense. The PLA’s cyber warriors are tasked with both offense and defense in cyberspace, and unlike in the case of the U.S. military, when they say defense, they mean defense of the nation, not just defense of the military’s networks. While I do not advocate an expanded role for the Pentagon in protecting civilian systems in the U.S., there is no other agency or arm of the federal government that has taken on that responsibility. In light of the eschewing of regulation that began in the Clinton Administration and has continued through the Bush Administration and into the Obama Administration, the private sector has not been required to improve security, nor has the government stepped in to actively take on the role. In China, the networks that make up the Chinese Internet infrastructure are all controlled by the government through direct ownership or very close partnership with the private sector. There are no debates about the cost of security when Chinese authorities demand new security measures. The networks are largely segmented between government, academic, and commercial use. 
The Chinese government has both the power and the means to disconnect China’s slice of the Internet from the rest of the world, which it may very well do in the event of a conflict with the United States. The U.S. government has no such authority or capability. In the U.S., the Federal Communications Commission has the legal power to regulate, but it has largely chosen not to do that. In China, the government can set and enforce standards, but it also goes many steps further.
The “Internet” in China is more like the internal network of a company, an intranet. The government is the service provider and therefore in charge of the network’s defense. In China, the government is actively defending the network. Not so in the United States. In the U.S., the government’s role is at least one step removed. As mentioned briefly in chapter 2, China’s much-discussed Internet censorship, including “the Great Firewall of China,” can also provide security advantages. The technology that the Chinese use to screen e-mails for speech deemed illegal can also provide the infrastructure to stop malware. China has also invested in developing its own proprietary operating system that would not be susceptible to existing network attacks, though technical problems have delayed its implementation. China launched and then temporarily halted an effort to install software on all computers in China, software allegedly meant to keep children from gaining access to pornography. The real intent, most experts believe, was to give China control over every desktop in the country. (When word of the plan got out in the hacker community, they quickly found vulnerabilities that could have given almost anyone control over the system, and the Chinese promptly delayed the program.) These efforts show how seriously the Chinese take their defense, as well as the direction their efforts are headed. China, meanwhile, remains behind the United States in the automation of its critical systems. Its electric power system, for example, relies on control systems that require a large degree of manual control. This is an advantage in cyber war.
MEASURING CYBER WAR STRENGTH
It would be great if the only thing we had to take into account in measuring our cyber war strength was one factor, our ability to attack other nations. If that were the only consideration, the United States might do really well when compared to other nations. Unfortunately for us, a realistic measurement of cyber war strength also needs to include an assessment of two other factors: defense and dependence. “Defense” is a measure of a nation’s ability to take actions under attack, actions which will block or mitigate the attack. “Dependence” is the extent to which a nation is wired, reliant upon networks and systems that could be vulnerable in the event of cyber war attack.
To illustrate how these three factors (offense, defense, and dependence) interact, I have created a chart. The chart assigns scores to several countries for each of the three factors. Quibblers will argue with the overly simplistic methodology: I gave each of the three measures equal weight and then added the three scores together to get an overall score for a nation. The scores assigned to each nation are based on my assessment of their offensive power, their defensive capability, and the extent to which they are dependent on cyber systems. There is one counterintuitive aspect to the chart: the less wired a nation is, the higher its score on the dependence ranking. Being a wired nation is generally a good thing, but not when you are measuring its ability to withstand cyber war.
OVERALL CYBER WAR STRENGTH
Nation | Cyber Offense | Cyber Dependence | Cyber Defense | Total
U.S. | 8 | 2 | 1 | 11
Russia | 7 | 5 | 4 | 16
China | 5 | 4 | 6 | 15
Iran | 4 | 5 | 3 | 12
North Korea | 2 | 9 | 7 | 18
The results are revelatory. China has a high “defense” score, in part because it has plans and capability to disconnect the entire nation’s networks from the rest of cyberspace. The U.S., by contrast, has neither the plans nor the capability to do that because the cyber connections into the U.S. are privately owned and operated. China can limit cyberspace utilization in a crisis by disconnecting nonessential users. The U.S. cannot. North Korea gets a high score for both “defense” and “lack of dependence.” North Korea can sever its limited connection to cyberspace even more easily and effectively than China can. Moreover, North Korea has so few systems dependent upon cyberspace that a major cyber war attack on North Korea would cause almost no damage. Remember that cyber dependence is not about the percentage of homes with broadband or the per capita number of smart phones; it’s about the extent to which critical infrastructures (electric power, rails, pipelines, supply chains) are dependent upon networked systems and have no real backup.
