A Cyber-Survivable Military

Making U.S. forces resilient against a cyber first strike would lead to more effective deterrence.

A recent report by the Defense Science Board (DSB) proposes a comprehensive approach to improving the U.S. military’s resiliency to cyber threats. Many of its recommendations would address the cyber espionage plaguing the Department of Defense every day. But the study also considered how technologically savvy, well-resourced states, such as China or Russia, might use cyber weapons against the United States in a war.

Within this surreal context, the DSB’s prescriptions are sensible: the United States should ensure that its nuclear forces and a portion of its conventional-strike forces would function after a sophisticated cyber attack on U.S. military networks. For example, China might disrupt the networks linking U.S. forces, weapons, and satellites, or it might corrupt the programs operating these complex systems. If effective, these attacks would make the U.S. military much less capable by undermining communication, intelligence, surveillance and reconnaissance operations, navigation and precision strikes. Of course, China and any other state capable of executing such an attack would only do so during or on the cusp of a full-scale military confrontation, probably to achieve a strategic advantage in the physical world. Whereas otherwise the risks of conventional war with the United States would be too high, the potential for high-payoff cyber attacks may give adversary leaders confidence they can prevail in a short conflict or perhaps even deter U.S. officials from intervening altogether.

Denying them the ability to incapacitate U.S. forces via cyber attacks would, theoretically at least, thwart their strategy of fighting a significantly weakened U.S. military. Forces capable of functioning after a cyber attack would thus contribute to the broader goal of deterring major powers from risking war with the United States.

With that in mind, ensuring that other states are incapable of disrupting or manipulating the U.S. nuclear arsenal (especially its command, control, and communication system, through the insertion of malicious code) is a prudent policy goal. We should not let the DSB’s more controversial argument—the threat of a nuclear retaliation may deter a catastrophic cyber attack on the United States—overshadow it. The members of the study appear to have anticipated that possibility, explaining that cyber-survivability is an essential characteristic of the U.S. nuclear posture, regardless of whether the United States would or should explicitly threaten or launch a nuclear strike after a cyber attack.

The DSB’s suggestion that the United States invest in making a portion of its conventional-strike forces cyber-resilient presents a more difficult choice. It advocates implementing expensive and time-consuming defensive measures on a handful of bombers, cruise-missile-carrying submarines, long-range conventional missiles (if they are ever deployed), and command-and-control assets. This “protected conventional” force would enjoy less connectivity to the sensors and networks that make the U.S. military more lethal than its competitors, and would therefore be less vulnerable to cyber attacks. The DSB is not proposing that the United States deploy a separate conventional arsenal for retaliating against all cyber attacks. Nor is it suggesting that a military response would be appropriate for the type of hostile operations witnessed thus far, such as taking down websites or erasing data on hard drives, despite how some may interpret the concept. Instead, the United States would only employ this reserve force in conflicts where a series of cyber attacks has left the rest of the military inoperative.

If an attack of this magnitude is possible, the DSB recommendation makes sense. It couches this approach in the language of escalation ladders. But put more simply, in a war where an adversary has done something as drastic as launching a large-scale cyber attack against the U.S. military, the United States would need conventional-strike options to defend itself and its allies.

Yet creating a reserve force means fewer conventional weapons for more frequent conflicts against adversaries that do not possess top-rate cyber weapons. This is no small tradeoff as the military grapples with global defense commitments and fewer resources.

Whether the threat warrants this tradeoff is unclear. The DSB’s analysis raises questions about whether a disarming cyber strike, synchronized with other combat operations just as a war erupts, is feasible. An adversary would need to infiltrate and study secure U.S. military networks as well as the communication, intelligence, and weapons systems they connect and operate. Then the attacker must customize code to manipulate them, and for air-gapped targets, covertly gain physical access.

Even if adversaries succeed in planting cyber weapons throughout U.S. systems, their goal would be to affect the targets only when a war is imminent, so they would not have the luxury of attacking immediately. Weeks, months or years could pass before a conflict, during which time U.S. officials might detect and remove the virus, upgrade to more effective security software, or reconfigure their network architectures. Ensuring that deployed cyber weapons are poised for wars that will start at an unspecified time in the future would require consistent surveillance.