With hacking, US needs to stop playing the victim

The US also uses cybertools to defend its interests
Last Updated 25 December 2020, 04:18 IST

By Paul R. Kolbe

There is indignant howling over what is surely Russia’s role in infiltrating, again, the networks of the US government and corporations — this time through a tainted software update by the company SolarWinds. Politicians of both parties have called it a virtual act of war. “America must retaliate, and not just with sanctions,” Senator Marco Rubio said.

This recalls Shakespeare’s line in Hamlet about the lady protesting too much.

The United States is, of course, engaged in the same type of operations at an even grander scale. We are active participants in an ambient cyberconflict that rages, largely unseen and unacknowledged, across the digital globe. This is a struggle that we can’t avoid, and there is no need to play the victim. Just as we use cybertools to defend our national interests, others will use cyberweapons against us.

The National Security Agency and Central Intelligence Agency exist to break into foreign information systems and steal secrets, and they are damn good at it. They, along with the Defense Department, regularly use cybertools to purloin intelligence from servers across the world and to place foreign information systems and industrial infrastructure at risk. Ones and zeros can be more effective weapons than bombs and missiles. The exposure of Stuxnet, the Snowden leaks and the theft of CIA cybertools revealed the sophistication and extent of capabilities attributed to the United States.

The Pentagon’s cyberwar force, known as Cyber Command, overtly acknowledges, through its “defend forward” doctrine, that the government will target foreign entities and information systems to fight cyberattacks. In November 2018, Cyber Command reportedly disrupted the internet access of the computers of Russia’s Internet Research Agency, the organization responsible for the disinformation campaign during the 2016 US midterm elections. In 2019, in response to Russian cyberincursions into the US energy grid, Cyber Command reportedly placed malware tools on Russian systems that could enable the United States to turn out the lights in Moscow should a conflict between the two nations arise.

As solid as the US cyberoffense is, the defense leaves much to be desired, richly demonstrated by the litany of digital disasters, including the hacks of SolarWinds, the Office of Personnel Management, Equifax and Sony. The reality is that the US government and private companies both underinvest in cybersecurity. Effective defense is a collective effort, but agencies and companies are often clueless and defenseless when it comes to countering the intrusions of countries like Russia, China or Iran.

In recent years, there have been suggestions that the United States might explore international agreements by which nations would agree to put constraints on cyberwarfare and espionage. But this idea isn’t really taken seriously. There’s a sense that rules written by those with the biggest guns — that is Washington — can unilaterally impose global cyberorder.

The SolarWinds hack lays waste to that notion. Confidence that the United States possesses a monopoly on cyberweapons borders on hubris. Even though federal agencies do possess some of the greatest cyberespionage and warfare tools and talent on the planet, the playing field is disturbingly even.

Unlike nuclear weapons, or even sophisticated conventional arms, powerful cyberweapons are cheap to produce, proliferate with alarming speed and have no regard for borders. Unable to match the United States in military spending, Russia, China, Iran and even North Korea view cybertools as a great equalizer. Why? Because the United States is singularly vulnerable to cyberattack: America is more reliant on financial, commercial and government networks than our adversaries, and, at the same time, our systems are frighteningly open and vulnerable to attack. American networks represent targets for our adversaries that are simply too soft, juicy and valuable to resist.

So, does the United States give up and do nothing? Of course not.

First, the United States should recognize that it has entered an age of perpetual cyberconflict. Unlike conventional wars, we cannot end this fight by withdrawing troops from the battlefield. For the indefinite future, our adversaries, large and small, will test our defenses, attack our networks and steal our information. In this respect, cyberconflict is more like fighting a disease than fighting a war, a disease with intent, and for which no vaccine is likely to emerge.

Second, it’s time to build a true national cyberdefense. This would rely less on barriers and firewalls, and more on monitoring what flows within and among corporate and government networks. Instead of a Maginot line, think a territorial army defending the many layers of cyberspace. Effective national cyberdefense requires a dedicated degree of corporate engagement, intelligence sharing and trust. Neither the government nor private sector can succeed on their own. Companies and agencies, particularly those providing software services, must be held more accountable for egregious security lapses that make them easy targets and place us all at risk.

Third, the United States must relentlessly counter our adversaries’ cyberoperations by penetrating their most sensitive systems. There is a saying in counterespionage that only spies catch spies. Most agents are uncovered not by surveillance or background checks, but instead by other spies. No doubt, the CIA, N.S.A. and Cyber Command are working tirelessly to build the human and technical networks needed to uncover foreign intelligence operations. But they must ramp up.

Finally, even in the face of perpetual conflict, we should be prepared to sit down and talk with our cyberadversaries. It is hard to imagine a comprehensive agreement on cyberconduct that any country would abide by, or trust others to follow. Small steps, however, could start to build some degree of cooperation and, in time, a foundation for eventually regulating norms and behaviours. A good place to start might be on the potentially most destabilizing and destructive attacks — such as attacking nuclear command and control systems, or global financial infrastructures that could upend markets and economies. If we are not prepared to accept restrictions on our own actions, we can hardly cry foul when others play by the same rules.

In the meantime, until some order or law takes hold in the cyber-Wild West, it’s time for the United States to stop acting surprised and stop posturing. Instead, we must better defend our digital homeland, learn to block and shake off a punch and, when needed, quietly bloody a few noses. We are in for a long fight; the American people deserve to know the nature of it.

(Published 25 December 2020, 04:18 IST)
