The 1991 unclassified U.S. National Research Council report “Computers at Risk: Safe Computing in the Information Age” stated the problem clearly:
We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable – to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack.
Three decades later, the sole superpower has become accustomed to being on the receiving end of deliberate cyber-attacks. Ransomware hit major cities from Baltimore to Atlanta, local governments, hospitals, and schools especially hard. Even third-tier powers directly attack the American homeland.
On Christmas 2014, Sony Pictures Entertainment (SPE), the California-based entertainment company employing over 9,000 people, was scheduled to release the movie The Interview. The action-comedy plot revolves around the Central Intelligence Agency (CIA) recruiting a couple of incompetent American entertainers to assassinate Supreme Leader Kim Jong-un in Pyongyang. The Democratic People’s Republic of Korea (DPRK) deemed the decapitation plot intolerable, terrorism, and an act of war and predictably threatened merciless retaliation. But this time, the backward and isolated state found a way to project power into the United States.
Cyber attackers then stole terabytes of data, wiped and rendered inoperable thousands of SPE computers in the United States, United Kingdom, and elsewhere. SPE did not comply with the hackers’ demands, and went ahead with its plans to release The Interview. Then, cyber attackers published SPE’s internal emails, payroll lists, and business plans along with four unreleased films. Western media predictably feasted on the gossip doxed from SPE’s emails. The perpetrators threatened to publish confidential data and personally threatened 3,800 American SPE employees. As SPE had yet to decide on the movie’s fate, on December 16, North Korean cyber attackers threatened physical attacks on U.S. cinemas screening the movie; AMC Theatres and most major cinema owners promptly declined to screen the film. Now, Sony decided not to release the film, effectively giving in to North Korea. Despite President Barack Obama intervening, the retrograde DPRK publicly deterred the United States.
Iran, like North Korea, is overtly hostile to the United States while lacking economic or military power projection capability into the United States. Iran, like North Korea, demonstrated effective use of cyber power. For example, a U.S. Department of Justice (DoJ) indictment made public on March 23, 2018, describes how several Iranians organized the Mabna Institute in Tehran to target more than 100,000 professors in 320 universities, including 144 in the United States and 176 across twenty-one other countries. The small team had achieved global reach using known tactics, techniques, and procedures (TTPs), such as spear-phishing and password spraying, without performing any meaningful R&D. Iranians then used the thousands of credentials (including 3,768 accounts at U.S. universities) stolen to gain $3 billion worth of Western intellectual property. The perpetrators assisted the Iranian national effort on behalf of the Islamic Revolutionary Guard Corps (IRGC) and profited by selling the stolen data and credentials. Further, Iran and North Korea have leveraged ransomware to hit the American homeland.
What do these attacks and the more recent ransomware spree have in common? A foreign adversary contemplating a destructive attack on America’s heartland faces state-grade defenders on land, sea and air. A foreign adversary launching a direct cyber-attack on a non-military homeland target will encounter none.
Why did this lack of state-grade defense become the norm? Lack of capabilities can’t be the reason. After all, the United States boasts second-to-none intelligence and military forces, global operational experience, ample awareness, and large budgets. Moreover, Americans own cyberspace by virtue of an excellent innovation system and elaborate industrial base. The current logic (correctly) asserts that a military approach does not fit for defending civilian targets from cyber threats. However, the defense and military establishment may abuse it to evade the burden of change. A recent Congressional Research Service’s report “Defense Primer: Cyberspace Operations” succinctly describes the Federal cybersecurity organization. The primary defender, the Department of Defense (DoD), will only assist the nation in a cyber emergency. In plain English, only after things get really rough will fighters take over and lead America to victory. The DoD shall not be bothered with the dull day-to-day security of movie studios or hospitals. The fault of the logic is that even if the DoD succeeds, it will be too late.
The pervasive insecurity is the result of peacetime strategic defense maladaptation. Thus, debates on national cyber power must refocus on a non-technical issue: how to spur and steer effective change in defense missions, strategies, doctrines, forces, and organizations. This challenge is hardly new.
Contrary to witticisms, serious research ascertains that states and militaries do prepare for future wars. Maladaptation rarely manifests itself in denying that reality is changing. Militaries are large bureaucracies, and, as Harvard professor Stephen Peter Rosen wrote,“almost everything we know in theory about large bureaucracies suggests not only that they are hard to change, but that they are designed not to change.” Peacetime strategic defense adaptation typically fails because defense organizations are unwilling to, not forced to, or unable to truly change their ways.
For over six decades, social scientists have established military adaptation scholarship. While an overview exceeds the scope of this piece, I offer just a sample of studies that dealt with the persistent problems that now mar cybersecurity.
Azar Gat studied the theories of mechanized war in the air and on land, demonstrating that technology on its own does not drive innovation or its course. Frederic A. Bergerson’s groundbreaking political science study explained the U.S. Army aviation’s revival from 1942 to 1970: few activist reformers who opposed policy yet worked to change it from inside the military organization generated crucial defense adaptation. Finally, Rosen identified that military innovation stems from new promotion pathways for younger officers.
Theoretical stagnation is the root cause that hinders American cyber insecurity. None of the defense branches accepts a novel, challenging mission: to defend the homeland from foreign cyber-attacks. Moreover, radical cyber defense innovation will not emerge by itself. Instead, scholars and policymakers must leverage the defense innovation scholarship to drive adequate security.
Lior Tabansky, Ph.D., is Head of Research Development at the Blavatnik Interdisciplinary Cyber Research Center, at Tel Aviv University (TAU).