When you think about “defense” capability and “lack of dependence” together, many nations score far better than the U.S. Their ability to survive a cyber war, with lower costs, compared to what would happen to the U.S., creates a “cyber war gap.” They can use cyber war against us and do great damage, while at the same time they may be able to withstand a U.S. cyber war response. The existence of that “cyber war gap” may tempt some nation to attack the United States. Closing that gap should be the highest priority of U.S. cyber warriors. Improving our offensive capability does not close the gap. It is impossible to reduce our dependence on networked systems at this point. Hence, the only way we can close the gap, the only way we can improve our overall Cyber War Strength score, is to improve our defenses. Let’s take a look at how we might do that.
CHAPTER FIVE
TOWARD A DEFENSIVE STRATEGY
Military theorists and statesmen, from Sun Tzu to von Clausewitz to Herman Kahn, have for centuries defined and redefined military strategy in varying ways, but they tend to agree that it involves an articulation of goals, means (broadly defined), limits (perhaps), and possibly sequencing. In short, military strategy is an integrated theory about what we want to do and how, in general, we plan to do it. In part because Congress has required it, successive U.S. administrations have periodically published a National Security Strategy and a National Military Strategy for all the world to read. Within the military, the U.S. has many substrategies, such as a naval strategy, a counterinsurgency strategy, and a strategic nuclear strategy. The U.S. government has also publicly published strategies for dealing with issues wherein the military plays only a limited role, such as controlling illegal narcotics trafficking, countering terrorism, and stopping the proliferation of weapons of mass destruction. Oh yes, there is also that National Strategy to Secure Cyberspace dating back to 2003; but there is no publicly available cyber war strategy.
In the absence of a strategy for cyber war, we do not have an integrated theory about how to address key issues. To prove that, let’s play Twenty Questions and see if there are agreed-upon answers to some pretty obvious questions about how to conduct cyber war:
What do we do if we wake up one day and find the western half of the U.S. without electrical power as the result of a cyber attack?
Is the advent of cyber war a good thing, or does it place us at a disadvantage?
Do we envision the use of cyber war weapons only in response to the use of cyber war weapons against us?
Are cyber weapons something that we will employ routinely in both small and large conflicts? Will we use them early in a conflict because they give us a unique advantage in seeking our goals, such as maybe effecting a rapid end to the conflict?
Do we think we want to have plans and capabilities to conduct “stand-alone” cyber war against another nation? And will we fight in cyberspace even when we’re not shooting at the other side in physical space?
Do we see cyberspace as another domain (like the sea, airspace, or outer space) in which we must be militarily dominant and in which we will engage an opponent while simultaneously conducting operations in other domains?
How surely do we have to identify who attacked us in cyberspace before we respond? What standards will we use for these identifications?
Will we ever hide the fact that it was us who attacked with cyber weapons?
Should we be hacking into other nations’ networks in peacetime? If so, should there be any constraints on what we would do in peacetime?
What do we do if we find that other nations have hacked into our networks in peacetime? What if they left behind logic bombs in our infrastructure networks?
Do we intend to use cyber weapons primarily or initially against military targets only? How do we define military targets?
Or do we see the utility of cyber weapons being their ability to inflict disruption on the economic infrastructure or the society at large?
What is the importance of avoiding collateral damage with our cyber weapons? How might avoiding it limit our use of the weapons?
If we are attacked with cyber weapons, under what circumstances would, or should, we respond with kinetic weapons? How much of the answer to this question should be publicly known in advance?
What kind of goals specific to the employment of cyber weapons would we want to achieve if we conducted cyber war, either in conjunction with kinetic war or as a stand-alone activity?
Should the line between peace and cyber war be brightly delineated, or is there an advantage to us in blurring that distinction?
Would we fight cyber war in a coalition with other nations, helping to defend their cyberspace and sharing our cyber weapons, tactics, and targets?
What level of command authority should authorize the use of cyber weapons, select the weapons, and approve the targets?
Are there types of targets that we believe should not be attacked using cyber weapons? Do we attack them anyway if similar U.S. facilities are hit first by cyber or other weapons?
How do we signal our intentions with regard to cyber weapons in peacetime and in crisis? Are there ways that we can use our possession of cyber weapons to deter an opponent?
If an opponent is successful in launching a widespread, disabling attack on our military or on our economic infrastructure, how does that affect our other military and political strategies?
