The head of the UN agency on information technology fears “the next world war could happen in cyberspace.” In fact, if the actions of power-projecting countries like China and Russia—and for that matter, the United States—are any indication, that war in cyberspace may already be underway.
To prevent cyber-skirmishes from triggering real-world conflicts, several nations are calling on the UN to “create norms of accepted behavior in cyberspace [and] exchange information on national legislation and cyber-security strategies,” as The Washington Post recently reported. But given that two of the governments calling for cyber-cooperation are Russia and China—each guilty of some of the most egregious cyber-assaults to date—the UN’s plan for cyber-peace in our time probably won’t deliver much.
A more likely source of peace and security in this new frontier is developing the assets, doctrine and resolve to deter and, if necessary, answer in kind cyberattacks. The U.S. military and its closest allies are doing just that. President Ronald Reagan might have called it “cyber-peace through cyber-strength.”
A New Domain
To get a sense of how important cyberspace is to the United States and its military, think of this invisible domain as a part of the global commons, just like the sea, sky and space. Indeed, Gen. Keith Alexander, commander of U.S. Cyber Command (CYBERCOM), likens “freedom of action in cyberspace in the 21st century” to “freedom of the seas…in the 19th century and access to air and space in the 20th century.”
That helps explain why the Bush and Obama administrations have made cyber defense a top priority.
President George W. Bush, who called cyberspace “the nervous system” of America’s critical infrastructure, launched the Comprehensive National Cybersecurity Initiative, which committed some $30 billion to strengthening government networks. Bush also initiated a series of readiness exercises under the Department of Homeland Security. These “Cyber Storm” exercises test the ability of industry, government, allied partners and the U.S. military to weather cyberattacks.
However, the Bush administration refused to stay on the defensive in cyberspace. In 2006, Bush authorized the so-called “Olympic Games” cyber attacks against computer systems that run Iran’s nuclear program. The Obama administration eagerly continued the effort, which included the now-famous Stuxnet computer worm.
Taking the baton—or mouse, as it were—from his predecessor, President Barack Obama created a special White House office to coordinate cybersecurity. He also stood up CYBERCOM in 2010, in a clear sign of the Pentagon’s expanding role in this new and mysterious area of operations. And he gave the Pentagon a green light to treat cyberspace like any other military domain, authorizing Alexander’s cyber warriors to develop capabilities to “deceive, deny, disrupt, degrade and destroy” enemy information systems. Toward that end, the Pentagon is spending $3.4 billion this year on offensive and defensive cyber-technologies.
Obama also has pressed lawmakers to pass the Cybersecurity Act, which is currently pending in Congress. Although the bill has its critics, its goals are laudable: implementing cyber response and restoration plans, exploring U.S. vulnerabilities in cyberspace, identifying critical infrastructure, updating information security requirements, promoting cyber-security awareness nationwide, developing new technologies to defend against cyber attacks, promoting cooperation across agencies and between government and industry, and training new generations of cyber security professionals.
That last item is crucial. According to Rep. Jim Langevin, “We only have about a thousand people that can operate at world-class levels in cyberspace. What we need is more like 20,000 or 30,000 people.”
Indeed, Gen. James Cartwright (USMC RET) has warned that “Unlike the air, land and sea domains, we lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battle-space.”
He was speaking not so much to the military as to policymakers and the public at large. Cyberspace is a vast, ungoverned and largely unguarded frontier that provides America’s enemies—from anarchist hacker groups like Anonymous to terrorist syndicates like al Qaeda to near-peer competitors like China and Russia—with access to the nervous system that controls the U.S. economy and military.
Given the risks, U.S. military leaders recently recommended the elevation of CYBERCOM to full combatant command status. That makes sense. But there’s more to do.
Cyber-Offense in Action
“We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us,” according to Alexander. Perhaps some of those capabilities were put on display with Stuxnet.
Launched sometime in 2008, Stuxnet sabotaged the computers running Iran’s uranium-enrichment program and centrifuges. Once it found its intended target, Stuxnet quietly ripped through Iran’s nuclear program. For 17 months, it targeted the operating systems running the program; tricked centrifuges into running faster than normal, then abruptly slowed them down; and corrupted the uranium that was produced. An Institute for Science and International Security study cited by Newsweek concludes that Stuxnet crippled Iran’s ability to activate new centrifuges throughout 2009; at least 1,000 centrifuges “simply broke down”; and 30,000 computers supporting Iran’s nuclear program were disabled.
