What is it that worries U.S. spymasters most these days? My bet is that it is America’s cyber security, or lack of it perhaps.
The anxiety is more than justified given the increasing sophistication and frequency of cyber attacks on U.S. government bodies, organizations and companies.
But attempts to build a digital Fortress America will prove futile unless the United States reaches out to other major powers in creating the rulebook on the use of cyber force and coordinates its response to cyber terrorism.
“We face new and unpredictable cyber threats” that pose an “increasing risk to U.S. critical infrastructure,” Director of National Intelligence (DNI) James Clapper warns in “Worldwide Threat Assessment of the U.S. Intelligence Community,” which he recently presented to the Senate Intelligence Committee.
And while “advanced cyber actors — such as Russia and China — are unlikely to launch a devastating attack against the United States … less advanced but highly motivated actors could access some poorly protected U.S. networks that control core functions” to stage attacks that might have unforeseen, cascading consequences, according to the report.
Cyber attacks top the hierarchy of global threats outlined in the DNI assessment for a good reason. (By way of comparison, Russia’s nuclear arsenal, once deemed America’s foremost threat, is not mentioned until the end of the report.)
America’s successes in dismantling Al-Qaeda and the implosion of the Soviet empire have significantly lowered the likelihood of either direct military action or large-scale terrorist attacks on U.S. soil.
But that’s in the offline world. Digitally, America is under attack.
The number of online attacks on U.S. infrastructure increased by 17 times between 2009 and 2011, according to National Security Agency director Gen. Keith Alexander, who is incidentally also head of U.S. Cyber Command.
Web-based crime incurs annual costs of $114 billion to U.S. companies, Alexander said last year.
Countries identified by Washington as sources of the frequent attacks against the United States are no less vulnerable to such threats.
The government and research organizations in Russia were prime targets of sophisticated espionage efforts carried out throughout the former Soviet Union and beyond over a five-year period until they were discovered by Kaspersky Lab. The Moscow-based company disclosed its finding of the data-mining operation, which it dubbed “Operation Red October,” in January 2013.
The Chinese Defense Ministry disclosed in February that a monthly average of 144,000 cyberattacks was staged against its own website and the China Military Online site in 2012.
The ministry claimed that almost two-thirds of these attacks originated from IP addresses in the United States.
Meanwhile, U.S. intelligence points to China as the starting place for the most aggressive and numerous attempts at breaching U.S. cyber security. Elements based in Russia, Iran and other countries are identified as less active cyber intruders.
Going by information in the open domain, they’re not even in the same league as the creators of the Stuxnet worm and Flame malware that disrupted and spied on Iran’s nuclear program respectively.
It’s no wonder major powers are beefing up their cyber capabilities.
The U.S. government is said to be planning to more than quadruple the size of Alexander’s Cyber Command, which is already 900 people strong. The reinforcements will include 13 teams of specialists that would be tasked with conducting offensive operations, according to America’s cyber commander-in-chief.
Others are following suit.
Russian Defense Minister Sergei Shoigu earlier this year ordered the General Staff to draft a proposal for the establishment of a Cyber Command within six months.
But do these reinforcements herald the beginning of a cyber arms race? Hopefully, they do not.
It was not until the U.S. and Russia had realized the futility of the atomic arms race that they got serious about nuclear weapons control. The hope is that world leaders will start working on an international framework to regulate the use of force and counterforce in cyber space _ preferably under the auspices of the United Nations _ before the virtual arms race becomes a reality.
An even more pressing priority will be thinking of effective responses to cyber threats posed by non-state actors to key national assets, such as critical infrastructure and weapons of mass destruction (WMD). When doing so, it is important to steer clear of anything that would allow authoritarian regimes to refer to international law when justifying restrictions on cyber liberties.
A number of top U.S. officials have confessed to feelings of horror at the prospect of terrorists acquiring weapons of mass destruction. (George Tenet, Robert Gates, Michele Flournoy have admitted that this threat kept them awake at night during their tenures as DNI, Secretary of Defense and Undersecretary of Defense respectively).
Cyber terrorism and WMD terrorism coming together would present the ultimate nightmare, especially given how difficult it is to deter either of these threats.
As my respected colleague Joseph Nye has warned when making a case for international cooperation against cyber terrorists and criminals: “The bad news is that cyber technology gives much more power to non-state actors than does nuclear technology, and the threats such actors pose are likely to increase.”
The prospect of cyber terrorists seizing control of nuclear weapons may seem unfathomable to many. But it appeared credible enough to U.S. senators who asked Alexander’s boss and chief of U.S. Strategic Command, Robert Kehler, to find out whether other nuclear powers are able to defend their nuclear weapons from cyber attacks.
In his March 12 testimony before the Senate, Kehler assured legislators that “we do evaluate” the potential for a cyber-related attack on U.S. nuclear command and control systems.
But are the digital defenses of America’s nuclear weapons fully bullet-proof? A January report on cyber threats published by the Pentagon's Defense Science Board states that “most of the systems” of the U.S. nuclear deterrent “have not been assessed (end-to-end) against (sophisticated) cyber attack to understand possible weak spots.”
In one incident in 2010, the U.S. Air Force lost contact with 50 intercontinental ballistic missiles. That event prompted generals to pause and think whether what had happened as result of an accident could be repeated by cyber terrorists.
All responsible nations should act to harden their cyber defenses and to cooperate in ensuring that weapons of mass destruction cannot become offensive tools wielded against them by digital terrorists.
There is simply no alternative to the collective approach in today’s world, which New York Times columnist Thomas Friedman has described as “hyperconnected” at least 13 times in the past two years.
Simon Saradzhyan is a researcher at Harvard Kennedy School's Belfer Center. His research interests include international security, arms control,
counter-terrorism as well as political affairs in post-Soviet states and their relations with major outside powers. Prior to joining the Belfer Center in 2008 Saradzhyan had worked as deputy editor of the Moscow Times and a consultant for the United Nations and World Bank. Saradzhyan holds a graduate degree from the Harvard University.
The views expressed in this column are the author’s alone.
View From the Global Tank: Russia Needs to Develop Eastern Provinces as China Rises
View From the Global Tank: A Chinese Silver Bullet for North Korea’s Nuclear Program?
View From the Global Tank: Russia Can Shoulder Obama’s Challenges - After a BMD Deal
