Cyberspace has been recognized as a new arena for competition among states ever since it came into existence. In the United States, there have long been warnings of a “cyber–Pearl Harbor”—a massive digital attack that could cripple the country’s critical infrastructure without a single shot being fired. Presidential commissions, military task force reports, and congressional investigations have been calling attention to such a risk for decades. In 1984, the Reagan administration warned of the “significant security challenges” of the coming information age. And just this year, Dan Coats, the director of national intelligence, said of such threats, “the lights are blinking red.”
Yet the Internet has always been much more than a venue for conflict and competition; it is the backbone of global commerce and communication. That said, cyberspace is not, as is often thought, simply part of the global commons in the way that the air or the sea is. States assert jurisdiction over, and companies claim ownership of, the physical infrastructure that composes the Internet and the data that traverses it. States and companies built the Internet, and both are responsible for maintaining it. Actions taken in the public sector affect the private sector, and vice versa. In this way, the Internet has always been hybrid in nature.
So, accordingly, is the real cyberwar threat. It turns out that for all the increasingly vehement warnings about a cyber–Pearl Harbor, states have shown little appetite for using cyberattacks for large-scale destruction. The immediate threat is more corrosive than explosive. States are using the tools of cyberwarfare to undermine the very foundation of the Internet: trust. They are hacking into banks, meddling in elections, stealing intellectual property, and bringing private companies to a standstill. The result is that an arena that the world relies on for economic and informational exchange has turned into an active battlefield.
To reverse this development, the United States and its allies will have to recognize what China, Iran, North Korea, and Russia already have: that state sovereignty is alive and well on the Internet. Washington must accept that the only way to restore trust is to hold those who abuse it accountable, both at home and abroad. It is time, then, for the United States to reassert leadership on the global stage and take greater responsibility for protecting the country’s communities, businesses, and government from digital threats. Leaving the market alone, as some have called for, will not do. What’s required is an inclusive, government-led approach that protects the public in an increasingly dangerous era.
THE NEW, NEW THREAT
Cyber-operations are emblematic of a new style of competition in a world where less power is concentrated in the hands of a single superpower. They are deniable and scalable, and suitable for war, peace, and much in between. In operation after operation, many of them hardly registered by the wider world, states are weaponizing the Internet.
As Russia’s attempts to meddle in the 2016 U.S. presidential election showed, it is now possible to undertake cyber-operations in support of a sophisticated campaign of covert influence. In a textbook information-warfare operation, Moscow hacked into e-mail accounts belonging to the Democratic National Committee and one of Hillary Clinton’s top aides, not only to collect intelligence but also to find embarrassing information to publicize. The hackers shared their trove of stolen e-mails with WikiLeaks, which released them to the public, driving negative media coverage of the Democratic candidate in the run-up to voting day. In the months before the election, Russian companies linked to the Kremlin also went on an ad-buying spree on Facebook and created an army of Twitter accounts backing Donald Trump, the Republican nominee. The Internet gave Russia’s security services the unprecedented ability to reach millions of American voters with propaganda.
Nations have also taken advantage of the Internet to launch asymmetric attacks when more traditional strategies were unavailable or unwise. Perhaps the best example of this type of operation occurred in 2014, when North Korea hacked into Sony Pictures’ network, destroyed its servers, and leaked confidential information in retaliation for the release of The Interview, a comedy depicting the assassination of North Korea’s leader, Kim Jong Un. For months, Sony Pictures had to operate by pen and paper as it rebuilt a functioning IT system. In a 2016 heist linked to North Korea, hackers managed to withdraw tens of millions of dollars from Bangladesh’s central bank, thus undermining the international campaign to isolate North Korea from the global economy.
In a similar vein, China is also engaging in Internet-enabled theft for economic advantage. For at least a decade, the country has stolen the intellectual property of countless foreign firms to gain the upper hand in economic negotiations and compensate for its lack of homegrown innovation. According to a 2017 report by the Commission on the Theft of American Intellectual Property, U.S. losses from intellectual property theft range from $225 billion to $600 billion per year, much of which can be blamed on China.
