By Simran R. Maker
Click Here for the Full Report
Executive Summary
The cyber domain is a synthetic one – unlike any other domain of human conflict. It is not a natural extension of human battlegrounds. It was not a byproduct of any national or international institutions. It did not stem seamlessly from any predictable field. Nevertheless, now that it has arrived, it is inextricably linked to the future of international interaction – whether friendly or adversarial; cooperative or competitive.
Cybersecurity is much more than just information security. It is about the protection of all systems – tangible and intangible – that rely on online networks to function. The more connected we are, the more vulnerable we can be. Thus, it is absolutely paramount to simultaneously focus on the two fundamental sides of cybersecurity – as with any of the other domains: defense and offense. A nation must not only be able to safeguard its own cyber channels, but it must also be capable of countering with its own attacks – where deemed to be in its best interests.
The newness of this battlefield pits it in a purgatorial state of existing and not existing at the very same time. There is no Law of Cyberspace as there is a Law of the Sea. There is no prosecuting body like the International Court of Justice or the International Criminal Court. There are no international norms to govern or oversee cyber ethics. The cyber domain is yet a jungle; a void – where some nations will try to extend their normative behavior from other domains, only to be disappointed that their adversaries have not similarly handcuffed themselves.
Clearly, the general population is fascinated with the nexus of cybersecurity and politics. And it is an important theme for the population to begin to grasp and unpack. More urgently, it is an important subject for the policy community to grapple with – not just the “techies” or the cyber gurus; all of us.
The field is not only central because of the depth and breadth of the cyber domain; it is also significant because of growing cyber capabilities around the globe. Nations that are either unable or unwilling to challenge the U.S. in theaters of conventional warfare are commanding substantial attention in cyberspace. Countries are increasingly leveraging cyberspace as a short-of-war domain. The advantages abound for irregular and asymmetric warfare. Cyber activity also provokes a lower risk of attribution or retaliation than traditional domains. Concrete evidence is more difficult to compile and verify. Some states, like the U.S., are reticent to publicly attribute attacks. A large portion of cyber attacks, in fact, thread the needle between disruption and destruction – sometimes skewing the cost-benefit calculus for retaliation. This renders cyber attacks an effective tool for disruptive tactics – for both political and economic means.
At the same time, some experts frame cyber threats in terms of cyber opportunities. Perhaps cyberspace presents a new sphere of opportunity with all the room for innovation and growth. Maximizing such potential, harnessing these prospects, and driving greater modernization could prospectively lead to a cyber sector workforce that propels America to the next level of security and prosperity alike. There certainly is a need for it.
When grappling with issues of such significance to national security, working within the right framework is essential. First and foremost, cybersecurity must be couched in the overarching foreign policy agenda. It must be understood as a foreign policy tool. The relationship between U.S. foreign policy and cybersecurity is not only bidirectional; it is interdependent. A shift in America’s foreign policy posture can have significant implications around the globe – in multiple regions, on multiple levels, in multiple dimensions. Now cybersecurity inarguably stands as one of these dimensions.
Therefore, a grave part of the problem is the misunderstanding and wrongful prioritization of threats. Yet again, this circles back to the underlying truth that cyber activity is merely a tool – an extension – of the differing foreign policy agendas of different nations. It is vital to unpack the overarching foreign policy postures of threat actors in order to gain a more lucid view of their cyber intentions. Only then can the U.S. properly forecast and anticipate what form the corresponding threats emerging from each country will assume, in order to optimally prepare and defend against each of them.
In terms of understanding cyber threats on a macro level, a few nuances must be observed. Cyber threats are all too often generalized into the black or white categories of cyber crime or cyber war. Such an oversimplification not only distorts the types of threats themselves, but it also vastly misses the nuances of intent that play a role in shaping how the threats will manifest or metamorphosize. Somewhere on the sliding scale, there are three gray areas holding enormous weight and factoring in intent: cyber espionage – which can be political or commercial in nature, always with an element of spying; cyber subversion – which often relies on the manipulation of information to have an undermining effect; and cyber sabotage – which generally involves a level of physical destruction with the goal of obstruction.
As a country, we do not have a cyber problem. We have a China problem; a North Korea problem; an Iran problem; a Russia problem. And cyber attacks will not be the only tool used to achieve our adversaries’ goals.
Defensively, we have it all wrong. We have been destruction-focused, worrying about the protections in place for our physical and critical infrastructure. The Russians are on to something with their emphatic turn towards information warfare. Even the Chinese are more active in this realm. North Korea, too, has shown signs of leaning more towards info wars, as evidenced by the 2014 Sony Pictures Hack. By misunderstanding which playground our adversaries are playing on, we have handicapped ourselves and limited our vantage point. Had we been more cognizant of this, we would have seen that the Russian hack of the U.S. elections was actually quite unsurprising. Did we learn nothing from Russia’s test drive of similar tactics with the Ukraine elections? We have been ignoring the smoke signals for too long. But we can no longer afford to do so.
