War in cyberspace is fully on, and the United States is losing it, according to about two dozen national security experts.
The U.S. military is increasingly adept at mounting cyberattacks in places like Russia and Iran, but America’s computers are almost completely defenseless. Without strong protections, offensive attacks can be invitations for disaster instead of deterrents.
“I believe we are in a declared cyberwar,” said Michael Bayer, a longtime Pentagon adviser who led a recent review of Navy cybersecurity. “It is aimed at the whole of society and the state. I believe we are losing that war.”
Whether the attack is a hack of a Pentagon contractor or misinformation spread on social media, U.S. adversaries are increasingly successful in this ethereal battleground. U.S. leaders are only slowly realizing how much the rules have changed, and the required focus, leadership and strategic thinking remain woefully wanting, critics charge.
“While we have made progress, it would be fair to say we have a long way to go,” said South Dakota Republican Sen. Mike Rounds, who chairs the Senate Armed Services Cybersecurity Subcommittee.
The military’s torpid response has been caused by bureaucratic inertia, the political dominance of traditional weapons and military organizations, the distraction of the post-9/11 wars, and a failure to comprehend the cumulative damage and how rapidly warfare is changing.
America’s adversaries have stayed in the so-called “gray zone,” below the level of attacks that would trigger a full-scale U.S. response.
In cyberspace, Bayer compares this to a parasite that constantly saps its host — but not so much as to trigger a full-scale white-blood-cell counterattack.
Rep. Mike Gallagher, who co-chairs the Cyberspace Solarium Commission, a bipartisan panel studying competition in the infosphere, is among those calling for a national awareness campaign.
“Ultimately, our success or failure in cyber will come down not to algorithms or technology but to human beings,” said the Wisconsin Republican, who noted that he was not speaking for the commission. “Everyone who has a cellphone in their pocket is in some ways on the front lines of a geopolitical competition.”
Flashback: Election security expert — ‘It’s really only a matter of time’
Information operations and cyberattacks in the gray zone have grown in recent years — in number, sophistication and damage.
China’s 2018 attack on a Navy contractor gave that country access not just to details of a key new anti-ship missile but also to much of what the Navy knows about China’s maritime capabilities.
China has also reportedly stolen data on F-35 fighters, littoral combat ships, anti-missile systems and drones operated by the U.S. military.
The broader U.S. economy has lost more than $1 trillion in intellectual property pilfered in cyberspace, experts say.
Russia has specialized in a massive information warfare campaign to influence U.S. elections by sowing dissent and planting lies in U.S. social media circles.
North Korea, Iran and even terrorist groups have shown they, too, can do damage with a few keystrokes.
On June 11, national security adviser John Bolton publicly stated that the U.S. has stepped up its offensive cyber-assaults since last year. The message to America’s adversaries, Bolton said, is “You will pay a price.”
Four days later, The New York Times reported that the United States, in a classified operation, had penetrated Russia’s energy grid with malware that, if triggered, could disrupt Russia’s electrical systems. The Pentagon has said the Times reporting was inaccurate but has not provided any clarification.
Later that month, Yahoo News disclosed that U.S. Cyber Command had hit Iranian military computers after Iran shot down a U.S. drone in the Persian Gulf.
Despite this ramped-up offense, America’s defenses lag behind, according to retired Army Gen. Keith Alexander, who headed the National Security Agency and the U.S. Cyber Command.
“I think we are making gradual moves toward that, but I think there needs to be more,” said Alexander, now CEO of cybersecurity firm IronNet. “I believe it’s the government’s responsibility under the Constitution for common defense. Period.”
Without effective cyber-defenses, more aggressive overseas operations could come back to bite the United States, experts warn.
“Defense is a necessary foundation for offense,” the Defense Science Board, a Pentagon advisory panel, said in a 2018 report. “Effective offensive cyber capability depends on defensive assurance and resilience of key military and homeland systems.”
The Navy cybersecurity review, made public in March, said those defenses are severely lacking.
As the Navy prepares to win “some future kinetic battle,” the report said, it is “losing” the current one. Defense contractors “hemorrhage critical data.”
The current situation is the result of a “national miscalculation” about the extent to which the cyber war is upon us, and the vaunted U.S. military’s systems have been “compromised to such [an] extent that their reliability is questionable.”
The U.S. economy, too, will soon lose its status as the world’s strongest if trends do not change, the authors wrote.
The Defense Science Board, meanwhile, has delivered a similar message, recommending in 2017 that a second U.S. military that is truly cyber-secure be created as soon as possible, because the one America has will not necessarily work.
A cyberattack on the military, the science board said, “might result in U.S. guns, missiles, and bombs failing to fire or detonate or being directed against our own troops; or food, water, ammo, and fuel not arriving when or where needed; or the loss of position/navigation ability or other critical warfighter enablers.”
The report chillingly warned that doubts about U.S. defense capabilities due to cyber vulnerabilities could cause a president to more quickly turn to nuclear weapons in a conflict.
Kenneth Rapuano, the Pentagon assistant secretary for homeland defense and global security, said the department is trying to implement “as a matter of top priority” the Defense Science Board recommendation to ensure that at least part of the military is at the highest level of cyber preparedness, starting with nuclear weapons.
The battle for cyberspace will hinge on human beings.
Hence the worries about China’s 2014 hacks into the personal information of more than 22 million federal workers, contractors, family and friends in the Office of Personnel Management’s databases.
A lack of cyber hygiene by just one employee or subcontractor of the government can be the entryway for a cyber break-in with strategic consequences.
At the Pentagon, auditors have repeatedly found that major weapons have been exposed to cyberattacks because of simple snafus such as a failure to use encryption, two-factor authentication, proper passwords or, in one instance, leaving a room full of servers unlocked.
Meanwhile, the Pentagon and the government as a whole are short on cyber-savvy personnel, who are often lured away to high-paying Silicon Valley firms. As of April, America’s overall cyber workforce is short 314,000 workers, a House Armed Services subcommittee said in a report last month.
Trump and leaders in the Defense Department and Congress have begun to significantly increase their attention to the problem, but their efforts are still dwarfed by the challenge, many observers believe.
Consider how infrequently U.S. leaders talk about cyber issues. On congressional defense committees and even at the Pentagon, cyber is essentially an afterthought compared to weapons hardware and military pay and benefits.
“You wouldn’t even know that cyber is a Top 20 problem,” Bayer said.
Measured in dollars, too, cyber does not stack up. Compared to defense spending, unclassified cyber spending across the federal government in the fiscal 2020 budget request amounts to about 2 percent.
“We need to have the bombers and planes and missiles to make sure we can defend the country in a conventional conflict, but we also need to face the reality, and gray zone conflict is happening now and will continue to go forward,” said Rhode Island Democrat Jim Langevin, who chairs the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities.
The last two years have shown hopeful signs of progress, including Congress’ creation of the Cyberspace Solarium Commission. The panel is named after former President Dwight D. Eisenhower’s Project Solarium, which came up with a national strategy for combating communism.
In the decades that followed, the United States and its allies went after the Soviet Union’s weak spots, shining a light on its propaganda and falsehoods by using all means at the nation’s command, short of war.
Most experts say that what’s needed now is just what was needed then.
“You win this not just by changing structures and moving money,” Bayer says. “You win this by changing culture. That’s easy to say and damn hard to do.”
Get breaking news alerts and more from Roll Call on your iPhone.