The United States is frighteningly unprepared for modern-day cyber warfare. While we focus on hot button security risks such as ISIS and domestic terrorism, we let the overwhelming threat of cyberwarfare remain a lesser priority. That’s a mistake. While cyber threats may pose less of an immediately visible impact, they are a severe long-term threat.
As the new presidential administration prepares to take office and explores ways to bolster our nation’s defenses, cybersecurity should be a top priority. If the U.S. doesn’t soon make a serious effort to increase our capabilities on the cyber-battlefield — both offensive and defensive — we may be too late.
A new Cold War, with fewer deterrents
One reason cyberwar is so dangerous is that the nuclear deterrent of Mutually Assured Destruction (MAD) is not nearly as effective in the digital world. Attacks take time to trace, and often cannot be traced with 100 percent certainty. Would we retaliate against a suspected perpetrator if we had doubts about their guilt?
Also, the U.S. would have to come up with a protocol for how to handle attacks perpetrated by non-state actors, often falling under the category of “hacktivists.” If a rogue individual wants to wreak havoc through a mass disruption of U.S. systems, what is an ethical and effective retaliation against them?
These questions illustrate how the old MAD concept is murkier when applied to the cybersecurity realm.
Additionally, not all nations are as dependent on online connectedness as the United States. While much of our economy, transportation system, and sensitive personal information can be attacked virtually, the benefits of MAD may actually outweigh the costs for a country that is not as connected as we are. While we could threaten to retaliate against a country like North Korea or Iran, for example, they obviously do not have as much at stake. For this reason, many countries would not be deterred by the possibility of a counterattack, figuring that the U.S. has a lot more to lose.
The opening shots in this war were fired back in 2008
Concerns about state-sponsored attacks are more than just hypothetical; they have been occurring for many years. While interference in the 2016 elections garnered more publicity than many past attacks, state actors have been hacking political campaigns since the 2008 election, when successful hacking efforts against both the Obama and McCain campaigns were eventually traced back to China, apparently with an intent to spy on internal documents detailing the candidates’ private foreign policy stances.
In 2016, though, the attacks got a lot more personal. Over the summer, hackers believed to be associated with the Russian government broke into the Democratic National Committee with what seems to be a clear intent to gain information that could influence public opinion. Additionally, the FBI disclosed that Russian hackers appeared to infiltrate voter registration systems in Arizona and Illinois. Although it appears they did not make any alterations to those systems, the infiltration alone is a severe and troubling violation of the internal U.S. election process.
The fact that foreign governments have the ability to meddle in our elections should be threatening enough to kick us into gear. Our democracy is sacred and should be immune to outside influence from foreign actors. The size, scale, and magnitude of attacks during this election cycle speaks volumes about our underpreparedness.
We should have predicted cybersecurity threats from foreign actors and domestic “hacktivists,” but we did not have the tools to stop them. The United States has clearly grossly underestimated and underinvested in the cybersecurity threat.
Time for action — the price of doing nothing is too high
Perhaps the one bright spot in the recent past is that Americans are starting to understand the dangers of weak cybersecurity infrastructure. In a 2016 Gallup poll, 73 percent of respondents said they believe “cyberterrorism,” the use of computers to cause disruption or fear in society, is a critical threat to U.S. interests. This is even more telling considering that in 2015, cyberterrorism didn’t even make the list of the top eight threats.
The U.S. government is starting to act as well, if the proposed 2017 federal budget is any indication. Strengthening cybersecurity and securing the digital economy are key initiatives highlighted in the national security section of the budget, with $19 billion earmarked for implementing President Obama’s Cybersecurity National Action Plan. That figure represents a 35 percent increase over the 2016 budget.
While that uptick is certainly a positive sign, it actually looks quite dismal when viewed in the context of our total defense budget. With a $582 billion budget for the Department of Defense, $19 billion seems puny — almost like a rounding error. After all, a lot of the damage that used to be done via physical attacks — taking out infrastructure, cutting off transportation, shutting down the power grid, etc. — can now be done virtually.
We have to throw more than money at this problem
Although our defense budget should reflect our new reality, money alone will not solve our problems. Catching up to our competitors will require close collaboration between the public and private sectors. That collaboration should involve more than just the occasional testimony at a congressional hearing.
With the close cooperation and involvement of private sector leaders, the U.S. government should be at the helm of establishing cybersecurity standards and policies for protection. The private sector must then take an active role in coming up with creative tools to help implement those standards.
One of the most obvious and least costly actions the U.S. government can take is the “name and shame” approach, where the perpetrator is named and the attack is viewed in the same light as a physical attack would be viewed. The government has shown some reluctance to do so in the past but is moving in this direction. While it did not immediately accuse Russia of being behind the Democratic National Committee attacks, the Department of Homeland Security did eventually come out and make a formal accusation.
We also need a strong commitment to updating outdated systems across government agencies that don’t have strong enough defense mechanisms against cyberattacks. As we move toward a more automated world, the growing potential costs make proactive investment in cybersecurity seem like a relative bargain.
The potential costs of hackers penetrating our security systems is enormous. After the notorious hack of the U.S. government’s Office of Personnel Management website, the federal government expects to pay $329 million through 2018 for data breach recovery services, and that doesn’t include other potential lifelong costs that are currently being negotiated.
Bracing for the new digital front
Whether or not the U.S. government steps up its investment in cybersecurity as the next frontier for war, I have no doubt China and Russia will. For a country that leads the world in defense spending, the fact that we don’t also lead the world on this new frontier could be a costly mistake.