The resignation of the White House’s senior aide on cybersecurity, following long delays in the appointment of a cyber director, should be a wake-up call to policy makers. Though President Obama’s cybersecurity initiative to bolster offensive and defensive cyber capabilities should be commended, without a leader to direct these efforts, little will get done.
Before Melissa Hathaway resigned, she was among other highly qualified nominees for the “Cyber Czar” position who questioned whether they would be given the power and priority necessary, especially with our economy in the doldrums, to make real change to the fragmented bureaucracy that has come to define our nation’s cyber efforts.
While we wait to solidify these efforts, America is fighting a war in cyberspace without the necessary direction of a leader. Our critical infrastructure (financial institutions, defenses, water, energy, health system, etc.) and the economy it supports rely on networked computers that are being probed and attacked every day by cyber spies, hackers, criminal networks, nation states and even non-state actors.
As these groups perfect their cyber capabilities and attacks become more sophisticated, former US Cyber Czar Richard Clarke’s warning of an electronic Pearl Harbor, a crippling attack on our nation’s critical infrastructure, appears to be becoming a grim reality.
Over the last two years, the US Department of Defense, NSA, White House, New York Stock Exchange, Veterans Affairs, Transportation Administration, State Department, and US power grid have all been victims of cyber attacks. US businesses lost billions of dollars last year, including priceless R&D and trade secrets, and these are just the attacks that were detected and reported. During this time, major cyber attacks from Russia targeted US allies Georgia and Estonia, shutting down a number of their government and business websites.
The US needs to adopt a cyber strategy that acknowledges cyberwarfare as a revolution in military affairs. Similar to General David Petraeus’ successful counterinsurgency strategy in Iraq, this policy needs to adapt the form of US offensive and defensive cyber posture to function in the asymmetric world of cyberspace, where a few sophisticated attackers can take on nation states and destroy targets without even firing a shot.
While we wait, our adversaries have taken cover in the virtual sanctuary of cyberspace. Unlike the attacks of 9/11, little can be done to trace a cyber attack back to an attacker with 100 percent certainty. Malicious software or malware can even make an attack difficult to detect. In this fog of war, anonymity means stealth, deniability and lack of options to respond. If the US cannot respond, its deterrence fails.
This problem is exacerbated by America’s high level of connectivity and dependence on cyberspace. Though the US has used cyber war in at least two reported cases, against Serbia and Iraq, it is reluctant to use the full force of its cyber warriors due to the potential for collateral damage to civilian infrastructure. For this reason, there has been little cost to attackers. Thus, mutually assured destruction, which was a crucial factor in deterring Cold War nuclear powers, is lacking as a deterrent in cyberspace.
While attacks and attackers are becoming more sophisticated, the US continues to spend billions to advance the superiority of its air and land weaponry. Meanwhile, China continues to build its cyber capabilities. This year China celebrates the 10th anniversary of the publication of Unrestricted Warfare, a popular policy book written by two colonels in the People’s Liberation Army on how China can defeat a technologically superior opponent with electronic warfare dominance. It appears China’s policy has been advantageous in prioritizing cyber capabilities. It now has an estimated 100,000 hackers capable of stealing R&D on weaponry and incapacitating the command and control systems needed to deploy most modern armies that leverage these platforms.
An example of this policy bearing fruit might have been the recent breach of the $300 billion US F-35 Lightning II fighter plans by a cyber intruder who infiltrated the peer-to-peer network of the company developing the plane. A file containing the blueprints and avionics package for Marine One, which is the US president’s helicopter, was recently found on a similar network in Iran. These vulnerabilities are being closely examined by non-state actors like al Qaeda, which has increased its efforts to adopt cyberwarfare strategies by recruiting hackers, directing followers to certain targets, and maintaining covert communications in cyberspace.
To mitigate these risks the US needs to stop stalling on its nomination of a Cyber Czar. There needs to be a comprehensive and cohesive cyber effort, led by someone with the authority to realize the president’s initiative. This should prioritize a Private Public Partnership—80 percent of US critical infrastructure is run by private sector companies—that requires cybersecurity to be part of the design and operational architecture of our nation’s most important assets.
In addition to increased cybersecurity standards and enforcement, there needs to be increased funding for education on best cybersecurity practices. These efforts will be challenging due to a depressed economy and private-sector loathing of increased government control. Yet, it’s better to take the necessary steps now than to respond to the next major attack later. Until policy makers realize that our most important and costly war is in cyberspace, we will continue to fight a losing battle with no leader at the helm.