One of the most disturbing aspects of our nation’s current response to cyber attacks is a creeping passivity that permeates discussions surrounding the topic. Fueled by less-than-robust, defense-oriented national and DoD cyber strategies, some of the leading voices in the US’s national security establishment seem to have given up the fight without even entering the arena. Such attitudes are not only counter-productive, they undermine our current cyber security efforts as well as the nation’s security as a whole. There is plenty the nation can do to secure its cyber infrastructure and those efforts should be championed by the national security establishment.
It is certainly true that our cyber infrastructure needs to be better protected. Numerous studies have pointed to vulnerabilities within both governmental and private sector IT networks that could be exploited by those wishing to do us harm. The sheer number and severity of recent hacking and phishing incidents is worrisome enough. Therefore, the idea that there should be uniform cyber security guidelines for both private and public elements of the critical national infrastructure has merit. There should be a public-private partnership to craft and enforce these guidelines. Current cyber security efforts by the government and the private sector are only beginning to address this problem.
While the Department of Homeland Security has the lead responsibility for domestic cyber security, the Department of Defense also has a significant role to play both in protecting the homeland and in integrating the cyber component into our offensive and defensive military capabilities. To be sure, the new DoD cyber strategy unveiled this summer discusses how the military can help protect the nation’s IT infrastructure. However, this so-called strategy has one fatal flaw. It completely omits any discussion of offensive cyber capabilities that could be brought to bear on an adversary and it (at least in its unclassified form) does not provide a strategic foundation for the military to develop a sound cyber doctrine. In short, the DoD cyber strategy is one in name only. It does not tie the ends we seek with the ways and means we hope to use to achieve those ends.
That brings me to a meeting of cyber security experts held earlier this week in Washington. Among the attendees was Richard Clarke, former counterterrorism advisor to three past presidents and a cyber security advisor to former President George W. Bush. During the conference, Mr. Clarke commented that any National Security Advisor worth his or her salt would warn the President that we could not attack other countries “because so many of them – including China, North Korea, Iran and Russia – could retaliate by launching devastating cyberattacks that could destroy power grids, banking networks or transportation systems.”
That would be like Secretary of War Henry Stimson telling FDR in the run-up to World War II that we couldn’t fight the Nazis because they had tanks and ours weren’t as good as theirs. One can only imagine how that would have gone over with the Greatest Generation.
Now, to be fair to Mr. Stimson, he would have never said such a thing. He was as much an anti-Nazi as anyone in Roosevelt’s administration. What, then, would prompt Mr. Clarke to assert that our cyber vulnerabilities are so bad that we could not risk attacking another country? More importantly, does he have a point?
Mr. Clarke certainly knows how vulnerable our national infrastructure is to cyber attacks. Our banking system, power grid, transportation system and other aspects of our infrastructure are quite vulnerableto those attacks. A failure of one or more of these infrastructure components would have significant implications for our nation’s security and our way of life. In certain cases it could even result in mass casualties among the civilian population.
For the military, the loss of its ability to communicate via satellite, to use GPS, or to gather and fuse intelligence using cyberspace would be devastating as well. The potential loss of these capabilities could change the way America wages war – and not for the better.
All of this is true, especially if nothing is done to protect our core national infrastructure. But, the fact is that much is being done both within the government and in the private sector to mitigate and, eventually, overcome these dangers.
It turns out the federal Government is actually working this issue. On the same day that Mr. Clarke made his assertions, the head of the Defense Advanced Research Projects Agency (DARPA), Regina Dugan, spoke of the need for the military to have “more and better options” to meet current and future cyber threats. Fully aware that many of the products we use in our daily lives depend on unfettered access to the cyber domain, DARPA is seeking to create the tools we need to ensure that continued unimpeded access.
Oddly, in a seeming contradiction, Mr. Clarke also spoke of punishing China and other nations who purportedly use cyber attacks “to steal high-tech American data.” The problem with that line of reasoning is that you cannot punish someone if you’re reluctant to use coercive force against them.
The implications of Mr. Clarke’s policy prescription of not being able to even threaten action against nations waging cyberwar against us would be devastating. Nations and non-state actors seeking to do us harm in cyberspace would, if we followed his advice, act with impunity against us. The nightmare scenario of our banking, transportation and other infrastructure systems not working would come to pass. A military overly reliant on GPS and other aspects of its cyber infrastructure would be rendered useless. The military, the rest of the government and the private sector need to develop ironclad responses and true “work-arounds” to actual and potential cyber attacks. We must develop a coherent national strategy to make these “work-arounds” possible and to employ them when necessary.
While we should not advertise our specific offensive cyber warfare capabilities, we should put potential adversaries on notice that there will be consequences to cyber attacks on our country. The key to our security in all dimensions of warfare (land, sea, air, space and cyber) is to ensure that such adversaries fear our potential reaction. That is why the military must develop redundant capabilities, some of them harkening back to the pre-cyber era, so as to ensure the flexibility of our responses. The more difficult it is for adversaries to predict what our reaction might be, the less willing they will be to put their own critical national infrastructure at risk.
These adversaries should know that our offensive cyber capabilities have the potential to wreak at least as much havoc on their IT infrastructure as they may plan to wreak on ours. Such a deterrent would give pause to rational state and non-state actors. but we also have to be prepared to deal with those who are undeterred, whether they are rational or irrational international actors. The development of a robust suite of offensive cyber capabilities is, therefore, a national imperative.
It may be instructive to think of cyberspace as being similar to the sea or to space. There is a “commons” to protect; an area shared by all nations that allows each of them freedom of navigation. It also facilitates travel and communication. A “commons” is often protected by a consortium of powers. We see this in the world’s reaction to the Somali pirates plying the Indian Ocean. Nations as diverse as the United States and China are working together to stop piracy in this region and to ensure freedom of navigation. That tells me that every effort should be made to establish agreed-upon international norms of behavior in cyber space. Once we achieve those, then the job of securing the cyber domain will become every nation’s responsibility.To get there, though, we need to show our resolve to protect our interests in this rapidly evolving domain.
It is absolutely imperative that we develop both offensive and defensive cyber capabilities to protect our national infrastructure. And we need to let those who attack us know we have the ability to cripple or destroy them. Waving the white flag of surrender because we fear what others may do to us in the cyber world is not an option. Acquiescing to international cyber bullies will only embolden them and it will harm our efforts to secure the cyber commons. Now is the time to craft the tools, policy and doctrine that will insure our unfettered access to cyberspace.
Cedric Leighton, a retired career Air Force intelligence officer, is now a consultant. He is president of Cedric Leighton Associates.