All these incidents occurred in a gray zone of conflict—below the threshold of outright war but above that of purely peacetime behavior. But states are increasingly drawing on cyber-capabilities during traditional military operations, too. During the 1999 NATO bombing of Yugoslavia, as the journalist Fred Kaplan has reported, a Pentagon unit hacked into Serbia’s air defense systems to make it appear as if U.S. planes were coming from a different direction than they really were. Many of the details remain classified, but U.S. officials have admitted that the Pentagon has also used cyberattacks in the fight against the Islamic State (or ISIS). In 2016, Robert Work, then the U.S. deputy secretary of defense, admitted that the United States was dropping “cyberbombs” on ISIS (although he did not elaborate on what that entailed). In at least one instance, such attacks forced ISIS fighters to abandon a primary command post and flee toward other outposts, thereby revealing their location.
Of course, it’s not just the United States that is using such tactics. During its invasion of Georgia in 2008, Russia employed denial-of-service attacks to silence Georgian television stations ahead of tank incursions to create panic. Almost certainly, Russia was also behind the 2015 hack of Ukraine’s electrical grid, which interrupted the power supply for some 225,000 customers. Now, dozens of militaries have established or are establishing cyber commands and are incorporating cyber-operations into official doctrine.
Military strategists have focused much of their attention on how online operations could affect combat outside cyberspace. In theory, at least—with no track record in a major war, it is too soon to tell for sure—cybertools give a military the ability to overcome physical distance, generate disruptive effects that can be turned off at a moment’s notice, and reduce collateral damage relative to even the most sophisticated conventional ordnance.
For the U.S. military, this represents a particularly acute risk. It is so reliant on the Internet that an attack on its command-and-control, supply, or communications networks could undermine its ability to project power overseas and leave forces disconnected and vulnerable. As William Lynn, then the U.S. deputy secretary of defense, revealed in this magazine, the Pentagon fell victim to a hacking attack undertaken by a foreign intelligence agency in 2008. The malware was eventually quarantined, but not before it made its way into classified military networks. A 2014 congressional investigation of the Pentagon’s Transportation Command revealed something else that many had long feared: U.S. adversaries were exploring how to threaten not just its important military networks but also its ability to move forces and materiel.
But given the unique nature of the online battlefield, the relevance of this trend extends beyond military operations, since civilians will likely suffer major collateral damage from attacks directed at governments. Imagine, for instance, that a cyberattack were launched against parts of the U.S. electrical grid in an attempt to cut off power to military bases. The malware used could spread beyond the intended targets to interrupt the power supply to the surrounding civilian population, making hospitals go dark, shutting down heating or cooling systems, and disrupting the supply chains for basic goods. This scenario is not so remote: in 2017, malware that was spread through a Ukrainian tax preparation software program (an attack presumably launched by Russia and intended to compromise Ukrainian companies) ended up catching Western firms in the crossfire. The Danish shipping conglomerate Maersk estimated its costs from the attack at between $200 million and $300 million.
In that case, many of the private companies affected were inadvertent victims, but in the future, states may increasingly threaten nonmilitary targets deliberately. Despite international law’s prohibition against targeting civilians on the battlefield, states are already doing so online. The bulk of Estonian society was knocked offline in a 2007 attack carried out by patriotic hackers tied to Russia, and South Korean banks and their customers were the target of a cyberattack in 2013, no doubt launched by North Korea.
To date, no one has produced evidence that anyone has ever died from a cyberattack, but that may change as more and more infrastructure that was once isolated, such as electrical grids and hospitals, goes online. Cars are connecting to WiFi and Bluetooth, and the Internet of Things is already penetrating the most private spaces of people’s homes. Some technologists are even promoting an “Internet of Bodies,” which envisions networked implants. All these devices are, or will soon be, targets.
