The Pentagon is set to unveil its new strategy for dealing with cyber attacks. Because the cyber world now touches every aspect of our lives, the debate on what our cyber strategy should be has become one of the most important debates of its kind in our history.
We must develop a cyber strategy that leverages all the elements of national power. I’m afraid that the new cyber strategy will not go far enough. A few institutional fixes could remedy this shortfall and help us achieve our strategic goals.
Our bureaucratic structures must be reformed so that our responses to cyber attacks can be lightning fast and lethally effective. To that end, we must ensure that our cyber intelligence analysts and cyber warriors are trained to the highest standards and that only the most skilled and imaginative among them are promoted. We must ensure the Department of Homeland Security’s cyber security efforts are joined with those of the Department of Defense, so that responses to attacks emanating from both domestic and foreign sources can be dealt with expeditiously.
We must reform our legal framework for dealing with cyber crimes and cyber attacks. We must realize that computers can be both instruments of crime as well as weapons of war. Finally, from a warfighting perspective, we must recognize that cyber is its own unique domain. Just like land, sea, air and space are domains of warfare, we must extend the same recognition to the cyber world. Only when we accord domain status to the cyber world and recognize its unique properties will we be able to begin crafting a strategy that protects our interests in that world and safeguards our access to it. Without these fixes, no cyber strategy will adequately protect us.
The new strategy will seek to provide the US with a menu of response options for such attacks. Which response option is selected would depend on the severity of the attack. Just because the initial attack occurred in cyber space, the new strategy would not confine our response to the cyber realm. If we proved that an attack on our cyber infrastructure emanated from a particular country we could, for example, decide to bomb a key installation there. In essence, the new strategy is akin to the Kennedy Administration’s doctrine of “Flexible Response”, which governed our interactions with the Soviet Union during part of the Cold War. While it is a necessary tenet of any good strategy to give policymakers flexibility, the question remains whether or not the new strategy is sufficiently forward-thinking for it to be of any practical use in the world we find ourselves in.
Everything from the flow of goods and services, to banking, to the provision of healthcare, to the distribution of power, up to and including our national security, is enabled by unfettered access to the cyber realm. If that access were ever denied, life as we now know it would cease. The new strategy must seek to protect us from such a calamity and provide us the means to overcome any denial or disruption to the cyber realm. The effectiveness of the new strategy should be measured against real-world events.
Take the case of Estonia. Once this nation re-asserted its independence from Russia, the country rapidly developed a modern capitalist economy that became heavily dependent on a cyber-based backbone. Practically all banking transactions and government services were conducted via the Web. Tensions with ethnic Russians still living in Estonia remained high and reached a boiling point once the Estonians decided to move a statue honoring Soviet soldiers from the center of Tallinn to a Russian cemetery. In retaliation, Russian hackers (almost certainly with Russian government support) attacked the nation’s cyber infrastructure, bringing the banking and governmental functions Estonian society depended on to a standstill. Will the new cyber strategy protect us from similar attacks? And, if the attack is successful in spite of our best efforts, would we be able to marshal a meaningful response?
Unfortunately, these are not simply theoretical discussions. As Defense Secretary Leon Panetta has stated, the US cyber infrastructure is under attack “thousands of times” a day. Secretary Panetta has warned of a “cyber Pearl Harbor” if we do not act now to protect and defend the critical elements of our national infrastructure. A more apt historical comparison would be the fall of Singapore in World War II. Although the British had built a $500 million naval base just a few years earlier, the Japanese Imperial Army surprised the city’s defenders by entering via the “back door” of the Malaysian Peninsula.
Today we have to thoroughly understand what our “back door” cyber vulnerabilities really are. We have to craft tough, impregnable defenses that can protect multiple vulnerabilities at once. Once those defenses are breached, we have to be nimble enough to create new ones in a continual effort to stay ahead of those who would do us harm. In Singapore, the British were defeated because they were deftly outmaneuvered by an innovative enemy. Their unimaginative, bureaucratically hide-bound military leaders could not even conceive of the audacious strategy employed by the Japanese. That is precisely the danger that confronts us today in the cyber realm.
Cedric Leighton, a career Air Force intelligence officer, retired last year as a colonel. He is president of Cedric Leighton Associates, a Washington, D.C. strategic risk consultancy.