U.S. Cyber Command (CYBERCOM) was elevated to full combatant-command status in May—joining other regional and functional combatant commands such as European Command and Special Operations Command. If the scale and number of cyberattacks against the U.S. is any indication, the move to stand up and empower a command focused on defending America’s swath of cyberspace is long overdue.
Large-scale cyberattacks targeting U.S. citizens, institutions, interests and infrastructure are happening so frequently that it’s nearly impossible to keep track of the onslaught. But here’s a list of some of the worst attacks.
Russia’s interference in the 2016 presidential election was enabled by hacks into the Democratic National Committee’s computer network. As DNI Dan Coats explains, Russia is using cyber-weapons to carry out “hack-and-leak influence operations, distributed denial-of-service attacks, and false flag operations” aimed at “degrading our democratic values and weakening our alliances.”
According to a study conducted for the U.S.-China Economic and Security Review Commission, China’s use of “computer network exploitation activities to support espionage has opened rich veins of previously inaccessible information that can be mined both in support of national-security concerns and, more significantly, for national economic development.” In 2013, information-security firm Mandiant reported that a cyber-force within the People’s Liberation Army (PLA) known as “Unit 61398” is conducting “extensive” computer network operations. “We witnessed them stealing hundreds of terabytes of data from 141 companies,” Mandiant revealed.
Specifically, Beijing has used cyberattacks to infiltrate subcontracting firms and systems related to the development of the F-35 and C-17 Globemaster. Beijing exploited cyberspace to steal “user credentials” for more than 150 NASA employees and gain “full functional control over networks at the Jet Propulsion Laboratory,” according to an investigation conducted by the U.S.-China Economic and Security Review Commission. Unit 61398 launched “spearphishing” attacks—a tactic using email that appears to be from a trusted source to gain access to a target’s computer—against Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel and SolarWorld.
Gen. Keith Alexander, former head of CYBERCOM and NSA, calls China’s cyber-siege of the United States “the largest transfer of wealth in history.”
Equally worrisome, it was revealed in 2015 that China penetrated the Office of Personnel Management and compromised the personal, financial and employment data of 21.5 million Americans. U.S. officials describe it as perhaps “the most devastating cyberattack in our nation’s history.” With Beijing holding all that personal information on current and former federal employees, the worst is yet to come.
Another concern with Chinese cyberattacks stems from the close relationship between the central government and China’s many state-owned enterprises. For example, some U.S. officials suspect telecommunications giant Huawei of placing a “bug, beacon or backdoor” into critical systems that could allow for “a catastrophic and devastating domino effect…throughout our networks,” as one congressman told Foreign Policy magazine.
Alexander worries about the “transition from disruptive to destructive attacks.” For some of America’s allies, that transition has already arrived.
A 2017 cyberattack against Saudi Arabia “hijacked digital controllers” at a petrochemical plant in an effort to trigger an explosion that would have destroyed the facility. It was an act of war—most likely committed by Iran.
In 2015, Ukraine experienced what’s been called “the first blackout caused by a cyberattack,” when eight Ukrainian utilities were hit by a malware attack emanating from Russia. The attack left 80,000 people without power—in the dead of winter. Related attacks crippled the network at Kiev’s main airport. Russia also has employed cyberattacks to augment kinetic military operations against Georgia and Ukraine.
In 2013, North Korea’s “DarkSeoul” attacks wiped the master boot records of 32,000 computers at South Korea’s largest banks and broadcasting companies. “The true intention of the DarkSeoul adversaries,” according to McAfee, was to “disrupt South Korea’s military and government activities.”
In 2012, Iran’s Shamoon computer virus destroyed 30,000 computers linked to the Saudi oil industry.
In 2007, Russian cyberattacks cut off Estonia from the world—hacking the websites of the president, prime minister, parliament and foreign ministry; crippling Estonia’s communications infrastructure; and disabling the mobile-phone network, the 911 equivalent and the country’s largest bank. After “Web War I,” Ene Ergma, head of the Estonian parliament, wearily explained, “Cyberwar doesn’t make you bleed. But it can destroy everything.”
Add it all up, and it’s no wonder why Coats describes the cyber threat as “one of my greatest concerns” and concludes that “the United States is under attack…by entities that are using cyber to penetrate virtually every major action that takes place in the United States.”
That brings us back to CYBERCOM and the defense of America’s interests in cyberspace. The American military understands that cyberspace must be defended just as land, sea and sky are defended. The American people and their elected officials are only now beginning to grasp this.
