America is already fighting in cyberspace. Look for more, not fewer, engagements in the years ahead. But the Pentagon should worry less about a cyber Pearl Harbor and more about losing the daily slog in the cyber-trenches.
The cyber threat is a serious national security issue. Indeed, it’s a virtual jungle out there. Our online enemies are legion, but they are not created equal. Among the ranks of our cyber competitors, China and Russia stand out as superpowers.
This is not to say that even very weak states pose no danger. History is filled with examples of Davids laying low the most powerful Goliaths. Don’t believe for a moment that states like Iran or Syria can’t pull off the cyber equivalent of a stone to the temple.
Indeed, both have already loosed cyber-raiding parties. Most recently, as President Obama was threatening punitive strikes against Syria, media reports reveal that the Syrian Electronic Army successfully hacked the New York Times, Twitter and the U.S. Marine Corps website.
Nor are all threats state-sponsored. Some countries do a terrible job of policing bad actors in their cyberspace. Pakistan, for example, is emerging as a hub of cybercrime. This can magnify international tensions. For example, Pakistani hacker groups attacked Indian websites during the height of the 2011 Kashmir crisis.
Nonstate actors are serious players in cyberspace — for good and ill. So far, most of the malicious activity from private-sector hackers has been geared to accumulate wealth, not to wage war on America. Even terrorist groups use the Internet primarily to facilitate communications and financing rather than to slaughter innocents directly.
Obviously, the United States has some very big cyber guns at its disposal. Just how big remains largely classified. But revelations from the likes of Pfc. Bradley Manning and former National Security Agency contractor Edward Snowden give us some idea. An unclassified, inside summary of our cyber capabilities would sound like: “The U.S. can do things nobody else in the world can do.” The unfortunate corollary is: “And we can’t defend against everything we can do.”
Still, it’s premature to head to the bunker. There’s a “mutual assured destruction” aspect to the Internet: If it were taken down, all sides would lose.
Further, the Web is likely to endure most any cyber conflict (absent taking out the underlying physical infrastructure including the power grid and undersea cables). It has already proved far more resilient than commonly assumed. Think of 2009’s Green Revolution in Iran. Despite that nation’s limited infrastructure, spirited denial-of-service attacks from both sides, and an insatiable global demand for information, the Internet held up well. Or go back further, to Sept. 11. A National Academies study concluded that the Web proved fairly resilient despite the destruction to telecommunications in Manhattan and a tsunami-like surge in Internet traffic.
But the military must also worry about cyber conflict at the sharp end of war. Today’s military commander must have an understanding of his cyber footprint that is every bit as sophisticated as his knowledge of the terrain, the forces at his disposal and the makeup of the enemy.
Maintaining “retail” cyber is much more difficult in military operations than in civilian life. War zones seldom offer Starbucks with Wi-Fi. Nor are cyber operations just an extension of traditional electronic warfare (like jamming). A commander, for example, might be supporting a humanitarian operation where the tasks are quite different from, say, taking an enemy offline.
Moreover, the military can’t just buy secure, classified systems for every need. For starters, that’s too expensive. And, it would limit engagement with nonsecure folks in their area of operation. Plus, if a very expensive “secure” network becomes comprised, the fallout is usually far worse because the communications have been less guarded.
Of course, off-the-shelf commercial technology can’t provide a competitive advantage. The bad guys can buy iPhones too.
What all the services need on the front end is software that provides “visualization” of the enemy’s cyber footprints, analytical tools that help them identify the most critical information gathered, and people skilled at interpreting and acting on the information.
In today’s White House, the only answer to “How much is enough for defense?” is “less.” That leaves the services wondering how they can possibly build the infrastructure and amass the human capital needed to give our side a real edge on the cyber battlefields of the future.
The slower we move ahead in this arena, the faster our competitors can catch and surpass us. Our military may not face an online Pearl Harbor, but it could well have a couple of electronic Alamos.
James Jay Carafano is vice president for foreign and defense policy studies at the Heritage Foundation. He is the author of Wiki at War: Conflict in a Socially Networked World.