Cyber threats and how the United States should prepare

A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, hackers staged a cyber assault with a self-spreading malware that has infected tens of thousands of computers in nearly 100 countries. REUTERS/Kacper Pempel/Illustration - RTX35OS0

Cybersecurity is now at the forefront of policy discussions and planning for future conflicts. In many ways, the cyber threat has leveled the playing field, and that presents unique concerns to the United States and its allies. The Final Report of the Defense Science Board (DSB) Task Force on Cyber Deterrence, released in February, concluded that cyber capabilities of other nations exceed U.S. ability to defend systems, and argued that this will continue to be the case for at least another five to 10 years. With this in mind, a cyber strategy that can credibly deter potential foes is increasingly necessary, as are ways to keep critical systems defended. In both cases, progress has been slow and irregular.

On June 6, the Center for 21st Century Security and Intelligence at Brookings hosted an event focused cybersecurity and cyber deterrence. I interviewed James Miller, former undersecretary of defense for policy, now with Johns Hopkins University Applied Physics Laboratory. Expert panelists Sam Jones of Palantir, William Leigher of Raytheon, and Anil Ramcharan of Deloitte also offered remarks.

The 2017 study that Miller co-chaired on cyber deterrence offers a good encapsulation of the range of the challenges that the computer and cyber revolutions pose to the United States. The study—which formed the foundation for the broader discussion—underscored several dangers to the U.S. military and society more generally.

Panelists were first asked about the biggest problem in the cyber realm in the Department of Defense. Leigher suggested the United States needs to better address the human side of the cyber security problem, including the frequent security breaches that take place today. Jones proposed that the Department of Defense needs either to eliminate compliance reports or to use technology to automate compliance reports to give people time to patch security vulnerabilities and fix the network. Ramcharan argued that the broader civilian infrastructure and its vulnerabilities require attention, not just the infrastructure devoted to DoD systems.

Miller highlighted a particular strategic problem that characterizes current cyber vulnerabilities: “death by a thousand hacks,” including the Iranian attacks on Wall Street, North Korea’s hack on Sony Pictures, Chinese cyber thefts of intellectual and personal property, and the Russian hack of the recent U.S. election. These could consistently distract the United States and compromise the economy and communication systems. Miller also pointed to the need for a long-term deterrence campaign aimed at each of the actors attacking the United States, along with the use of offensive cyber instruments and other tools of foreign policy.

Miller further raised that the U.S. military is already “an internet of things.” Miller explained the multidimensional nature of vulnerabilities today: There could be problems in the computer chips embedded in weapon system platforms; there could also be major vulnerabilities in critical infrastructure on which the U.S. military depends for transportation and sustained logistical support. Disruptions to command and control capabilities that, in time of war, could leave military forces disconnected from each other—or falsely directed to shoot in erroneous directions or otherwise carry out inadvertent and harmful activities—could also result from various forms of sophisticated hacking. Miller concluded that the combination of attacks on civilian infrastructure—in vital domains such as electricity, water and sewage, transportation, and financial activities, many of which are also crucial to military operations—along with its military vulnerabilities, the United States could experience a situation where a major actor (e.g. Russia or China) could have the capacity to both harm the economy and attempt to blunt U.S. military responses to an aggression.

Miller and DSB coauthors believe vulnerabilities are still worsening today and that they will likely continue to get worse until we take the problem much more seriously. In their eyes, a sustained effort in cyber protection is urgently needed.

A number of other key points were made.  Again, Ramcharan emphasized the importance of protecting civilian infrastructure. He explained that the tactics and techniques being applied to cyber warfare today are widely accessible and often fairly easy to employ.  Today, low-cost, low-entry, and often low skill-set methods are used to attack.

Leigher explained present-day vulnerabilities by observing that earlier generations of military systems engineers were not too concerned about cyber security.  He expressed alarm that even a limited, discrete cyberattack on a key part of a major platform like a ship could incapacitate the entire thing, causing mission failure. For example, an attack that disabled the ship’s propulsion could lead to catastrophic results.

Jones explained that by writing better code, using various kinds of red teams, and scrutinizing carefully from the very beginning, reliability and resilience could be dramatically improved.

In conclusion, going forward, Miller suggested that the United States needs to do three things:

  1. Prioritize and invest in resilience for nuclear strike systems and for long-range conventional platforms.
  2. Work hard on the critical infrastructure and maintain a threshold so that terrorist groups and lesser powers (e.g. North Korea and Iran) do not have the capability of holding the nation at risk through cyberattacks.
  3. Develop a playbook of sorts, in advance, to guide response to significant cyberattack.

Emily Terry, an intern with the Brookings Africa Security Initiative, contributed to this post.