Preempt, Disrupt, Defeat Adversaries in Cyberspace
The United States has suffered yet another major cyber attack. On October 21, 2016, major corporations and the U.S. government’s servers fell under a malicious and widespread attack from hackers who are believed to have been associated with Russia. Several social media sites, the New York Times, and Spotify all suffered outages because of a Denial of Service (DoS) attack.
This is the most typical kind of cyber attack that nations engage in. Essentially, they overwhelm a server and force it to shut down. The U.S. is under constant cyber attack. The fact that the Russians may have done this is not surprising, either. They have constantly led the way in attacking America’s networks. The thing about cyber war, also, is that there is a blurring of lines between what constitutes civilian targets and strictly military ones. Yet, the margin for error is far smaller than at any other time.
There is no current effective strategy for countering nation-state attacks on the networks of other states–especially those of private sector entities, such as Twitter or Facebook. Governments do not know how to respond. Companies cannot respond. Revanchist and rogue states get away with electronic murder. And, murder is exactly what they could do. Our entire society depends on space and cyberspace.
The U.S. suffers numerous cyber attacks per day. Some are relatively harmless. Others could risk catastrophic system failure. Rival states in particular possess the capability to totally neuter our computer systems, thereby throwing the country back into the Dark Ages, without ever having fired an actual shot. That is why normal standards of deterrence are wholly insufficient.
Waiting to respond to cyber attacks from the usual suspects–or any suspect threatening U.S. national security–is not going to cut it. Not if we expect to protect our advanced systems from disruption (and risk scores of people’s lives being deleteriously impacted). No, what is needed is a widespread, preemptive cyber warfare strategy. This will instill fear in our adversaries. Such a strategy would also reassure both private sector entities, who are dependent on stability in the global commons, as well as our panicky allies (who fear that America could be debilitated in any future conflict without a shot being exchanged).
Such a strategy will not only instill the fear of God into our opponents, but would force rival states to accept the terms and conditions of a reliable framework governing the use of cyberspace peacefully. They would do this because it would be evident that their ability to threaten American systems would be outmatched by the robust offensive cyber warfare doctrine of the U.S. military.
Deterrence & Defense Are Not Enough
I have a very good friend who works in cybersecurity for a private firm in Maryland. He made the comment recently that, really, cyberspace is akin to the Wild West. There are competing factions, very few rules governing the use of the space, and all parties are seeking to use the “terrain” to gain leverage over those they deem to be their adversaries.
He was lamenting the fact that the lawmakers, political leaders, and security officials have yet to seriously formulate policies for managing the conduct of groups and individuals in the cyber domain. This lack of holistic rules of the road for cyberspace is where certain bad actors are having their most success: they exploit the ungoverned space to their advantage in much the same way that terrorist groups, such as al Qaeda or the Islamic State, use ungoverned spaces in the world as bases of operations.
But, America has always done well in a relatively lawless environment. This is especially true of domains, such as cyberspace, where America has inherent advantages. Oh sure, Russia, China, Iran, and North Korea have mad skills. But, the U.S. invented the Internet. We have the best high tech programs. We are the home of Silicon Valley.
The talent pool in this country is rich and our capabilities are far greater than any other country. Of course, these other rival states are catching up in both talent and capabilities. This is why the U.S. must craft a policy that is so overwhelming and so unpredictable that other states are hesitant to try any funny business.
Former Army Lieutenant Colonel Ralph Peters articulated his belief that America has generally prospered in times of dynamic change. He based this notion on the concept that the United States itself is a dynamic force. During the last several major seismic changes in the international system, the U.S. has disproportionately benefited from the sudden changes. This was due to the fact that the U.S. was not overly tied down by international regulations. America was not burdened by the static thinking through which traditional status quo powers are normally forced to view the world.
Lieutenant Colonel Peters is correct. The U.S. is a rowdy, vibrant, open society deeply committed to the competition that not only capitalism, but also representative democracy, imbues. As such, we should not be so concerned that there are few rules governing the conduct of states in cyberspace. Indeed, such lack of rules allows for America to make significant headway in defending itself.
During the Cold War, deterrence became the preferred mode of thinking for dealing with the nuclear genie that was loosed from its bottle in the Second World War. Concepts like Mutual Assured Destruction (MAD) and detente necessarily swam in the same current as deterrence. These were defensive measures. But defensive measures only get one so far, particularly in terms of cyber warfare doctrine.
Crafting strong, believable defenses is essential for preventing data loss or system failure. But they are not strong enough for preventing the attack in the first place. Quite the contrary, such wait-and-see policies encourage more radical, aggressive actors to push the limit of what America will tolerate at a given time. Individually, these threats may simply be nuisances. However, over time, taken together, these threats could seriously degrade America’s ability to survive (and prosper) in the information economy of today.
That is why I posit a fully offensive cyberwarfare doctrine. Let our enemies know that if you attack our networks we will hit you back twice as hard, in the least expected way possible. What’s more, if you are an actor that routinely attempts to do harm to the U.S. networks (whether it be official government networks or U.S.-based companies), the United States will actively undermine your cyber capabilities.
What would this look like? Well, for instance, China has a history of hacking into America’s networks.