The challenge for Congress and the president in developing doctrines to defend America’s swath of cyberspace is balancing liberty and security. Unlike the territories, airspace, waterways and shorelines of the real world—with clearly defined borders and walls, checkpoints, tanks, ships, planes, and minefields to protect and preserve those borders—the Internet was designed expressly for openness and the free flow of information. This has been beneficial for liberty. The borderless, global, connected nature of the Internet has brought unprecedented levels of information and commercial exchange, contributed enormous gains to individual prosperity, empowered individuals, bypassed governments, and promoted and expanded individual freedom. But security was not part of the calculus in development of cyberspace, and we are now dealing with the consequences.
“Without a robust level of security,” concludes a Fraser Institute report, “the benefits of the extended liberty provided by the Internet would dry up.”
It may seem counterintuitive, but liberty and security are connected. Liberty rests on a foundation of security and order. Without a substructure of order—rules of the road, norms of behavior, and institutions and entities that enforce those rules and norms—liberty devolves into anarchy and survival of the fittest or meanest or worst. And that’s where these disparate cyber-assaults could take us.
“Overemphasizing security can restrict freedom and stifle entrepreneurial potential,” the Fraser report explains. “Conversely, cyber-liberty without an appreciation of cyber-security presents rising commercial and governmental costs as well as unacceptable threats to national security.”
The choice is not only liberty or only security. Rather, it’s a balancing act between the two. As Reagan counseled decades before the first email was sent, our mission in cyberspace should be “the ultimate in individual freedom consistent with law and order.”
Although some disagree, concepts like deterrence and military-to-military signaling can be adapted to cyberspace—just as they were when man first put to sea and took to the sky. “If we apply the principles of warfare to the cyber domain, as we do to sea, air and land,” argues Gen. James Cartwright, former vice-chairman of the Joint Chiefs of Staff, “we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary to deter actions detrimental to our interests.” Toward that end, Cartwright suggests that Washington may have “to do something that’s illustrative” in cyberspace to communicate U.S. seriousness.
Two examples of “illustrative” U.S. cyber-operations are the Stuxnet virus deployed against Iran’s nuclear program and the left-of-launch cyber-campaign against North Korea’s missile program. Stuxnet became the first major cyberattack “used to effect physical destruction,” as former CIA director Michael Hayden has explained. According to Ralph Langner, an expert in industrial computer systems, Stuxnet “was as effective as a military strike,” setting Iran’s nuclear program back years. Likewise, the cyber-targeting of North Korea’s missile and rocket enterprise has apparently contributed to numerous launch failures since 2014.
That’s the good news. The bad news, critics warn, is that if cyber-smart bombs can be deployed against America’s enemies, they can be deployed against America’s highly networked military and civilian infrastructure. This ignores two important realities. First, our enemies are already working on cyber-weapons and employing them against the U.S. Second, the U.S. develops weapons to defend itself. Sometimes this is achieved by the mere existence of a weapons system. At other times, defending the nation depends on deploying those weapons.
One gets the sense that Cartwright would recommend “something that’s illustrative” tailored to Russia and China. Regardless of when Washington finally decides to fire a cyber-shot across the bow of Beijing or Moscow, policymakers need to put hostile regimes and non-state actors on notice that the U.S. will make no distinction between kinetic attacks and cyberattacks on America’s interests and infrastructure.
The template is President Trump’s warning about attacks on U.S. space assets: “Any harmful interference with or an attack upon critical components of our space architecture that directly affects this vital U.S. interest,” the president declared in 2017, “will be met with a deliberate response at a time, place, manner and domain of our choosing.” A similar statement about America’s cyberspace assets and interests would assist warfighters in their deterrence mission. (Russian military officials, it’s worth noting, argue that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”)
However, because some enemies cannot be deterred—and because the line separating the virtual world of code from the real world of blood remains blurry—resilience is key in the Cyber Age.
To defend America in the Cyber Age, policymakers should borrow a page or two from the early days of the Atomic Age. The atomic bomb changed the calculus, costs and consequences of great-power conflict. So, Washington built a military that could fight and win in an era of nukes and ICBMs; formed a web of alliances to deter war; made it clear that the U.S. would respond with “massive retaliation” in the event of war; and developed continuity-of-government plans to ensure the resiliency and survival of the republic. President Dwight Eisenhower, for instance, cited continuity of government, civil defense and national security in rallying support for the interstate highway system: “In case of an atomic attack on our key cities, the road net must permit quick evacuation of target areas, mobilization of defense forces and maintenance of every essential economic function.”
Washington should forge a cyber-defense doctrine that will protect the nation’s critical infrastructure, prepare for worst-case scenarios, deter catastrophic cyberattacks, enable government and industry to survive low-grade cyberattacks, and empower the military to respond in kind. CYBERCOM postures the U.S. to do just that.
Finally, Washington should develop new redundancies—and dust off old ones—that don’t depend on cyberspace. Key Russian government agencies, for example, are using typewriters to prevent the loss of secrets via cyber-hacking. It pays to recall that not long ago, Washington delivered essential services and defended America without the Internet.