These threats to the stable operation of the Internet mean that the trust that everyone places in it will erode even further, and people and governments may seek to wall themselves off. Many have tried “air-gapping” important systems—that is, physically isolating secure networks from the Internet—but the method is not foolproof. Air-gapped systems still need to receive outside software updates, and computer scientists have even shown that it is possible to “jump” the gap by way of acoustic resonance or radio frequencies. Some states have acted on the same impulse at the national level, trying to create their own separate internets, with mixed results. China’s Great Firewall is designed to limit what people can read online, but clever citizens can evade it. The same is true in Iran, where authorities have set up a restrictive “halal net.”
The many gaping vulnerabilities in cyberspace have long been obvious to governments and companies, but they have consistently failed to patch the holes. For decades, information sharing has been the clarion call, the idea being that the sooner potential victims are tipped off about impending threats and the sooner actual victims reveal how they have been compromised, the better defended the entire system will be. In practice, however, information sharing has taken hold only in certain sectors—in the United States, mostly among financial institutions and between defense contractors and the military. And these are exceptions: government and corporate cultures still disincentivize acknowledging a breach, which makes it more likely that others will remain vulnerable to attack.
In addition, companies have often resisted investing fully in cybersecurity, believing it cheaper to clean up a mess than to prevent it in the first place. But this hack-by-hack approach has resulted in devastating losses in the aggregate. Beyond the billions of dollars in intellectual property stolen from companies every year, there is also damage inflicted by the pilfering of defense secrets from military contractors and by the deep reconnaissance that adversaries have undertaken to understand critical infrastructure such as water and power systems—intrusions that have dealt the United States a strategic blow.
At the international level, Washington and over a dozen other governments have sought to fashion “rules of the road,” norms for conduct in cyberspace during peacetime. Both the G-7 and the G-20, for example, have issued joint statements committing their members to good behavior online. But despite the little consensus these efforts have reached, malicious conduct has continued unabated. These endeavors fall far short of what is really needed: a concerted diplomatic push to build a substantial coalition of like-minded states willing not just to sign on to these norms but also to impose serious economic and political costs on those who violate them.
Another effort has centered on public-private partnerships, through which government and industry can work together to secure the Internet and promote better behavior online. Building such partnerships is essential, but it is also difficult, as the two sides often have competing interests. For example, the U.S. government has pressed Facebook, Twitter, and YouTube to remove terrorist-related content and “fake news” from their sites, yet in complying, these companies have found themselves uncomfortable with acting as arbiters of good and bad content. What’s more, the technology sector is not a monolith: Apple, Facebook, Google, and Twitter have very different business models and approaches to such issues as data privacy and data sharing. Despite this complexity, the U.S. government cannot meaningfully enhance the nation’s cybersecurity by itself; it must work with the private sector.
What is needed most is leadership from the United States, which should work with governments that share its commitment to privacy, freedom, and stability in cyberspace. The first task is to go beyond merely naming and shaming hackers and their government backers and to set forth clear consequences for cyberattacks. For starters, the United States could assert that as a matter of policy, any cyberattacks that result in civilian harm will be treated as equivalent to comparable physical attacks and will be met with equally serious consequences. The perils of such redlines are no secret: too specific, and the adversary will press right up against the line; too vague, and the opponent will be left unsure about what conduct will trigger a response. Multiple administrations, both Democratic and Republican, have struggled with this challenge, and the specific message will undoubtedly evolve, but it is long past time for the United States to lead its allies in responding to online aggression more seriously. An obvious and long-overdue first step would be for the Trump administration to warn Russia against meddling in future U.S. elections and to spell out in no uncertain terms the consequences it could expect if it does so.
Since public declarations alone are unlikely to deter all nations from conducting cyberattacks, the United States must back up its threats by imposing real costs on perpetrators. That means not only developing offensive options, such as retaliatory cyberattacks, but also drawing on a broad array of national tools. For too long, officials have been unwilling to upset areas of policy that do not directly involve the Internet when responding to cyberattacks, but there is no reason the United States cannot punish an aggressor through, say, increased economic sanctions, tariffs, diplomatic isolation, or military pressure. Deterrence will not be established overnight, but demonstrating credibility through consequences will bolster it over time.
