In the past year, the United States has learned about unprecedented digital data breaches ranging from the confidential files of Sony Pictures, to the security clearance records of the Office of Personnel Management, to the private AOL account of CIA Director John Brennan. There is far more going on here than a loss of web-based information, legal liability, and deficient software. These attacks are part of an emerging pattern of cyber activity that should serve as a major national security wake-up call for U.S. officials.
A first reason for concern is the breadth and systemic nature of the problem. Indeed, of all the entropic forces eroding world order, from Russia’s annexation of Crimea to China’s salami slicing in the South China Sea, the most misunderstood yet troubling are in cyberspace. Here in the virtual networks of the digital age, rule makers are falling behind rule breakers.
A second point is that the problem only appears likely to get worse. More than 3 billion people can access the Internet, and the United Nations is working to close the digital divide by bringing another 1.5 billion people online by decade’s end, at which time an estimated 25 billion devices will be interconnected.
Cyber is the Achilles’ heel of order in national security and society, the critical vulnerability in an otherwise resilient system. Consider that a hacker in Malaysia apparently sought to transfer personal information about U.S. troops to the so-called Islamic State. Bad actors will find continued benefit in subverting and circumventing the rules: because there is money in it, because there is national security gain in it and because they can.
Rather than a divide, there are myriad connections between critical military systems and civilian networks. In the cyber domain, the private sector represents the indispensable power on which governments must draw. It is responsible for most hacking and vulnerability.
A third reason for alarm is that, while risk can be better managed, the fundamental problem cannot be resolved. While well-intentioned officials aim to close one digital divide, malevolent actors are opening another: the gulf between those trying to establish norms and those working on exploiting security vulnerabilities.
To start addressing the digital divide, we need to revamp daily vigilance but also reduce what the government seeks to protect. The conventional wisdom is that chronic problems can be mitigated through a variety of logical steps. But daily evidence indicates that this incremental approach is failing. Many ways to protect the Internet are just not implemented, a widespread failure to manage down risk in the public and private sectors. Most basic is demanding better daily habits and setting priorities to protect sensitive information or critical infrastructure.
Resources are limited and cyber vulnerability is vast and growing, and some sectors, such as financial networks, energy and telecommunications, are vital for basic societal stability. In a networked world, the United States needs to work closely with allies and partners to protect common critical infrastructure.
Another step is to seek effective agreement to reduce unnecessary major cyber national security challenges. As China moves to create a single cyberwarfare command, President Barack Obama seeks to commit China to refrain from cyber attacks on America’s critical infrastructure. This is easier said than done. Such an accord, as with no-first-use of nuclear weapons pledges, would lack enforcement and could incentivize escalation, because of first-mover advantage or because a third party alters data to catalyze a war.
These concerns also relate to U.S. wariness of Britain opening up critical sectors such as telecommunications to China. You don’t need anti-satellite weapons in space to blind nuclear early-warning systems if you can hack into the computers of critical ground stations. A year ago, the National Oceanic and Atmospheric Administration was forced to shut down satellite connections because of a hacker in China. The United States lost more than just weather and meteorological data.
Yet even China, with its huge stake in the international economy, is pushing the idea of cooperation rather than cooperation itself. This was visible at the Xi-Obama summit, when Xi said he strongly opposes the cyber theft of information for commercial purposes, while denying that China had ever engaged in such activity. Not surprisingly, CrowdStrike now reports China’s hacking has been unstinting even after the summit.
It remains harder to impose costs on virtual than physical threats. Cyber deterrence and offense must operate in the essentially private domain of the Internet. Putin realized this when he sought to take the Russian Net offline last year and found that he could not fully sever the many links to the global web.
A third line of effort that these recent breaches should spur on concerns beefing up cyber deterrence and cyber response. Most “attacks” do not intend to create kinetic effects. But how can the United States deter real cyber attacks, including the Sony hack that destroyed valuable economic data? One way is to reduce dependence on technology and train personnel to operate in situations where technology fails (such as the U.S. Navy rediscovering the ancient art of celestial navigation).
The U.S., like other states, also needs to organize for decisive action. An attack on Wall Street would leave Washington wrangling over who was in charge. Current organizational “bubble charts” finesse the question of authority and capability among the Defense Department, Homeland Security, the FBI and the National Security Agency.
Public and private stakeholders are more interested in gaming relative advantage than reducing common vulnerability.
None of these steps can prevent every cyber attack. But they might start to slow the growth of an ever-expanding digital divide between forces of order and those that could pose a devastating threat to industry and governments alike.
Dr. Patrick M. Cronin is senior advisor and senior director of the Asia-Pacific security program at the Center for a New American Security in Washington, D.C.; Dr. Audrey Kurth Cronin is distinguished professor and director of the international security program at George Mason University.