Defending America in Cyberspace

November 1, 2013. Topics: Cyber Security, Cyberwar, Security. Regions: United States.

Mini Teaser: The National Security Agency's strategy for protecting the United States from cyberattacks.

by Keith B. Alexander, Emily O. Goldman and Michael Warner

PRESIDENT BARACK Obama has identified cybersecurity threats as among the most serious challenges facing our nation. Secretary of Defense Chuck Hagel noted in April that cyberattacks “have grown into a defining security challenge.” And former secretary of defense Leon Panetta told an audience in 2012 that distributed denial-of-service attacks have already hit U.S. financial institutions. Describing this as “a pre-9/11 moment,” he explained that “the threat we face is already here.” The president and two defense secretaries have thus acknowledged publicly that we as a society are extraordinarily vulnerable. We rely on highly interdependent networks that are insecure, sensitive to interruption and lacking in resiliency. Our nation’s government, military, scientific, commercial and entertainment sectors all operate on the same networks as our adversaries. America is continually under siege in cyberspace, and the volume, complexity and potential impact of these assaults are steadily increasing.

Yet even as it confronts mounting threats, the United States also possesses a significant historical opportunity to deter them. America has built something unique in cyberspace—an evolving set of capabilities and activities that have not yet reached their collective potential. We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats. Our capabilities give us the power to change the narrative by making our networks more secure—and ensuring that cyberspace itself becomes a safer place for commerce, social interaction and the provision of public services. We want to take this opportunity to put these developments in historical context, and then explain why we as a nation must continue to build a cyberenterprise capable of guarding our critical infrastructure and population. We can and must do this while always protecting civil liberties, personal privacy and American values.

WE NOW rely on social structures that barely existed 150 years ago. The order and functioning of modern societies, economies and militaries depend upon tight coordination of logistics and operations. Reliability of timing and flow has become indispensable for modern nations and their armed forces. This synchronization rests upon an infrastructure that allows communication, transport, finance, commerce, power and utilities to serve policy makers, managers, commanders and ordinary citizens in an efficient and reliable (i.e., unbroken) manner. Efficiency and dependability make realistic planning and effective operations possible across a whole society. Such intricate ties in the mesh of infrastructure systems also constitute a lucrative target for an attacker and a significant vulnerability for modern societies. Disrupt the synchronization, and the whole system of systems becomes unreliable—thus diminishing the nation’s power and influence.

This unprecedented degree of exposure to systemic dislocation was first anticipated over a century ago when British cabinet ministers and business leaders contemplated the potential for disruption to their entire economy if French armored cruisers even temporarily interrupted the empire’s overseas trade. The perceived peril to British society prompted the Royal Navy’s intelligence office to begin gathering data for the strategic assessment of risk and vulnerability. That effort convinced decision makers that Britain was vulnerable to disruption of its commerce and to sabotage of its war-fighting capabilities. At the same time, Royal Navy planners recognized opportunities to exploit Germany’s systemic vulnerability to economic disruption. This would require the coordination of a range of institutions and capabilities: financial services, international communications, shipping, energy, diplomacy, and naval and intelligence activities meshed into what historian Nicholas Lambert aptly describes as an “Armageddon” strategy.

London approved use of this collection of levers as a weapon against Germany in 1912, but when war came soon afterward British leaders quickly recoiled from the plan under economic and diplomatic pressure. Britain’s economic-warfare measures were proving to be shockingly effective. At the outset of war in 1914 a global financial panic affected world trade on a scale like that of 1929. Britain’s strategy swiftly exacerbated the crisis. Citizen and business confidence in economic institutions collapsed. Traders withdrew from markets. World trade ebbed. Commodity exchanges closed their doors. Banks recalled loans, and global liquidity dried up. In an increasingly globalized and interconnected world, moreover, many of the unintended victims of economic warfare were British.