Stuxnet became the first major cyberattack “used to effect physical destruction,” as Michael Hayden, Bush’s CIA director explained. According to Ralph Langner, an expert in industrial computer systems, Stuxnet “was as effective as a military strike.” He has compared Stuxnet to “the arrival of an F-35 into a World War I battlefield.”
The good news for Iran’s enemies is that Stuxnet set back Iran’s nuclear program several years, perhaps delaying an Iranian bomb to 2015. The bad news, the critics warn, is that if a cyber-smart bomb like Stuxnet can be deployed against the nascent nuclear infrastructure of America’s enemies, it can surely be deployed against the highly networked military and civilian infrastructure of the United States.
While this is a real possibility, it ignores two important realities. First, the enemy is already working on cyber-weapons and will employ them against the U.S.—and already has—regardless of what America’s cyber warriors do. Second, the United States develops weapons systems for a purpose: to defend the country and serve the national interest. Sometimes this is achieved by the mere existence of a weapons system. But at other times, defending the nation depends on deploying a weapons system.
To be sure, policymakers should contemplate the broader implications of cyber-weapons like Stuxnet, but weapons systems are about dealing with here-and-now threats. Consider President Harry Truman’s decision to use atomic weapons against Japan. Although it opened the door to the unthinkable during the Cold War, it served U.S. interests in 1945.
Without a Net
Speaking of the Cold War, to defend America in the Cyber Age, policymakers should borrow a page or two from the early days of the Atomic Age.
The atomic bomb changed the calculus, costs, and consequences of great-power conflict. So, Washington built a military that could fight and win in an era of nukes and ICBMs; formed a web of alliances to deter war; made it clear that the U.S. would respond with “massive retaliation” in the event of war; and developed continuity plans to ensure the survival of the republic. President Dwight Eisenhower, for instance, cited continuity, civil defense and national security in rallying support for the interstate highway system: “In case of an atomic attack on our key cities, the road net must permit quick evacuation of target areas, mobilization of defense forces and maintenance of every essential economic function.”
In the same way, Americans must forge a cyber defense doctrine that will protect the nation’s critical infrastructure, prepare for worst-case scenarios, deter catastrophic cyber attacks, mitigate the effects of low-grade cyber attacks and enable the military to conduct operations in cyberspace.
Today, as in the Atomic Age, deterring the enemy is an important goal. As we learned during the Cold War, preparedness itself can have a deterrent effect. Cyber Storm exercises—which enfold dozens of private-sector firms and partner countries—send an important readiness message to our enemies by highlighting capabilities and testing system resiliency. Likewise, the military’s Cyber Flag exercises—named after Red Flag, which hones the skills of fighter pilots—bring together cyber-components from each military branch to engage in “realistic and intense simulated cyber-combat against live opposition.”
To assist the warfighters in their deterrence mission, it would be helpful for the policymakers to let it be known that the U.S. will view a cyber attack on critical infrastructure in the same way as a traditional military attack. It’s worth noting that Russian military officials argue that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”
Of course, deterrence doesn’t work on most non-state actors, as 9/11 taught us. And since cyberspace provides anonymity, even those nation-states that are deterred in the realm of B-2 bombers and M-1 tanks might be tempted to strike in the realm of code and data. For those times when deterrence fails, the U.S. must be able and willing to go on the offensive. Toward that end, top military planners are engaged in an effort “to dominate the digital battlefield just like they do the traditional battlefield,” according to one cybersecurity expert. “Plan X,” as it’s ominously called, is a DARPA research effort aimed at creating a map of everything in cyberspace—all the billions of computers, devices and related networks that make up this ever-growing invisible domain. “Such a map would help commanders identify targets and disable them using computer code,” as a Washington Post report explains.
As attacks are launched against America’s swath of cyberspace, U.S. intelligence will need to trace and, where applicable, establish links between nation-states and cyber attacks emanating from their territory. Even if independent actors are responsible for a cyber attack, they still operate within a country—and governments are obligated to police what happens within their borders. Allied cooperation will be important in this effort. After Web War I in Estonia, NATO formed a center to help member states “defy and successfully counter” cyberattacks. NATO conducted Operation Locked Shields this year to test the allies’ ability to do just that.
Finally, Washington must explore the feasibility of developing new redundancies—or dusting off old ones—that don’t depend on cyberspace. It pays to recall that not long ago, we delivered essential services—we even defended a nation—without the Internet.