We may decide to mount a robust, highly aggressive operation to shut down critical networks in Guangzhou, where their Ministry of State Security is housed. Better yet, we may conduct a serious infiltration operation aimed at uncovering titillating details about key members of China’s Politburo. Such information could prove highly toxic and politically debilitating for the Chinese leadership. Maybe we would target key State Owned Enterprises, such as Sinopec.
You get the idea.
The point is that we would have free rein to run roughshod over the Chinese (or any other revanchist state) in the cyberspace domain. While this may not totally prevent attacks against American networks, I can assure you that it will induce hesitance on the part of actors looking to cause trouble for America in cyberspace.
What’s more, our preemptive offensive doctrine in cyberspace would cause great consternation and instill a degree of restraint against most aggressive actors in that domain. For, even if, say, the Iranians launched a cyberattack that opened the flood gates of a dam in upstate New York, the U.S. might just decide to retaliate massively in cyber, not only against Iranian target sets, but also against Chinese, Russian, and North Korean targets just for good measure. Or we might target the State Owned Enterprises that are responsible for much of these states’ economic growth.
This, of course, will not stop all attacks against American cyber assets. Such a reality is why the U.S. needs to work much more closely with its partners (in both the private sector and in friendly foreign governments). Yet, it might just ratchet up the costs of attack to such a degree that cyber attackers will stay their hand (until something really big is at stake).
It also explains why we need to beef up our cyber defenses, in the event that an attacker is not deterred by our incredible offensive cyber capabilities. The goal here is conflict mitigation, with the hope of one day negating as much conflict as possible in cyberspace.
But, with conflict mitigation through a robust, preemptive, offensive warfare doctrine, the world will be on notice: do not mess with America’s critical infrastructure.
I realize that what I am proposing is a highly controversial policy. It is essentially akin to the Bush Doctrine for cyberspace. Indeed, when President George W. Bush contemplated a cyber attack against Iran during his second term, he wavered from it, for fear of what the downsides would be.
Speaking of attacking Iran, when the Obama Administration deftly employed the Stuxnet worm (along with the Germans and Israelis) to debilitate the industrial switching systems for Iran’s nuclear reactors, no one could have fathomed how Stuxnet would have mutated. You see, while Stuxnet performed exactly as expected and bought the United States critical time by sabotaging a key component of Iran’s nascent, pernicious nuclear warfare program, it did not deactivate.
The virus remained in cyberspace–which links all people and states together. There is no viable resistance to Stuxnet either. And, the critical issue with Stuxnet is the fact that the same industrial switching systems that it targeted in Iran’s nuclear facilities are used by most Western states for key civilian infrastructure functions. Thus, what was a highly effective weapon against Iranian nuclear facilities could turn into a Frankenstein’s Monster for most advanced states. We could end up being hoist by our own electronic petard.
I fully acknowledge that the blowback potential is high. Indeed, there is no way to anticipate where an aggressive cyber warfare doctrine will end. At the same time, however, there is a very predictable place where the current cyber warfare policy ends: the debilitation of the United States and its allies at a critical juncture.
A radical reappraisal of America’s cyber warfare doctrine toward a more robust, offensive stance would likely deter many actors from engaging in the kinds of reckless behavior in cyberspace that they are currently undertaking. In fact, the unpredictable nature of an offensive cyber warfare policy could be factored into our strategic planning.
The logic in the capitals of rival states would go something like this, “If the Americans know not where their cyber warfare doctrine will end, how can we?” Thus, unpredictability and an apparent willingness to massively respond or, better yet, preempt threats would likely cause most states to rethink their aggressive policies (at least in cyberspace).
So, essentially, a little blowback could be good (at least from the strategic planning phase).
Cybersecurity Through Insecurity
My plan is to essentially increase cybersecurity by increasing the level of insecurity in the cyber domain. The United States has the capabilities and talent to dominate this domain far more effectively than any other state. By constantly being on the offensive, by constantly causing havoc within the networks of our adversaries–and refusing to let up on them–we can induce our adversaries into taking the preferred course of accommodation.
What does accommodation entail? In this case, it entails getting states like China and Russia to seriously sit down with the U.S. and its allies and work up an acceptable framework governing the use of cyberspace. Such an agreement has been attempted, but neither the Chinese nor Russians want anything to do with it. Even when the Chinese took part in basic talks on the matter, there was an implied understanding that China was going to act as they saw fit in cyberspace.
Right now, America’s inextricable dependence on information technology is an Achilles’ heel that must be turned into a Harpe. Our goal must be to create a working framework that all states legitimately accept and conduct themselves accordingly. For, if they do not, if these states resort to aggression in the cyber domain, America’s overwhelming cyber capabilities will be brought to bear in powerful and unpredictable ways.
Until we have a modicum of stability in cyberspace, then, the Wild West is the best analogy to cyberspace. America was home to the Wild West. We dominated it. Taming America’s western frontier made us who we are today. Let’s show the world that we will not simply leave ourselves open to catastrophic attack; to an electronic 9/11. Those who seek to do America harm in cyberspace will suffer the brunt of our fury in that domain until they agree to sit down and hammer out an acceptable framework for the use of cyberspace. Since they cannot compete against us in cyber, they will acquiesce. Deterrence does not work in this case and we can do better.
America must embrace an offensive, preemptive cyber warfare doctrine.