The U.S. was conducting cyber warfare long before it became an operational domain under the NSA (a branch within the DOD). Thanks to Edward Snowden, the details of a successful and infamous U.S. intelligence cyber campaign against Iran have become well known. But where do we stand today? Is the U.S. announcement that cyber warfare is now a formalized military strategy with budgets, manpower, and multiple initiatives a good idea? And while the U.S. may have experienced recent success in offensive cyber warfare, how well equipped are we to defend ourselves against our foes in this domain?
In April of 2104, we learned that Russian hackers reportedly obtained some of President Obama’s emails when the White House’s unclassified computer system was hacked. Reports now indicate that the cyber breach was significantly more intrusive than originally thought. White House officials claimed no classified networks were compromised.
The New York Times reported that Obama’s emails were obtained by Russian hackers – presumably linked to the Russian government. The intrusion was of such a serious nature that officials met almost every day for several weeks afterwards to discuss the ramifications and necessary future precautions.
The Russian breach made headlines, but China currently appears to be even more aggressive (and/or successful)—escalating cyber attacks that have resulted in the illegal acquisition of massive amounts of sensitive U.S. government personnel information (via hacking the Office of Personnel Management computer network) and military data. Analysts say China’s effort to capture the personal information of 4 million current and former federal employees (including hundreds of thousands with security clearances as well as intelligence operators) constitutes the largest security breach in U.S. history.
The Obama administration estimates that Chinese hackers are responsible for more than 30,000 cyber-attacks in recent years as part of an enormous military-industrial spy program. More than 500 of those attacks resulted in significant access to Defense Department computer systems. China has obtained details of the F-35 Joint Strike Fighter’s tightly guarded stealth radar and engine propulsion designs, as well as access to the U.S. Transportation Command’s Single Mobility System, which is used to coordinate troop and equipment deployments during military operations.
While the Pentagon may have proven its capacity to develop cyber attacks and exploit cyber vulnerabilities against our foes, it appears far less capable of defending against attacks directed at the U.S. government and the private sector. Excuse making aside, there are a few reasons for this:
In an industrialized nation like the U.S., the threats presented are simply too vast. The private sector owns and operates approximately 90% of the infrastructure that comprises the abstract world of cyberspace and thus requires the defense of these networks to be a cooperative endeavor between private companies and the U.S. government.
As a massive industrialized nation, the U.S. is far more vulnerable than one might imagine. Many U.S. companies rely heavily (or exclusively) on their Internet business to generate revenue, so the impact of cyber attacks is far greater on economically and technologically developed countries. These attacks can be mounted from any locale and are far less expensive “missions” than other clandestine operations. A few people with relatively little money can launch an attack with devastating effect, but investigating that attack is much more expensive, complex, and time-consuming.
The nature of the cyber-attacks—particularly from China, Russia, North Korea and Iran—is asymmetric. For example, in North Korea there are only 1,000 unique ISPs. With such control exercised over Internet traffic, North Korea is a smaller target and better equipped to fend off attacks across a small playing field. Contrast the freedom of information in those nations with Defense Secretary Ash Carter’s objective, “keeping the internet open, secure and prosperous, and assuring that the nation continues to respect and protect the freedoms of expression, association and privacy that reflect who we are as a nation.”
To discourage attacks on the U.S., our government has threatened criminal prosecution, economic sanctions, and military action (since the 2011 declaration that cyber-attacks constitute an act of war). But this new emphasis on deterrence may ring hollow with our geopolitical foes, as the Pentagon also announced (almost simultaneously) its new cyber-security strategy—that the U.S. military plans to use cyber-warfare as an option in conflicts with enemies.
Defense Secretary Carter spent several days in Silicon Valley in April (where he announced the new strategy) seeking to build stronger partnerships between the government and reputable private-sector security researchers such as FireEye, Crowdstrike, HP and others to improve his department’s ability to respond to cyber-attacks.
In the final analysis, strong and capable cyber warfare resources are a vital security mechanism across the 21st century battlefield. In the coming years, look for a consortium of stakeholders collaborating to develop and manage a broad and layered security protocol that better protects sensitive information within the government and private sector. Or, expect mass chaos as our enemies continue their cyber-attacks. Imagine a cyber-attack on the NYSE; now imagine the resulting panic. How does your 401k look then?