After land, sea, air and space, warfare has entered the fifth domain: cyberspace.
—MATT MURPHY, THE ECONOMIST, JULY 1, 2010
Patrick Shanahan is the man who manages the giant corporation that is the Pentagon. In that building and in U.S. military units around the world, the former Boeing executive, known in the airplane company as “Mr. Fix-it,” served through most of 2018 as DEPSECDEF, the Deputy Secretary of Defense, until he was named Acting Secretary at the end of 2018. In May 2018, he announced the Trump administration’s intentions toward the fifth domain: “The Department of Defense will ensure our military is ready to fight and win against any adversary, dominating the cyber domain.”
Dominate the domain: that is how the Pentagon thinks about cyberspace. Four months after Shanahan offered that simple guidance, the Defense Department elaborated in the 2018 DoD Cyber Strategy:
The Department must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests. Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia. . . . We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.
That statement followed the release a few days earlier of the White House’s National Cyber Strategy (the first since that rather good one issued in 2003), and National Security Presidential Memorandum (NSPM) 13, a classified directive that devolved decision-making on cyber operations to the Pentagon. (President Obama had reined in cyber operations in the wake of Stuxnet by issuing PPD-20, which reportedly required the President to approve significant cyber-offensive actions.)
Critics of the new Pentagon plan to dominate the domain predicted that it made conflict in cyberspace more likely by suggesting that the U.S. military would be taking action on a daily basis to disrupt cyber activity without an armed conflict serving as justification for doing so. Pentagon officials countered that the strategy simply recognized the reality that there is already a daily competition in cyberspace with Russia, China, and others, even in the absence of a declared war. By engaging more vigorously against Russian and Chinese cyber units, the Pentagon believes it can eventually create stability in cyberspace.
Can an organization designed for war contribute to the lowering of tensions and a reduction in the likelihood of conflict? That is the question this chapter addresses. More specifically, we ask: How can the U.S. military contribute to limiting or preventing cyber war? How can the military reduce the possibility of crisis instability and rapid escalation of fighting? Some of what it needs to do may seem counterintuitive. It needs to get better at cyber war, both defensive and offensive.
The nuclear forces of the United States and the Soviet Union (later Russia) helped to prevent those two countries from engaging in direct military conflict for more than seven decades. The mere existence of those nuclear weapons did not prevent the third world war. It was the way in which those weapons were combined with diplomacy, strategy, and arms control.
Despite leaders calling for the elimination of nuclear weapons for decades, the arms continue to exist in the thousands. So too, however, does a form of global peace. It is a peace filled with tensions, competitions, and low-level conflict that may not seem like a desirable condition. Yet compared to the world wars of the twentieth century, the way in which arms control, strategy, and diplomacy were combined to prevent global conflict was a success. Now that long absence of global war among superpowers is threatened by the emergence of a new kind of weapon in a new domain, cyberspace.
Mishandled, cyber weapons could trigger a larger conflict of the kind we have successfully struggled to avoid. Indeed, the current level of U.S. cyber-defensive and cyber-offensive capabilities combined with those of potential opponents is creating a situation of high risk, of instability. America’s weak cyber defenses may invite a potential adversary to engage in cyberattacks, and America’s response to that may spin tensions out of control into a wider war.
Thus far, military strategists and diplomats have failed to develop the combination of weapons, policies, and arms-control measures to deal with the threat to global stability created by cyber weapons. In this and the next chapter, we suggest the ways they might do so. This chapter addresses what the military should do to contribute to cyber stability, or cyber peace.
Pentagon officials had traditionally talked in terms of four domains, or spheres of potential combat: ground, sea, air, and outer space. Over a decade ago, with the advent of U.S. Cyber Command, defense officials added a fifth domain of potential combat to their list: cyberspace. U.S. Cyber Command is a joint organization, meaning it is composed of Army, Navy, Air Force, and Marine components. Its mission, in the language of the Pentagon, is to achieve dominance in that domain.
Dominance in cyberspace is not, according to the Pentagon, something that occurs only in a war. If U.S. cyber capabilities, both offensive and defensive, are obviously adequate and, indeed, superior to any threat, dominance can occur in peacetime. That, at least, is the theory and the goal the U.S. military has set out for itself. So far, the U.S. has not achieved dominance in the fifth domain. Indeed, it is far from it, and that, arguably, increases instability. Instability can lead to war.
How, specifically, can the U.S. military lower tensions, avoid crisis instability, and deter or prevent a major cyber war? In the most basic terms, we think the U.S. military should be capable of defending itself so well in cyberspace that it could perform its conventional (or, in the extreme case, nuclear) military operations without significant degradation from cyberattacks, and thereby deter enemy activity. It should combine that defensive cyber capability with the ability to achieve rapid dominance over an enemy, in part by using cyber weapons in the early stages of conflict to limit and bring a quick end to fighting.
While that all sounds good as a goal, it has proven difficult to achieve. The Pentagon’s 2018 strategy has five stated objectives (see endnote on this page). We would slightly reformulate them into five distinct missions: 1) defending the military’s own networks; 2) protecting the corporations that make our weapons and that form the defense industrial base (DIB); 3) ensuring the integrity of U.S. weapons once they are deployed; 4) guarding the private-sector infrastructure that the military needs to do its job; and 5) being ready to go on the offensive to degrade potential enemies’ militaries in part through cyber operations.
How is the U.S. military doing at those five missions today? We have found in our teaching and in our consulting that often the best way to drive home a message is to have people envision and “live” a near-future situation that tests them and their systems. This technique is similar to a new boss asking his organization, “How well would we really do today if this happened?” The “this” for our purposes is a political-military crisis leading to a regional war. The best way to think about how the DoD and Cyber Command are doing at cybersecurity is to ask how they would do if excrement hit that ceiling fan right now.
Borrowing a phrase from the military, we call these imagined scenario developments tabletop exercises (TTXs). We have run these learning simulations for graduate students, corporate CEOs, and for U.S. national security Cabinet members. Let’s answer the question about how well the U.S. military is doing on its five primary cyber missions by envisioning a near-term political-military crisis.
Perhaps the most likely international crisis that might erupt this year or next is a conflict between Iran and Israel. What follows is a scenario of how such a crisis could evolve and our assessment of how the U.S. military’s current cyber capabilities might perform.
TEL AVIV, 10 NOVEMBER 2019
The air-raid sirens sounded at 0200. Israelis awoke and ran to bomb shelters throughout the country. The hundreds of rockets and missiles that hit the country were launched from hidden sites in both Lebanon and Syria. The strikes hit air bases, Ben Gurion Airport, the Defense Ministry complex in Tel Aviv, electric power stations, and the ports of Haifa and Ashdod. Although Israel’s antimissile defenses intercepted scores of incoming warheads, because of the high number of simultaneous attacks, many rockets and missiles got through to their targets. The damage was significant.
The attacks launched by Iran and its allied militias in Lebanon and Syria were themselves retaliation for a large-scale Israeli airstrike on pro-Iranian forces in Syria three days earlier. A second wave of rockets and missiles hit Israel at 0400. The Israeli Air Force reported to the Defense Minister that it was having difficulty launching fighters to hunt down the mobile missile launchers. Damage levels at some air bases were critical, with squadrons of F-16s incapacitated. Drones launched from Lebanon and Syria had dived into Israeli missile defense radars, blinding some of the Arrow, Iron Dome, and Patriot antimissile batteries.
As dawn rose over Jerusalem, the Israeli Prime Minister called the U.S. President. Reluctantly, he asked for immediate U.S. assistance. Specifically, he asked for an airlift of critical weapons and key components to replace some of the inventory that had been destroyed. He also requested that U.S. Navy antimissile destroyers be deployed off Israel’s coast to augment the nation’s overwhelmed defenses, and U.S. F-35 fighter-bombers be deployed for joint strikes on the mobile rocket and missile launchers. The President agreed immediately and directed the Pentagon to assist. He also ordered a cyberattack on the missile launchers and their command-and-control system, including mobile missile launchers in Iran that had not yet been used to attack Israel.
Within an hour of the Prime Minister’s call, two U.S. Navy Aegis destroyers near Spain swung about and moved at flank speed east through the Mediterranean. At Defense Logistics Agency (DLA) supply depots throughout the eastern seaboard of the United States, train cars were filled with pallets and prepared to move cargo to U.S. air bases. C-17 aircraft were being readied for a massive airlift reminiscent of the U.S. operation to support Israel in the 1973 Arab-Israeli War. The long protective arm of the United States was once again getting ready to reach out to shield a beleaguered Israel that had surprisingly found itself overwhelmed.
WASHINGTON, 12 NOVEMBER 2019
The President was furious. His wrath was like an energy wave flowing down the video-conference line from the White House Situation Room to the Pentagon’s National Military Command Center. Rockets and missiles continued to pound Israel. The Chairman of the Joint Chiefs of Staff had just told the President over the video link that the two Aegis destroyers were still disabled, their propulsion systems off-line and damaged. Tugs were en route to tow them to port in Italy. Norfolk Southern Railroad derailments in Virginia and South Carolina were still preventing trains with critical cargoes from reaching air bases. Power blackouts in the mid-Atlantic states had plunged McGuire Air Force Base in New Jersey and Dover Air Force Base in Delaware into darkness. Back-up generators at the bases did not work. The DLA reported that its attempts at mounting backup databases had failed, following the wiper attack on its inventory supply system.
A few U.S. Air Force F-35s had landed in Israel, but on their first combat sorties from Ramat David Air Force Base, all four U.S. aircraft had sustained radar system failures and returned to base, landing amid a hail of incoming missiles. In Huntsville, Alabama, the Raytheon Corporation was assessing the damage from an explosion and fire that had engulfed its Patriot missile production line. It was unable to ship spare parts. On the offensive side, U.S. Cyber Command reported that it believed it could penetrate and disrupt the missile force in Iran in a week to ten days. It had never studied how to penetrate the Iranian-controlled launchers in Syria and Lebanon. That would take longer.
It had been fifty-five critical hours since the President had ordered the Pentagon to help Israel and almost no assistance had arrived. Turning red in the face and sputtering at the large flat-screen showing the Pentagon leadership, the President demanded to know why.
From another screen on the wall of the Situation Room teleconference facility, the Director of National Intelligence spoke up, filling the silence coming from the Defense Department. “Sir, we assess that Iran has launched cyberattacks to degrade our operations in support of Israel.” Sitting next to the President in the Situation Room, the National Security Adviser mumbled, “No shit, Sherlock.”
“Well,” the President said, turning on his adviser, “what do you suggest we do now?”
“It’s very clear, Mr. President. Iran has stymied our assistance to Israel with cyberattacks. We must now escalate. Commence conventional attacks on Iran. B-2 bombers and the aircraft carriers must strike them tonight.”
Without a moment’s thought, the President turned to the Secretary of Defense. “Do it. Begin bombing Iran.”
Incredible fiction? We think not. We believe that were there a “kinetic,” or conventional, war today in which U.S. forces were opposed by Iran, Russia, China, or even to some extent North Korea, the Defense Department would be hampered in the execution of its operations and largely unable to conduct significant offensive cyber operations against enemy military targets.
In this scenario, the United States faced off against Iran and lost, at least in the first round. In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyber-war offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace. To see why we make that claim, let’s look at each of the five cyber missions we think the Pentagon should undertake and see what a mid-tier power like Iran could do to us.
In our scenario, the DoD failed in its first cyber mission, to protect its own network. Hackers penetrated the Defense Logistics Agency’s unclassified network and erased all software, including the contents of a backup file, using a wiper hack that turns computers into useless pieces of metal by eliminating all of the data on them. In the real world, Iran did penetrate the U.S. Navy’s unclassified computer network in 2013 and was able to remain there for years even after its presence was discovered, despite intense efforts to eject the Iranian presence. Iran has also successfully used wiper hacks, including an attack against the world’s largest oil company, Saudi Aramco.
Cybersecurity experts have been warning companies that ransomware attackers are going after database backups, encrypting or corrupting them, so that when network operators attempt to activate their business continuity systems they find that the backup is inoperable too. The same technique could be used to plant a wiper program in the backup itself, one that activates once the backup is restored and put into use, destroying all files, operating systems, and applications on the network.
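The check a practitioner would want against that attack is to verify a backup against integrity data the intruder cannot reach before any restore job runs it. What follows is an added example, not code from the book or from any DLA or DoD system: a manifest of per-file hashes is signed with an HMAC key held offline (on a hardware token or in a vault the backup server cannot read), and the restore is refused when the manifest fails to verify, when a listed file has changed, or when a file the manifest never listed (a planted wiper) appears. The archive contents, paths and key below are constructed sample data.

```python
"""
Verify a backup archive against an out-of-band, HMAC-signed manifest
before restoring it.  Added example, not from the book.  The archive is
modelled as a dict of path -> bytes (constructed sample data); the
signing key is assumed to live offline, never on the backup host.
"""
import hashlib
import hmac
import json


def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file at backup time and sign the sorted listing.

    Only the holder of `key` can produce a manifest that later verifies,
    so an intruder who can rewrite the archive cannot also rewrite the
    manifest to match.
    """
    digests = {path: hashlib.sha256(data).hexdigest()
               for path, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "hmac": tag}


def verify_backup(files: dict, manifest: dict, key: bytes) -> list:
    """Return a sorted list of problems; an empty list means safe to restore."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time compare: the manifest itself may have been re-signed by
    # an attacker guessing the key.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest signature invalid"]

    problems = []
    for path, digest in manifest["files"].items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            problems.append(f"modified: {path}")
    # Anything not in the manifest was added after the backup was taken:
    # exactly where a wiper waiting for the restore would sit.
    for path in files:
        if path not in manifest["files"]:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# --- constructed sample data (hypothetical paths and key) ------------------
OFFLINE_KEY = b"held-on-a-token-not-on-the-backup-server"

CLEAN_BACKUP = {
    "db/inventory.sql": b"CREATE TABLE depot(...);\nINSERT INTO depot VALUES (1, 'pallet');\n",
    "scripts/restore.sh": b"#!/bin/sh\npg_restore db/inventory.sql\n",
}
MANIFEST = build_manifest(CLEAN_BACKUP, OFFLINE_KEY)

# Intruder modifies the restore script to launch a planted binary, so the
# wiper fires the moment operators fall back to the backup.
TAMPERED_BACKUP = dict(CLEAN_BACKUP)
TAMPERED_BACKUP["scripts/restore.sh"] = (
    b"#!/bin/sh\n./bin/svc_update.exe\npg_restore db/inventory.sql\n")
TAMPERED_BACKUP["bin/svc_update.exe"] = b"MZ\x90\x00...wiper..."

# Same intruder also tries to re-sign the manifest without the offline key.
FORGED_MANIFEST = build_manifest(TAMPERED_BACKUP, b"wrong-key-guess")


def demo() -> dict:
    """Run the three checks a restore job would perform and return the verdicts."""
    return {
        "clean": verify_backup(CLEAN_BACKUP, MANIFEST, OFFLINE_KEY),
        "tampered_archive": verify_backup(TAMPERED_BACKUP, MANIFEST, OFFLINE_KEY),
        "forged_manifest": verify_backup(TAMPERED_BACKUP, FORGED_MANIFEST, OFFLINE_KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'OK to restore' if not verdict else verdict}")
```

The design point is that the manifest and its key must be kept where the backup host, and therefore an intruder on it, cannot write: a signed hash list stored beside the archive on the same server would be rewritten along with the archive. Running the restore scripts only after this check passes, on an isolated host, is what turns a poisoned backup from a second outage into a detected intrusion.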
It is not just the DoD’s unclassified networks that are at risk. Russia was able in 2008 to gain access to the Pentagon’s secret-level SIPRNet system. North Korea succeeded in 2016 in stealing from a classified network the U.S.–South Korean combined operations plan to attack the North and kill its leadership.
American military officials operate today on the assumption that their unclassified and secret-level systems have been compromised and may not be available to them or be reliable in a crisis. They hope that the top-secret-level Joint Worldwide Intelligence Communications System (JWICS) network is secure, but know that it is a high-priority target of many nations’ hackers.
As we noted in chapter 2, even the National Security Agency, which is part of the Defense Department, has been unable to protect its own network. Its top-secret files have been stolen by and from employees of NSA contractors such as Booz Allen Hamilton. If the NSA, the home of U.S. government cybersecurity expertise, has its information systems compromised, it is highly likely that the same or worse is happening elsewhere in the DoD.
In our scenario, the DoD was also unable to perform its cyber mission of protecting its own weapons systems. The engines of the two disabled U.S. Navy antimissile destroyers became casualties as a result of a cyberattack on the ships’ propulsion system controls.
The reality may actually be worse than our scenario. In October 2018, the Government Accountability Office issued a scathing report on the cybersecurity of U.S. weapons systems, claiming that an enemy could easily hack into and disable (or take control of) many of the country’s newest weapons. Although a distinguished Defense Science Board review panel had sounded a loud alarm about this precise problem in 2013, five years later the GAO concluded that the “DoD is in the early stage of trying to understand how to apply cyber-security to weapon systems.” Note that the conclusion was not that the DoD was in the early stage of fixing the problem, but in the early stage of “trying to understand how to . . .”
In the scenario, U.S. Navy ships were hacked. In the real world, too, U.S. Navy ships are heavily networked. The General Electric gas turbine systems on Aegis destroyers are well known and similar to engines used in civilian systems. Could a nation-state get into a ship’s system and give disabling orders to a key system? The Navy thinks so. It reported that its new Freedom-class littoral combat ships are vulnerable to hacking.
In 2018, classified data about highly sensitive Navy programs was stolen from a contractor who worked for the Naval Undersea Warfare Center in Rhode Island. Separately, a Navy technician was discovered to be a criminal hacker. There is widespread belief in the Pentagon that the repeated collisions of U.S. Navy destroyers in the Pacific in 2017 were a result of cyberattacks, although the DoD officially denies it and the Navy’s own investigations attributed the collisions to watchstanding and training failures. The Navy still runs the outdated and insecure Windows XP operating system on many systems across the force.
In our scenario, protection of the DIB was also a problem. A key corporate facility, a Raytheon plant that makes parts for antimissile systems, caught fire and blew up, preventing shipment of components to Israel. We have no reason to believe that this specific facility or company is any less secure, or any more secure, than other parts of the DIB, but we do know that defense contractors have regularly been hacked by foreign adversaries.
Among the weapons systems compromised are the Extended Area Protection and Survivability System (EAPS), a system designed to counter rocket, artillery, and mortar fire in flight, and the Patriot, THAAD, and Aegis antimissile systems. Also hacked were databases containing data on the F-35 fighter-bomber. And these are just the systems listed in one report by the Defense Science Board, a group of outside advisers to the Pentagon.
When foreign adversaries are able to hack into computer networks at private-sector corporations making things for the Defense Department, the risk is threefold. They can steal the weapon designs, potentially allowing them to reproduce similar weapons. That is what most of the hacking of the DIB companies has been used for to date. They could, however, once inside a corporate network, covertly place code in the operating systems of the weapons, allowing them to take control of the weapons if and when they encounter them in combat. Finally, hackers could do things to the controls of a factory, product line, or support systems to sabotage facility operations.
The fourth cyber mission some people think the DoD ought to be doing is to protect other corporations, not those making weapons, but those supplying the DoD itself with essential services such as electricity or rail transportation. We said “some people” in the last sentence because the exact role the Pentagon should have in defending critical infrastructure companies is a bit controversial. In our scenario, there were electric power blackouts in New Jersey and Delaware, forcing the key airlift bases at Dover and McGuire onto frequently unreliable backup generators. Trains in our fictional scenario bringing spare parts and weapons to air bases and maritime ports were derailed, preventing much of the needed resupply to Israel.
In the real world today, the DoD would fail to protect those power grids and rail-control systems because it has no legal authority to do so and, thus, no program at work to secure the off-base civilian systems on which the bases depend. The responsibility to assist corporations providing “critical infrastructure” such as electric power and rail is that of DHS. While DHS does share information with some critical infrastructure companies, it does not act to monitor or to defend their information networks. Russia, meanwhile, has reportedly been able to penetrate U.S. power grid control systems, as we discussed in chapter 10.
Iran, the potential enemy in our scenario, has already successfully attacked the U.S. financial sector infrastructure, from late 2011 into 2013, using a simple but powerful distributed denial-of-service (DDoS) attack, a flood technique that overwhelmed the publicly facing networks of the largest U.S. banks with more traffic than they could serve.
The division of labor between the DoD and DHS frustrates some in the Defense Department who believe that DHS and the corporations involved will never be able to do enough to secure the critical infrastructure upon which the Pentagon, and the country as a whole, depend. One of the many problems with making the DoD responsible for defending critical infrastructure, however, is deciding where to draw the line. DHS defines sixteen sectors as “critical infrastructure,” including even commercial facilities, a sector that covers retailers such as Walmart, Costco, and Home Depot.
Not only does the DoD not have the authority to defend such networks, it is not entirely clear that many of the corporations involved want the military poking around their networks. One of the critical infrastructure corporations most often targeted is the megabank JPMorgan Chase. When some of its cybersecurity personnel began discussing the possibility of a pilot program involving the DoD protecting its network, our sources informed us that CEO Jamie Dimon and other top bank officials quickly shut down the idea.
Finally, we posited that the fifth mission of the U.S. military in cyberspace should be to have the ability to attack enemy military systems using cyber techniques. Most observers take for granted that Cyber Command can at least do that well. The truth has been otherwise. Bureaucratic and legal impediments have prevented America’s cyber warriors from being a real offensive threat for almost all of Cyber Command’s first decade of existence.
In our scenario, the President, upon request of the Israeli Prime Minister, ordered cyberattacks on the command-and-control systems supporting the Iranian missile launchers, the similar systems of the Iranian-backed Hezbollah militia, and on the missiles themselves. Cyber Command responded that it might be able to have some initial capability to do that in two weeks’ time. Of course, by then Iran and its militia allies could have emptied their missile inventories onto Israel. Were we unfair to Cyber Command’s offensive capabilities in this simulation? We think not.
Ten years ago, we argued in the book Cyber War that the U.S. military seemed to be too fixated on developing offensive cyber capabilities and insufficiently focused on defense. As is often the case in Washington, the pendulum then swung to the opposite extreme. For most of the second decade of the century, Cyber Command did what we had advised (no doubt it was coincidence and not because they were actually aware of and agreed with what we had written). They focused on defense, but they did so to an excessive degree, forgoing much of what was needed to be in a position to launch a major offensive operation if called upon to do so by the President. Although U.S. intelligence agencies were conducting covert operations in cyberspace, the U.S. military was, to our admitted surprise, insufficiently offensive in its cyber war preparations. Although preparations can themselves be destabilizing, it is also true that if a potential enemy knows that you have little offensive capability, then deterrence is diminished.
Getting inside a potential adversary’s military command-and-control systems, or its weapons systems, is not something that can be achieved within days of a President ordering it to happen. It can take months or even years to mount covert programs to penetrate such systems. Once access has been achieved, it is then a difficult operation to maintain an undetected presence capable of being activated remotely upon command. Even an adversary’s simple software update can completely destroy a backdoor that took years to develop.
Although the terrorist group ISIS was the major adversary with which the U.S. military was engaged in combat in the Obama administration, few if any cyberattacks had been mounted against it. Toward the end of the administration, Secretary of Defense Ash Carter directed Cyber Command to mount Operation Glowing Symphony to “drop virtual bombs” on ISIS. Later, Secretary Carter testified to Congress that he was “largely disappointed” in that operation’s ability to degrade the terrorist group.
Secretary Carter was not the only one in the Obama administration to have been disappointed by cyberattacks. Obama himself was, as were many of his top advisers. They were disappointed with the first major U.S. cyber-war attack, the now infamous Stuxnet program. Officially known as Operation Olympic Games in the intelligence community, the operation seemed at first to have been a marvel of both covert action and cyber intrusion. (The attack is now the subject of many books and even a movie, Zero Days, directed by Alex Gibney.) Upon further examination, however, it had failed on several important criteria.
The attack was supposed to remain covert. The Stuxnet attack software was discovered by the Iranians. How it worked was supposed to remain secret. European and American cyber experts decompiled it and publicly discussed its design. The attack was supposed to be limited to the plant. The attack software got out of Natanz and took on a life of its own, exploring the world, and was captured and copied by cyber criminals and other nation-states throughout its journey. The covert cyber assault was supposed to do significant damage to the enrichment program. Although it did cause eight hundred centrifuges to be repaired or replaced, Iran then built twenty thousand centrifuges. Finally, the fact that the United States was the first (or among the first) nation to destroy infrastructure with a cyberattack was never supposed to be known.
As we’ve seen, after the Stuxnet experience, some would say “fiasco,” Obama issued orders that prevented any further major covert operations without his personal approval. It had a somewhat chilling effect. In a White House dominated by lawyers, an interagency debate arose about which U.S. government agencies could do what in the realm of offensive cyberattacks. Pentagon, CIA, and Justice Department lawyers engaged in what some policy makers saw as Talmudic sophistry. Stripping away the mystery and jargon, let’s try to understand the debate.
The military’s Cyber Command had not done the Stuxnet attack. The CIA and the NSA did. They did so under the authority of Title 50 of the U.S. Code, the set of laws that govern the U.S. intelligence community. Under those laws, U.S. intelligence agencies can covertly collect information abroad. They can also take actions to damage or destroy things abroad, even in peacetime, when the President issues a specific “finding” that it is in the national security interest of the United States to do so. The issuance of a finding is a highly secret, ritualistic, arcane, and usually time-consuming process involving thousands of hours of government lawyers’ time, including time spent in consultation with a select bipartisan group of Members of Congress. Even once a finding is issued, every time a significant action is about to be undertaken pursuant to the authorization, the process is repeated to issue a Memorandum of Notification (MoN) about that new action.
Despite their off-putting experience with the outcome of Stuxnet, the Obama administration apparently did not give up on the idea of using cyber weapons against Iran. As the so-called P5+1 talks with Iran about nuclear weapons dragged on, the Obama administration reportedly authorized a contingency plan, code-named Nitro Zeus, to destroy or damage key parts of Iran’s infrastructure if the talks failed. That cyberattack allegedly would have been an accompaniment to a conventional attack and would have been, at least in part, implemented under military authority. In general, however, Cyber Command was not authorized to go after enemy weapons systems.
Cyber Command and the military in general are covered by a different section of law than that which was used to authorize Stuxnet. The military is authorized by Title 10 of the U.S. Code. Lawyers in the Obama administration argued that the military could not violate international boundaries by penetrating other nations’ computer networks in peacetime for the purpose of causing damage or destruction without a specific order from the President (or the Secretary of Defense). Military intelligence units could collect information about other nations’ systems, but that would be under the intelligence authorities, and could not be conducted with the intent to destroy things. Some in the military wanted to “prepare the battlefield” by lacing the weapons systems of possible future enemies with “logic bombs” that could be triggered to destroy the enemy network or weapon in a conflict. They were not given that authority until 2018.
Thus, Cyber Command and its component military units spent almost all of their time since the command’s inception trying to fend off other nations that were trying to infiltrate our military networks and weapons. Given how many such attacks were going on and how successful they were, spending most of the time on defense was likely the right thing to do, but having little or no offensive cyber capability against enemy militaries created a weakness.
In the 2018 Department of Defense Cyber Strategy, Secretary of Defense James Mattis had ordered Cyber Command to “defend forward” by joining with the intelligence community in attempting to identify potential enemy cyber systems, penetrate them, and in some cases, stop incoming attacks. What some U.S. war-fighters wanted, however, was more. If they were ever ordered to bomb Russia or China, for example, they wanted to be able to make the “enemy” air defense radars show no incoming U.S. attack. They wanted the opponents’ air defense missiles to blow up on the launchpad when they were fired against U.S. aircraft. (Media reporting suggests that U.S. intelligence may have penetrated both Iranian and North Korean ballistic missile tests and caused several of them to blow up on the launchpad. Apparently, however, the North Koreans later developed missiles that did not include that particular feature.) The U.S. war-fighters wanted to send erroneous commands on the other nations’ military communication systems. After all, they argued, that was what Russia and China were apparently trying to do to us and, for all we know, they may be in position to do that right now. We were not, at least not as much as most observers assumed, and it was in part because of the arcane legal battles.
The fiscal year 2019 National Defense Authorization Act (NDAA), known as the John McCain Act, added language to make clear that the military, specifically Cyber Command and its regional and service components (such as Army Cyber Command), may take measures in peacetime against potential adversaries’ systems, so that they will be able to degrade their military operations quickly in the event of combat, defining such actions as “traditional military activity.”
Despite the controversy over the open-ended Authorization for Use of Military Force (AUMF) that Congress passed after 9/11, the McCain Act also preauthorizes the use of military force. Although little noticed publicly, the law gave the Secretary of Defense and Cyber Command specific authority to engage in cyberattacks against four nations (Russia, China, Iran, and North Korea) if any of those countries are found to be “conducting an active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace, including attempting to influence American elections and democratic political processes.” Cyber Command is also specifically authorized to share information with private-sector companies, including those in social media.
Trump then signed National Security Presidential Memorandum 13, a directive seen by many as taking off the leash that had held back the U.S. military from “preparation of the battlefield.” That authority was described in the NDAA as falling within the ambit of “traditional military activities,” but what it authorizes is anything but traditional. Following the Congressional action, the White House delegated day-to-day cyberattack decision-making authority to the Department of Defense.
Having U.S. military units penetrating potential enemy weapons in peacetime is seen by some observers as destabilizing. The argument is that such U.S. action might lead to peacetime “attacks” by both sides, or all sides, that could accidentally cause a highly destructive incident and lead to an escalatory process and open combat among the world’s great militaries. That concern has merit, and even if the White House has devolved authority to the Pentagon, there is a real need for interagency review (including White House staff) of planned DoD cyber operations to prevent miscalculation. One way of reducing the likelihood of general war may be to enhance uncertainty.
Traditionally, military strategists argue for greater certainty in political-military affairs. Certainty equals stability, they contend. That was, and is, the case with the prospect of major nuclear war. The certainty of mutual destruction creates deterrence. We have been taught that for the last fifty years. With cyber war, however, uncertainty may deter significant military action.
For uncertainty to promote deterrence in the context of cyber war, a potential enemy needs to be uncertain of two things. First, the potential enemy must be uncertain about how well its own conventional weapons will work. Second, the potential enemy must be uncertain about how well our cyber defenses will work. Creating those two kinds of uncertainty will increase U.S. security and deterrence.
If potential enemy leaders think there is a real possibility that their conventional weapons will malfunction because we have hacked them and that the U.S. military would quickly overwhelm them, they may be deterred from initiating hostilities. Similarly, potential enemy leaders must be made to disbelieve their own military and intelligence commanders’ claims that they can defeat the U.S. military and badly damage U.S. infrastructure through cyberattacks. Cyber Command could contribute greatly to creating those two kinds of uncertainty. It has not.
The blame does not belong on Cyber Command. The U.S. government as a whole has lacked a clear strategy, adequate funding, the needed laws and regulations, and, most important, the organizational structure and leadership to create the combination of defensive and offensive capabilities required to increase cyber stability and to deter cyber war.
As we discussed earlier in this chapter, key U.S. government networks have already been penetrated. The networks of companies making U.S. weapons have been compromised. Some U.S. weapons may have “kill switches” or backdoors inserted by potential enemies. The civilian infrastructure the U.S. military needs to go to war can be successfully attacked by cyber weapons right now. The U.S. military lacks the ability to degrade significantly the military operations of potential enemies.
If the U.S. military cannot degrade an enemy using cyber weapons during a growing crisis that has already seen limited combat, and if it cannot defend itself or our allies from disabling cyberattacks, then the crisis will quickly escalate to a larger conventional war. We just saw that happen in our fictional scenario. That is crisis instability, the inability to control escalation. That is likely where we would be today were a crisis to occur with Russia, China, Iran, or even North Korea.
How do we fix that sad and unstable state of affairs? We suggest these seven measures:
It is a major tenet of military operations that there needs to be a single, clearly defined commander for a military operation. Everyone necessary for the success of the battle must be under the control of that one commander. For Alexander the Great, that meant both the hoplite infantry and the cavalry did what he told them in battle. For Dick’s late friend General Norm Schwarzkopf, it meant in the First Gulf War that Norm controlled the air strikes, the armor units, and the aircraft carriers. In the creation of the U.S. nuclear Navy, it meant that the design, build, and operation of the reactor-powered ships were all subject to Admiral Hyman Rickover’s direction, for decades.
Today in the Pentagon, policy, direction, and oversight on some cyber matters reside in a Deputy Assistant Secretary of Defense (DASD) in the policy chain, with little or no responsibility for research, development, or procurement. As our friend Eric Rosenbach, who once had that DASD job, told us, “It’s not always obvious to a four-star general, like one running Cyber Command, that they take direction from a DASD.”
There needs to be one very senior civilian in the DoD whose only job is to have clear policy and operations authority over not only U.S. Cyber Command, but also both the Pentagon’s intranet run by the Defense Information Systems Agency (DISA) and its own internal counterintelligence force for cyberattacks, the Defense Cyber Crime Center (DC3). Such an official must have authority and cyber responsibility over existing U.S. weapon and support systems, procurement of new systems from defense industrial companies, and the contracting for critical infrastructure support from civilian providers.
The 2018 DoD strategy envisions some Pentagon role in defending the power grid and other critical infrastructure essential for DoD Mission Support. Many of the owners and operators of such networks are not pleased at the prospect of the military tramping around in their systems. Moreover, it is not clear that the Pentagon has either a plan or the legal authority to do so. Because of the interconnected nature of the power grid, gas pipelines, and telephony networks, it is hard to define or defend the parts that just support the DoD. Moreover, prior laws and executive orders have given the Department of Homeland Security the role to defend critical infrastructure.
We think it is urgent that the debate about the DoD’s cyber role end soon with a new law. The DoD, working with Homeland, must be able to demand and enforce high standards on its vendor supply chain, including the specific power and transportation systems it relies upon. It can do that through a combination of regulatory power and contractual language. Such authority should supersede any other federal or state regulation, and it should permit the DoD to continuously monitor the state of cybersecurity of the corporations involved.
The DoD and the intelligence community should look for incoming attacks on the power grid, and a handful of other critical infrastructure sectors. They should have procedures and authorities to block such attacks working with infrastructure companies. The concerned industries, working with Homeland and the DoD, should develop and operate continuous monitoring systems to find vulnerabilities and malicious actors within the infrastructure control planes and supply chain. Finally, industry, state-level emergency management agencies and the National Guard, DHS, and DoD should have detailed plans and capabilities to restore operations quickly in the event of a successful cyberattack on key infrastructure.
Clarity of mission also requires that the Pentagon and the intelligence community effectively deconflict their operations. They should not both be trying to infiltrate the controls of Moscow’s power grid, but, until we achieve a diplomatic understanding with Russia and others about the laws of cyber war, one of them should definitely be doing it. Someone needs to ensure that missions like that do not fall between the cracks.
We cannot wait for a real shooting war to discover that a weapon will not work because a potential adversary has been able to take control of our navigation, communications, guidance, or other systems.
In Cyber War, we painted a picture of the U.S. trotting out its expensive new weapons to go to war in the near future with some near-peer nation-state enemy only to have the enemy figuratively flip a switch to shut off the U.S. weapons and then attack the American “sitting ducks.” Five years after we painted that scary scene, the Pentagon’s Defense Science Board wrote an alarming report with the same conclusion. In 2018, the GAO concluded that little had been done to secure U.S. weapons from enemy hacking. If true, this is a crisis of extraordinary proportions, for it would mean that after spending trillions of dollars on defense, we may be defenseless.
The Secretary of Defense should have no higher priority than determining the extent of the cyber vulnerabilities of U.S. weapons systems, and fixing them and the supporting infrastructure with the greatest possible speed. That may require, at the least, an unprecedented diversion of resources within the Pentagon’s annual $700 billion budget to test for and remediate existing weapons.
After the initial review-and-repair project, the Pentagon must constantly engage in large-scale testing and continuous monitoring of networks and weapons for cyber vulnerabilities, on both DoD and contractor networks. When mistakes are discovered, DoD or corporate staff should be penalized and fines levied on the contractor. The commanders of the U.S. Navy Seventh Fleet warships that were involved in the suspicious collisions with civilian vessels were punished, as were their superiors. Yet when civilian contractors’ employees compromise the NSA’s most valuable secrets, the companies involved continue to receive valuable contracts and their leadership continues to take home enormous paychecks. As Admiral Rickover knew when it came to establishing a culture of safety for Navy nuclear reactor systems, there must be severe consequences for nonperformance. So, too, in cyberspace the culture of security can be created only by establishing a fault-intolerant system.
The DoD budget is too big. It has risen consistently, even without taking into account the cost of the Long War operations against Iraq, the Taliban, al-Qaeda, and ISIS. Within the DoD budget, resources for cyber missions have grown disproportionately to other missions. Nonetheless, doing the kind of major security-assurance operation we believe is necessary on the DoD’s own networks, corporate networks, and weapons systems will require greater efforts. That means more money.
In fiscal year 2019, the Defense Department will spend more than $700 billion. Of that immense amount of money, the DoD is programming slightly less than 1 percent for offensive and defensive cyber programs. We admit that how you define what is in that category is arbitrary, and some definitions would result in the percentage being higher, but however you define it, the funding is inadequate to replace current DoD systems with a highly defensible and resilient set of capabilities anytime soon.
Information systems technology does not always reduce the cost of doing business, as some people believed in the 1990s. IT system dependence and the need to secure those systems can actually increase the cost of the systems you buy, capital expenditure (CapEx), and the financial burden of running them, operating expenses (OpEx). Because the DoD, more than most large organizations in the world, is IT dependent, it needs to spend a huge percentage of its CapEx and OpEx on IT systems and their cybersecurity. Those resources can come from only one place: elsewhere in the DoD budget, even if that means reducing the size of the conventional force structure. It will do us no good, for example, to have ten aircraft carriers if none of them are combat effective due to cyber vulnerabilities. It would be better to have six that worked even under cyberattack.
Every corporation in America knows it needs to spend money on disaster recovery and business continuity. That’s without there being an enemy nation-state actively attacking and sabotaging their systems (although for some companies that could be the problem someday). Even if the DoD leadership embraced everything we recommend in this chapter and embarked on an accelerated program to implement it, America’s military would still have cyber-vulnerable weapons and support infrastructure for years to come.
Thus, part of the immediate task before the Pentagon is to develop and deploy the ability to fight in a degraded environment. Forces need to be able to communicate without the internet (or NIPRNet, SIPRNet, or JWICS), and need to be able to coordinate when frequencies are jammed by an enemy. Weapons must work even if the Global Positioning System does not. Senior U.S. military commanders know this, but that has not yet translated into a real ability to perform the DoD’s missions in a world in which cyberattacks have brought our forces back to a preinternet era. Getting there will, as mentioned in the point above, mean more money, not for shining new objects, but for boring old tech.
One way to control when and how escalation occurs is to quickly jump a few rungs up the escalatory ladder and combine that demonstration of strength with both an offer to cease fire and a threat to do even more damage if that offer is ignored. To do that, the United States has to be able to execute devastating cyberattacks against both infrastructure and military targets, while being relatively impervious to attempts to do similar things to us. We are a very long way from having those capabilities today, but we can and should have a road map to achieve them.
One way to judge who the good military commanders are is by examining the importance they place on their “POLADs,” the diplomats and civil service experts that the State Department provides to them. When fighting breaks out, the system has failed. Peace and stability are achieved and maintained by combining strong offensive and defensive military capabilities with smart and active diplomacy. Today there is no real ongoing diplomacy with regard to cyberspace and cyber war.
In the Obama administration, a high-level advisory group recommended to the President that cyber war diplomacy be elevated by creating an Assistant Secretary of State for Cyberspace. Similar global threats such as terrorism and illegal narcotics have had Assistant Secretary–led bureaus in State for years, to give focus and ensure the issues are placed on the department’s list of top diplomatic initiatives. Obama rejected that recommendation. Trump went one step further and eliminated the State Department’s cyber office and its senior adviser for cyberspace. The Trump administration then eliminated the position on the National Security Council staff that coordinated cyber-diplomatic efforts.
Reducing tensions in cyberspace, enhancing stability, and avoiding wars (accidental or intentional) requires combining strong military capabilities (offensive and defensive) with a diplomatic architecture. Diplomacy helps to define what acceptable and unacceptable activity is in peacetime, and in the event of conflict. A diplomatic architecture creates international systems for avoiding misunderstandings, dealing with misbehavior without combat, and designing stable systems and institutions. It is how to achieve that diplomatic system that we turn to in the next chapter.