AMERICAN AND allied cyber policy is mired in antiquated thinking. The trouble starts with which adversarial hacking activity to counter—there is currently a focus on defending a whopping sixteen preset silos “critical infrastructure” industries, as defined in Presidential Policy Directive 21. Under several consecutive U.S. presidents, this strategy has failed to deter or halt the major threats our country faces. Some examples stand out: the Obama administration’s decision to “stand down” on planning to respond to Russian active measures in cyberspace; a decade of unchecked intellectual property theft by China; and attacks on the financial sector by Iran and North Korea. For that matter, until the Russian interference in the 2016 U.S. presidential election, voting equipment was not even considered critical infrastructure. Neither are the servers used by individual campaigns and political parties, even in light of relatively recent events.
Despite world-class capabilities, there is no reason to think we are fully prepared to pick which appropriate sectors should be defended in a cyber conflict, especially in a world where a growing array of countries can pose a significant risk to the economic health and freedoms of the ordinary American citizen.
THE SHORTCOMINGS of this approach are clear in the case of the Department of Defense’s new “Deliver Uncompromised” security initiative, which since June 2018 has sought to improve the resilience of the military supply chain by adding “security” to the longstanding core acquisitions considerations of price, delivery and performance. Considering America’s innovation ecosystem, especially in new developments applicable to eventual military use, one can see how many disruptive and incremental battlefield gains originate from original academic research outside government-controlled labs, and certainly occur long before practical production is begun at a defense contractor.
This “spin-on” from uncleared academics and the private sector has been key to U.S. military success in the twentieth century and is likely to be even more important in the future. Given how research is shifting toward private sector companies, particularly when it comes to developing and funding disruptive technologies such as artificial intelligence, it is necessary to extend state cyber protections to these companies. Otherwise, there is a risk that commercial innovations with military potential will be stolen and used against the United States.
The Chinese hacking group APT40 appears to be ahead of the curve in this regard: though having operated as a military intelligence gathering operation mostly focused on traditional maritime targets since 2013, they have been expanding their operations since at least 2017 and have managed to compromise numerous systems, including those of U.S. universities. APT40 has repeatedly targeted engineering firms, research institutions and defense contractors working on naval technology, probably to help China’s own undersea weapons research catch-up with the West. In the last few years, this has included theft of original research long before it is classified, potentially putting Beijing in position to out-innovate the U.S. military using U.S. academics’ fundamental research gains to supplement those of their own universities. While posing a national security dilemma for the United States, these academics are not in a “critical industry” and are often culturally resistant to security-related oversight that might impede their work.
APT40’s work also includes an enormous expansion into targeting U.S. and allied economic interests in Southeast Asia, the Middle East and Europe. China uses cyber forces like APT40 to support its Belt and Road Initiative (BRI), which in practice means state-sponsored computer compromises of any non-Chinese company doing business along BRI trade routes in order to position China’s own companies for greater competitiveness. While not a return to the level of blatant intellectual property theft of 2015—banned under a mostly effective agreement between Presidents Barack Obama and Xi Jinping, and which China deserves credit for adhering to—this activity represents a blend of commercial and military threats that do not fit easily into the defensive plans of the United States and its allies. These plans still conceptually treat foreign cyber operations as a kind of natural disaster or conventional crime which falls into neat buckets of risk, rather than the dynamic, whole-of-society but less-than-war effort that it really is.
Looming in the future is the potential exploitation of new 5G wireless networks not only for espionage purposes—practically a given for any telecommunications infrastructure at this point—but for compellence of less powerful nation-states and possible disruption to NATO force deployment. The high speed and low latency of 5G makes it ideal for integration into everyday devices—think smart speakers, smart microwaves, smart thermostats and even embedded computing into the very clothes you wear. It is easy to imagine how these devices could themselves be subverted for surveillance purposes, especially since many smaller computing devices will not have been designed with security in mind, or are even upgradeable in the event that a critical security bug is found.
China’s aggressive roll-out of 5G wireless infrastructure built by homegrown telecommunications giant Huawei has caused great concern within the Trump administration and U.S. military that a Chinese-built network covering at least parts of Europe, and within the networks of other U.S. allies, could be turned against the United States in a time of conflict. This could take the form of either impairing joint NATO operations by limiting communications—most of which, even for military purposes, still travel in an encrypted manner over privately owned infrastructure and could thus be disrupted if not broken and understood—among NATO members or even directly attacking government willpower by targeting citizens in smart cities: imagine if your car would not start or front door would not open because of a foreign military’s attack or a disconnection of your country’s communications. If all that it takes to make that inconvenience go away, and restore the normal functioning of your economy and daily routine, is for your legislature to concede on some foreign affairs issue or another overseas military deployment, how many citizens would call their representative to complain about the threat compared to calling to complain about the disruption to their daily life? It’s an unknown, and different societies may react differently, but for a diverse global alliance this targeting of individuals at scale, made ever more doable by the advances of 5G networks, looms as a real political and military Achilles’ heel.
Allies considering this U.S.-centric concern, meanwhile, must weigh that uncertain future possibility against the immediate certainty that using non-Chinese equipment would cost billions of additional dollars and, for many countries, open them up to what they believe is unacceptable opportunities for U.S. spying. To date, the American case, however well-founded, has been unconvincing and remains as an open wound on a critical future technology and force deployment issue.
THIS SHIFT in thinking is not just about tactical defense of military superiority or political willpower to fight. Major powers, including China and Russia, have targeted expatriate journalists, religious movements, elections in their neighbors and global foes, and public sentiment in democratic publics. They have done so with a mixture of cyberespionage-fueled information operations, disruptive attacks on physical infrastructure that affect basic needs such as electrical power, and targeted campaigns that affect guaranteed rights like the free press. From there, these countries preposition for even more serious future operations—including against countless everyday home businesses and shared international networks, such as the global financial system. These operations take domestic surveillance and computer security tools and use them to spread a nation’s sovereignty beyond physically defined borders. Often, the first priority of these countries is to influence their expatriate communities abroad, and later, anyone who might be perceived as interfering in these countries’ domestic affairs. Under current guidelines, only a tiny percentage of organizations targeted by these sorts of operations are considered “critical infrastructure.”
Because of this ability for nations to influence online behavior and exercise freedom beyond their own territory, cyber conflict is now, and will continue to be, a battle over competing visions of human dignity. Nations with wildly different values will seek to enhance their domestic security through cyber operations worldwide. We have, at a gut-level, a sense that there is a real difference between London putting up a huge network of surveillance cameras and Beijing doing the same thing—the rule of law, government transparency and control, and privacy protections that stop at one’s front door. That differentiation becomes muddied as we in the West consider exploiting large databases of other people’s commercial activity, genetic data, social media usage and other personal information in ways that are not intrinsically different from those of erstwhile foes. It is made even worse when the United States and allied cyber powers cannot defend the health records, email accounts and business competitive information of its citizens from foreign autocratic oversight.