Didn’t do too well finding the answers anywhere in U.S. government documents, congressional hearings, or officials’ speeches? I didn’t, either. To be fair, these are not easy questions to answer, which is, no doubt, part of the reason they have not yet been knitted together into a strategy. As with much else, how one answers these and other questions will depend upon one’s experience and responsibilities, as well as the perspective that both create. Any general would like to be able to flip a switch and turn off the opposing force, especially if the same cannot be done to his forces in return. Modern generals know, however, that militaries are one of many instruments of the state, and the ultimate success of a military is now judged not just by what it does to the opponent, but by how well it protects and supports the rest of the state, including its underpinning economy. Military leaders and diplomats have also learned from past experiences that there is a fine line between prudent preparation to defend oneself and provocative activities that may actually increase the probability of conflict. Thus, crafting a cyber war strategy is not as obvious as simply embracing our newly discovered weapons, as the U.S. military did with nuclear weapons following Hiroshima.
It took a decade and a half after nuclear weapons were first used before a complex strategy for employing them, and, better yet, for not using them, was articulated and implemented. During those first years of the nuclear weapons era, accidental war almost occurred several times. The nuclear weapons strategy that eventually emerged reduced that risk significantly. Nuclear war strategy will be referenced a lot in this and the next chapter. The big differences between cyber war and nuclear war are obvious, but some of the concepts developed in the creation of nuclear war strategy have applicability to this new field. Others do not. Nonetheless, we can learn something about how a complex strategy for using new weapons can be developed by reviewing what went on in the 1950s and 1960s. And, where appropriate, we can borrow and adapt some of those concepts as we try to piece together a cyber war strategy.
THE ROLE OF DEFENSE IN OUR CYBER WAR STRATEGY
I asked at the beginning of this book: Are we better off in a world with cyber weapons and cyber war than in a theoretical world in which they never existed? The discussion in the ensuing chapters demonstrated, at least to me, that as things stand today the United States has gaping new vulnerabilities because others have cyber war capabilities. Indeed, because of its greater dependence on cyber-controlled systems and its inability thus far to create national cyber defenses, the United States is currently far more vulnerable to cyber war than Russia or China. The U.S. is more at risk from cyber war than are minor states like North Korea. We may even be at risk some day from nations or nonstate actors lacking cyber war capabilities, but who can hire teams of highly capable hackers.
Put aside for the moment the question of how it would start and consider a U.S.-Chinese cyber war as an example. We might have better offensive cyber weapons than others, but the fact that we might be able to turn off the Chinese air defense system will give most Americans limited comfort if in some future crisis the cyber warriors of the People’s Liberation Army have kept power off in most American cities for weeks, shut the financial markets by corrupting their data, and created food and parts shortages nationwide by scrambling the routing systems at major U.S. railroads. Although much of China is highly advanced, a lot of it is still far from dependent upon networks controlled in cyberspace. The Chinese government may also have to worry less about temporary inconveniences experienced by its citizens or the political acceptability of measures it might impose in an emergency.
Net/net, cyber war puts America at a disadvantage right now. Whatever we can do to “them,” chances are they can do more to us. We need to change that situation.
Unless we reduce our vulnerabilities to cyber attack, we will suffer from self-deterrence. Our knowing about what others could do to us may create a situation in which we are reluctant to use our superiority in other areas, like conventional weapons, in situations where it might be warranted for us to get involved. Other nations’ cyber weapons may deter us from acting, not just in cyberspace but in other ways as well. In future scenarios, like ones involving China and Taiwan, or China and the offshore oil dispute, will an American President really still have the option of sending carrier battle groups to prevent Chinese action? What President would order the Navy into the Taiwan Straits, as Clinton did in 1996, if he or she thought that a power blackout that had just hit Chicago was a signal and that blackouts could spread to every major American city if we got involved? Or maybe the data difficulties the Chicago Mercantile Exchange might have just experienced could happen to every major financial institution? Worse yet, what if the Chairman of the Joint Chiefs tells the President that he does not really know whether the Chinese can launch a damaging cyber attack that would leave the carrier battle group sitting helpless in the water? Would the President run the risk of deploying our naval superiority if trying to do so might only demonstrate that an opponent can shut down, blind, or confuse our forces?
The fact that our vital systems are so vulnerable to cyber war also increases crisis instability. As long as our economic and military systems are so obviously vulnerable to cyber war, they will tempt opponents to attack in a period of tensions. Opponents may think that they have an opportunity to reshape the political, economic, and military balance by demonstrating to the world what they can do to America. They may believe that the threat of even greater damage will appear credible and will prevent a U.S. response. Once they do launch a cyber attack, however, the U.S. leadership may feel compelled to respond. That response might not be limited to cyberspace, and the conflict could quickly escalate and get out of control.