While the British never fully implemented their 1912 vision of coordinated levers of power to defeat an enemy, the notion of employing strategic technological and economic power indirectly helped bring about a new capability in the United States. One of the most important pillars of Britain’s strategy, which was bequeathed to the United States, was a strategic signals-intelligence capability that served both national and battlefield users. By 1952, the United States had established the National Security Agency (NSA) as the capstone of a signals-intelligence enterprise. That capability became computerized over time, and the resulting “cryptologic platform” emerged as one of the bases of expertise and infrastructure for cyberspace and cyberoperations. From this emerged America’s military cyberspace architecture and capabilities. In 1981, the Pentagon gave the NSA the mission to help secure data in Department of Defense computers. In 1990, that role expanded to the government’s “national-security information systems.” The NSA also played a role in helping the government and military to understand the vulnerability of the nation’s critical infrastructure. When planning accelerated for military cyberoperations after 2001, the NSA provided expertise to the Pentagon’s new “network warfare” capabilities.

Since then, cyberspace has become vital for the functioning of our nation in the digital age. Our national digital infrastructure facilitates the movement of commodities and information, and stores them in virtual form as well. We now use cyberspace to synchronize those critical infrastructure systems that coordinated economies and militaries a century ago. Many of the same vulnerabilities that Royal Navy planners noted in 1905 apply in cyberspace and are magnified by our dependence on the information sector. The features that allow all these infrastructure sectors to link together in cyberspace, however, also make them accessible to intruders from almost anywhere at a comparative minimum of cost and risk. The cyberdimension, therefore, adds an unprecedented degree of complexity and vulnerability to the task of defending ourselves against a modern-day “Armageddon” strategy.

The century-old dream and nightmare of crippling a modern society by wrecking its infrastructure—or just by disturbing its synchronization of functions—is now a reality others are dreaming of employing against the United States. We do not know how effective such a strategy would be against the United States in practice, but glimpses of global financial panics in recent years should raise concern about even partial “success” for an adversary attempting such an attack.

MILITARY CYBERCAPABILITIES are now being “normalized,” following a traditional path from commercial innovations to war-fighting systems (much like that of aviation in the last century). Several nations have pondered cyberdoctrine for years at senior military schools and think tanks. Cyberattacks against Georgia in 2008 demonstrated how network warfare could be employed alongside conventional military forces to produce operational effects. Lessons learned from such operations are now being turned into tactics and planning by future adversaries. This normalization of cybereffects and their integration with conventional forces will not diminish their power—on the contrary, it will magnify it. Decision makers like former secretary Panetta have mentioned the possibility of a “cyber Pearl Harbor” to evoke our current predicament. We may have already witnessed the cyberequivalents of the sinking of a battleship at Taranto and practice runs with shallow-water torpedoes (the inspiration and preparation, respectively, for Japan’s Pearl Harbor attack).

Cyberconflict occurs on a second level as well. Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.

The United States has not sat idle, however, in the face of diverse and persistent threats in cyberspace that no one federal department or agency alone can defeat. There is clear recognition that the nation’s cybersecurity requires a collaborative approach and that each department brings unique authorities, resources and capabilities to the table. The Department of Homeland Security is the lead federal department responsible for national protection against domestic cybersecurity incidents. The Department of Justice, through the Federal Bureau of Investigation, is the lead federal department responsible for the investigation, attribution, disruption and prosecution of cybersecurity incidents. The Department of Defense has the lead for national defense, with the responsibility for defending the nation from foreign cyberattack. This team approach helps us protect U.S. infrastructure and information, detect attacks and deter adversaries in cyberspace. Relationships also have been forged with private enterprises that carry the data (or create or study the hardware and software that manage the data). Working together, we are improving our knowledge about what is happening across the cyberdomain, enhancing shared situational awareness for the whole U.S. government while ensuring robust protection for privacy and civil liberties.

Pullquote: Every nation has significant vulnerabilities that can be exploited in and through cyberspace; almost alone among nations, we have the ability to lessen ours dramatically.