In the meantime, the United States needs to break through the conceptual block of looking at its own cyber-capabilities primarily as instruments of foreign surveillance. It can also use them judiciously to degrade its adversaries’ ability to perpetrate cyberattacks by hacking foreign hackers before they hack U.S. targets. The U.S. military and the FBI should proactively thwart imminent attacks, and Washington should work more aggressively with its partners abroad to form mutual cyberdefense pacts, in which countries pledge to come to one another’s aid in the event of a serious attack.
At home, the U.S. government needs to fundamentally rethink its approach to cyberdefense. Historically, the government has seen itself as responsible for protecting only government systems and has left everyone else to fend for themselves. That must change. Just as the federal government takes responsibility for protecting Americans from physical attacks, so must it protect them from digital ones. The United States can look to its close ally for inspiration: in 2016, the United Kingdom set up the National Cyber Security Centre, which is designed to protect both government and society from cyberattacks. The United States should set up something similar: a new cyberdefense agency whose purpose would be not to share information or build criminal cases but to help agencies, companies, and communities prevent attacks. One of its top priorities would have to be bolstering the resilience of the United States’ most critical systems—its electrical grid and emergency services chief among them. It could also work with state and local authorities to help them improve election security.
To be successful, this new organization would have to be an independent, cabinet-level agency, insulated from politics while subject to congressional oversight. Creating such an agency would require some painful reorganization within the executive branch and Congress, but continuing to rely on an outdated structure to achieve an ever-expanding set of cybersecurity objectives all but guarantees failure. It is not enough to merely raise the profile of cybersecurity within the Department of Homeland Security, as some have proposed, given how many competing priorities there are within that department. Creating a standalone agency would also enable that agency to change the culture of cybersecurity within the government, blending the spirit of innovation from the private sector with the responsibility of security from the government.
For the government to be an effective player in this space, it will have to do far more than reorganize: it will have to invest more in the appropriate human capital. To that end, it should create a program modeled on the Reserve Officer Training Corps, or ROTC, but for civilians interested in cyberdefense. Participating students would have their college or graduate school tuition paid for in exchange for a set number of years of government service. Washington should also create more opportunities for midcareer experts from technology hubs such as Silicon Valley to do a tour of service in the federal government. Not every computer engineer will want to contribute to national cyberdefense, of course, but the success of the U.S. Digital Service, a program created after the failure of HealthCare.gov that brings private-sector talent into the government, shows how much is possible.
The final challenge is to promote greater accountability in the technology sector for the products and services its companies put into the market. Just as the federal government regulates prescription drugs, mutual funds, electronics, and more, so should it ensure that when companies sell flawed services and products in the digital marketplace, those harmed can seek redress.
A CALL TO ACTION
Cyberspace has already become a domain of intense economic competition and information warfare, and states have begun testing the waters in preparation for weaponizing it during actual wars. The United States and its allies have responded to these rapidly changing realities far too slowly. For many in the U.S. government, cybersecurity has been seen as a matter for the IT help desk to address. But as new vulnerabilities crop up in nearly every corner of Americans’ lives and American infrastructure, it is more important than ever to safeguard the country against cyberattacks.
In 1998, L0pht, a security-minded hacking collective from Boston, testified before Congress about just how vulnerable the online world was. One of the group’s members warned that it would take any one of them just 30 minutes to bring down the entire Internet. Had such an attack come to fruition then, it would have been an annoyance. Today, it would be a catastrophe. Cyberattacks are not merely a problem for Americans, for businesses, or for governments. Everyone who values trust and stability online loses out if the threat grows. But with U.S. leadership, there is much that can be done to make these attacks happen less frequently and inflict less damage.