As this report stresses, we must ultimately frame the cyber debate within the larger foreign policy debate. This inherently leads us back to the most elementary question – one that lies at the very root of foreign policymaking since the beginning of time: Who are our most dangerous adversaries? As far as nation-states go, the list is fairly straightforward in the present era – though the sequence of the list may well be cause for debate. Today, no list would be complete without an examination of China as a competitor; North Korea as an instigator; Iran as a challenger; and Russia as an opponent.
The strongest practical recommendation must be a greater emphasis on credible deterrence. One major attitudinal shift has had a tangible impact: over the last few administrations, there has been a move away from tolerating the theft of intellectual property – a threat that has been labeled “the greatest transfer of wealth in history” by General Keith Alexander, the first Commander of the U.S. Cyber Command. There should similarly be less tolerance with other cyber targeting.
To combat these traditional adversaries, more needs to be done to collaborate with traditional allies that can also be cyber allies. Only in working with international partners, can cyber norms be created and carried out in a meaningful way. Cyber cooperation must continue to be a pillar in any policy conversation on cybersecurity. In this domain, however, a word of caution might be necessary. Traditional partners may be dressed differently; and expected adversaries may take different forms. Washington can expect the same players to arrive at the cyber ball, but it must not be too shortsighted – lest it miss a threat masquerading as a non-threat.
To reach a sounder understanding, a valuable lesson can be drawn from the operational tendencies of USCYBERCOM: the comingling of “adversary experts” – or area specialists – with the sea of technical experts. Area experts are an integral component in shaping response options within the military. Their presence enables a more consistent campaign of actions, particularly when it comes to deterrence. In this way, decision-makers can connect the dots between what will be possible and what will be effective. This is a paradigm that must be underscored and applied to other elements of the cybersecurity effort, especially as cyber specialists come to terms with the fact that their world is just a molecule in the foreign policy universe.
Moreover, while Cyber Command has begun to formalize and institutionalize mechanisms for capacity building, this is a focus that must continue to be prioritized across the board. Rhetoric about capacity building must be met with the appropriate investments and resources. Across the government, systems need to be upgraded, protocols need to be streamlined, and encryption needs to be standardized. Threat scenarios should be built out and prepared for, so that there is never again a simple attack that catches the government totally off guard – as with the White House and DoS attacks of 2014. As such, technical experts and policymakers need to exchange ideas on what short and long-term digital transformations look like. They need to discuss how to scale security benefits so they extend to departments that would not traditionally be expected cyber targets – like the Office of Personnel Management.
These feats should not be left solely to the military. There must also be a continuing role for the private sector. Across the last few administrations, there has been a consensus of sorts, but there might be a shift in direction under the new administration. Where President Obama was distinctly cautious not to over-militarize the issue of cybersecurity, the current administration might be altering the approach so that cyberspace falls more squarely under the purview of the military. It will be crucial to keep the private sector involved, and even to allow it to take the lead in improving cybersecurity solutions when called for.
What cannot be disputed is the key role the private sector has played thus far, and the central role it will – and must – continue to play going forward. It would be an error of judgment to siphon off the private sector from the problems of the government. American corporations are still American, with a vested interest in sustaining cybersecurity for the nation writ large. The current administration has floated the idea of compartmentalizing the private sector from the public sector in this domain, but this would actually be an oversight with unforeseeable implications. While there is unquestionably a need for certain cyber knowledge to remain classified to only the highest guardians of U.S. defense, individual companies within the private sector may have capabilities that are not always readily available to large bureaucracies within the government. They also have greater latitude for trial and error operations, affording them the leeway to arrive at the best solutions through a process of deduction – something that government actors cannot always afford to experiment with.
Nevertheless, these recommendations (and others interwoven below) will be far less effective if the overarching dialogue on cybersecurity is not framed properly. Accordingly, this is the most crucial takeaway. What has been stressed throughout this analysis is that cybersecurity must be couched within the larger foreign policy discourse. It is vital to address one when addressing the other. Cyber defenses can be improved and cyber offenses can be upgraded, but the best way to further the country’s cybersecurity is to ameliorate and better manage America’s relationships with the very adversaries that become threat actors in cyberspace. This cannot be emphasized enough: We do not have a cyber problem. We have a China problem. A North Korea problem. An Iran problem. A Russia problem.
The discussion on cyber issues can be extensive and varied, but within the context of foreign policymaking, we must reflect on how advancing technology affects the business of statecraft. Just as the evolution of media revolutionized state-to-state politics on the global stage, current developments are reorganizing the way we receive information and perceive subjects – arguably in a much swifter, less noticeable way than ever before. But the cycle of change itself is not new. With each new connective technology, the world has gotten metaphorically flatter – for the average citizen: more accessible; more comprehensible; more immediate; more relevant. In this more connected world, cybersecurity matters more than ever before. Society has greatly benefited as technology has become more advanced and everything has become more networked, but it is also more vulnerable for these very same reasons.