Following a recent speech, Chairman of the Joint Chiefs of Staff General Martin Dempsey dismissed concerns about the U.S. militarization of cyberspace. “We have a Navy, but we are not being accused of militarizing the ocean,” he said. As the world reflects on and responds to the actions of former National Security Agency contractor Edward Snowden, and as the investigation of possible leaks by former Joint Chiefs vice chairman General James Cartwright unfolds, it is difficult to avoid wondering if General Dempsey’s answer is the best the administration can muster. An increasing number of adversaries and even allies are coming to believe that the United States is militarizing cyberspace—and that impression of hubris and irresponsibility is beginning to have a real-world impact.
So what needs to be done? New thinking is required, in at least three ways: First, the administration needs to acknowledge that this is a problem. Second, a more holistic approach is required when making national-security decisions that affect the internet. Third, the government needs to learn to respond to these types of leaks in a way that does not make the situation worse.
Acknowledging the Problem
The Snowden leaks have brought Stuxnet, the U.S.-Israeli program allegedly used to attack Iranian computer systems, back into public debate—and reminded us that the real damage of the Snowden revelations will be international. President Obama looks set to weather the domestic storm, and after a round of outrage—some real, some feigned—the diplomatic fallout from the various spying allegations will eventually subside. Susan Rice, the new national-security adviser, might have been a little optimistic when she said, “I don’t think the diplomatic consequences, at least in the foreseeable future, are that significant.” She will have some difficult conversations with European leaders, annoyed at the reigniting of previous domestic controversies about the privacy implications of U.S. counterterrorism policy. But other priorities, including the economy, will ensure that U.S.-European relations remain firm. So it is difficult to imagine she will lose much sleep over Chinese complaints on the subject of cyber espionage.
Yet the perception that the United States has become a danger to the global internet is a cause for concern. In their understandable anger at the considerable damage Snowden has done (in the near term at the very least) to the operations of NSA and their allies, U.S. security officials should not lose sight of this fact. Snowden’s claims build on the Stuxnet revelations. In doing so, they reinforce an impression of overbearing U.S. cyberpower (military and commercial) being used irresponsibly. That is strikingly at odds with the U.S. self-image as a standard bearer of internet freedom and “borderless” exchange, but it is a view that resonates around the world.
At the most basic level, that sense of double standards legitimizes bad behavior directed back at the United States. Many in the U.S. private sector believe that the distributed denial of service attacks that they are suffering from Iranian-backed groups are a response to Stuxnet. So you can imagine how little sympathy such attacks elicit in parts of the world where there are already high levels of anti-U.S. sentiment. More practically, Stuxnet demonstrated the ways in which critical infrastructure can be attacked and removed any taboo that might have prevented such attacks. Not surprisingly, many researchers fear that it is only a matter of time before this country suffers a taste of its own medicine.
But a more subtle and damaging effect relates to how the internet operates. The United States and its allies are currently engaged in a low-profile but highly consequential tussle for the future of the internet. Although out of day-to-day public view, this matters, as the internet now underpins the global economy. While it is self-evident to us that minimizing government involvement is precisely what ensures the success of the internet, it is equally clear to authoritarian states like Russia and China that the internet (including the content it carries) must be controlled. This latter view is exemplified by the desire of Russia, China and others to see the International Telecommunication Union, an adopted member of the United Nations family, expand its role into setting international rules for the internet.
Despite alarmist concerns to the contrary, there is no practical way in which the United Nations (or any other organization) could “take over” the internet. But if the United States starts to be seen as a danger to others, new barriers will emerge and everyone will lose.
It is probably now unrealistic to expect the most authoritarian states to buy into the current manifestation of the so-called “multistakeholder” governance model. That is especially true for weaker states who believe they have reason to fear Washington or its allies (think the Middle East), but the fact that emerging powers like India and Brazil still flirt with a more statist approach to internet governance is a worrying portent of trouble ahead. Such positions cannot be blamed solely on Stuxnet and Snowden’s disclosures, but they certainly don’t help. Likewise, involvement of U.S. brands Google, Facebook, Microsoft and others in spying operations only plays to the paranoia of those who see such firms—Washington’s true cyber power—as extensions of the American state.
Balancing Cyber Reward and Internet Risk
Policymakers must not only ask whether a national-security cyber operation is legal, but also whether it is wise. And that probably means involving new stakeholders. Decisions that make perfect sense in the context of national security or counterterrorism may look less sensible when judged in the context of the possibility of repercussions for global trade or, say, the ability to establish norms on the cyber theft of intellectual property.
This does not mean that we should abandon the use of cyberpower to support national-security goals. To do so would be to cede unnecessarily a U.S. advantage to the nation’s adversaries. But it may raise the bar.
Done right, cyber capabilities have the undoubted potential to save lives. For example, when considering the thinking behind Stuxnet, it is hard to object to a plan in which no one was killed and which may have played a part in slowing down Iranian progress toward a nuclear capability (averting the possibility of U.S. or Israeli attacks and a messy war in the Middle East). But there are downsides, too, and the right people need to be in the room so that the balance of risk and reward is properly understood. The president does not need to act on all the advice he is given, but his decisions should be fully informed.
Getting the Messaging Right
This is not straightforward: unlike the U.S. Navy in General Dempsey’s example, the purpose and organization of DOD’s cyber power is deliberately shrouded in secrecy. There are good reasons for this confidentiality: it is easier to attack than defend in cyberspace, and there is an advantage in having advance knowledge of your adversaries’ systems. This makes it hard to explain openly what the U.S. military and intelligence community do in cyberspace. At the same time, however, the public and media are becoming increasingly aware of the importance of the global internet in their daily lives. One consequence of a requirement for high levels of operational security and keen public interest is a ready environment for leaks.
In other words, these will not be the last “cyber” leaks. And if recent events prove anything, it is that leakers come in all shapes and sizes. The challenge going forward will be to find an appropriate response. Not commenting may be the least bad response to the Stuxnet claims, but anything that makes the Iranians look like the innocent victims of U.S. bullying is hardly without drawbacks. Meanwhile, focusing on the legality of internet surveillance as long as it is directed at “non-U.S. persons” does nothing to enhance the country’s reputation abroad. The global context has changed, and somehow the messaging has to catch up.
None of this is meant to condone the practice of leaking. Secrets are essential to good government, especially national security. But the government must be careful to apply an accurate assessment of the risk of disclosure to its national-security decision making and, should the need arise, be prepared to justify its actions internationally and domestically.
Sometimes it is useful to create doubt in the minds of adversaries about your true capabilities, but the secrecy surrounding cyber weapons can also create instability and competition. Perception quickly becomes the reality that matters internationally. Managing this new environment will require levels of self-awareness and cross-agency work that will be novel and challenging. But nothing less will do if the United States wants to avoid being out-maneuvered in the geopolitics of the internet age.
Ian Wallace is a visiting fellow in the Center on 21st Century Security and Intelligence at Brookings. Wallace previously served as a senior official at the British Ministry of Defence, where he helped develop the UK government’s cyber strategy as well as Britain’s cyber relationship with the United States.