War in cyberspace is fully on, and the United States is losing it, according to about two dozen national security experts.
The US military is increasingly adept at mounting cyberattacks in places like Russia and Iran, but America’s computers are almost completely defenceless. Without strong protections, offensive attacks can be invitations for disaster instead of deterrents.
“I believe we are in a declared cyberwar,” said Michael Bayer, a longtime Pentagon adviser who led a recent review of Navy cybersecurity. “It is aimed at the whole of society and the state. I believe we are losing that war.”
Whether the attack is a hack of a Pentagon contractor or misinformation spread on social media, US adversaries are increasingly successful in this ethereal battleground.
US leaders are only slowly realising how much the rules have changed, and the required focus, leadership and strategic thinking remain woefully wanting, critics charge.
“While we have made progress, it would be fair to say we have a long way to go,” said South Dakota Republican Senator Mike Rounds, who chairs the Senate Armed Services Cybersecurity Subcommittee.
The military’s torpid response has been caused by bureaucratic inertia, the political dominance of traditional weapons and military organisations, the distraction of the post-9/11 wars, and a failure to comprehend the cumulative damage and how rapidly warfare is changing.
America’s adversaries have stayed in the so-called “gray zone,” below the level of attacks that would trigger a full-scale US response.
In cyberspace, Bayer compares this to a parasite that constantly saps its host — but not so much as to trigger a full-scale white-blood-cell counterattack.
Republican Mike Gallagher, who co-chairs the Cyberspace Solarium Commission, a bipartisan panel studying competition in the infosphere, is among those calling for a national awareness campaign.
“Ultimately, our success or failure in cyber will come down not to algorithms or technology but to human beings,” said the Wisconsin Republican, who noted that he was not speaking for the commission.
“Everyone who has a cellphone in their pocket is in some ways on the front lines of a geopolitical competition.”
Mounting problem
Information operations and cyberattacks in the gray zone have grown in recent years — in number, sophistication and damage.
China’s 2018 attack on a Navy contractor gave that country access not just to details of a key new anti-ship missile but also to much of what the Navy knows about China’s maritime capabilities.
China has also reportedly stolen data on F-35 fighters, littoral combat ships, anti-missile systems and drones operated by the US military.
The broader US economy has lost more than $1 trillion in intellectual property pilfered in cyberspace, experts say.
Russia has specialised in a massive information warfare campaign to influence US elections by sowing dissent and planting lies in US social media circles. North Korea, Iran and even terrorist groups have shown they, too, can do damage with a few keystrokes.
On June 11, national security adviser John Bolton publicly stated that the US has stepped up its offensive cyber-assaults since last year. The message to America’s adversaries, Bolton said, is “You will pay a price.”
Four days later, The New York Times reported that the United States, in a classified operation, had penetrated Russia’s energy grid with malware that, if triggered, could disrupt Russia’s electrical systems. The Pentagon has said the Times reporting was inaccurate but has not provided any clarification.
Later that month, Yahoo News disclosed that US Cyber Command had hit Iranian military computers after Iran shot down a US drone in the Persian Gulf.
Despite this ramped-up offence, America’s defences lag behind, according to retired Army General Keith Alexander, who headed the National Security Agency and the US Cyber Command.
“I think we are making gradual moves toward that, but I think there needs to be more,” said Alexander, now CEO of cybersecurity firm IronNet. “I believe it’s the government’s responsibility under the Constitution for common defence. Period.”
Without effective cyber-defences, more aggressive overseas operations could come back to bite the United States, experts warn.
“Defence is a necessary foundation for offence,” the Defence Science Board, a Pentagon advisory panel, said in a 2018 report. “Effective offensive cyber capability depends on defensive assurance and resilience of key military and homeland systems.”
Defenceless defence
The Navy cybersecurity review, made public in March, said those defences are severely lacking.
As the Navy prepares to win “some future kinetic battle,” the report said, it is “losing” the current one. Defence contractors “haemorrhage critical data.”
The current situation is the result of a “national miscalculation” about the extent to which the cyber war is upon us, and the vaunted US military’s systems have been “compromised to such (an) extent that their reliability is questionable.”
The US economy, too, will soon lose its status as the world’s strongest if trends do not change, the authors wrote.
The Defence Science Board, meanwhile, has delivered a similar message, recommending in 2017 that a second US military that is truly cyber-secure be created as soon as possible, because the one America has will not necessarily work.
A cyberattack on the military, the science board said, “might result in US guns, missiles, and bombs failing to fire or detonate or being directed against our own troops; or food, water, ammo, and fuel not arriving when or where needed; or the loss of position/navigation ability or other critical warfighter enablers.”
The report chillingly warned that doubts about US defence capabilities due to cyber vulnerabilities could cause a president to more quickly turn to nuclear weapons in a conflict. Kenneth Rapuano, the Pentagon assistant secretary for homeland defence and global security, said the department is trying to implement “as a matter of top priority” the Defence Science Board recommendation to ensure that at least part of the military is at the highest level of cyber preparedness, starting with nuclear weapons.
People power
The battle for cyberspace will hinge on human beings.
Hence the worries about China’s 2014 hacks into the personal information of more than 22 million federal workers, contractors, family and friends in the Office of Personnel Management’s databases. A lack of cyber hygiene by just one employee or subcontractor of the government can be the entryway for a cyber break-in with strategic consequences.
At the Pentagon, auditors have repeatedly found that major weapons have been exposed to cyberattacks because of simple snafus such as a failure to use encryption, two-factor authentication, proper passwords or, in one instance, leaving a room full of servers unlocked.
Meanwhile, the Pentagon and the government as a whole are short on cyber-savvy personnel, who are often lured away to high-paying Silicon Valley firms. As of April, America’s overall cyber workforce is short 314,000 workers, a House Armed Services subcommittee said in a report last month.
Trump and leaders in the Defence Department and Congress have begun to significantly increase their attention to the problem, but their efforts are still dwarfed by the challenge, many observers believe.
Consider how infrequently US leaders talk about cyber issues. On congressional defence committees and even at the Pentagon, cyber is essentially an afterthought compared to weapons hardware and military pay and benefits.
“You wouldn’t even know that cyber is a Top 20 problem,” Bayer said. Measured in dollars, too, cyber does not stack up. Compared with defended spending, unclassified cyber spending across the federal government in the fiscal 2020 budget request amounts to about 2%. — CQ-Roll Call, Inc./TNS
..
