By John R. Bolton
Thursday, July 29, 2021
Cybersecurity is now a commonplace, much discussed
topic. Strategic adversaries (China and Russia), proliferators and state
sponsors of terrorism (Iran and North Korea), terrorist networks, and criminal
enterprises all threaten us. Pundits importune us incessantly to safeguard our
information technology, communications networks, power grids, financial and
personal data, and, last but certainly not least, national-security
information.
While we are making progress, especially in raising
national awareness, Americans nonetheless remain uneasy about our overall
cybersecurity.
With good reason. We face not an easily discernible,
relatively quantifiable threat but a multiplicity of hidden, ever-changing
threats. We are deep into what Donald Rumsfeld called “known unknowns” and
“unknown unknowns.” And, although working furiously, we remain at risk by not
fully thinking through the cybersecurity issue, both conceptually and
operationally. Several steps are necessary to begin remedying these
deficiencies.
First, we must jettison the idea that cyberspace is
somehow different from other domains of human activity. It is not. Where
mankind goes, war, treachery, theft, fraud, and all our other defects follow,
along with, we pray, our virtues. For decades, however, we have treated the
navigation of cyberspace as essentially cost- and even risk-free. It was all
upside, no downside, the Garden of Eden rediscovered. While few today are as
unaware or naïve as we were initially, traces of the Garden of Eden myth still
infect our analysis and decision-making.
Indeed, it was the prevailing attitude under Barack
Obama. His advisers feared that establishing deterrence in cyberspace through
American offensive cyber operations was too dangerous. Rather than risk
bringing “Death into the [cyber] World, and all our woe,” they worked almost
solely on enhancing defenses, hoping for the best. To effect this approach, the
National Security Council wrote decision-making rules for offensive cyber activities
that induced government-wide paralysis. There was in Obama’s cyber policy
little trace of what Alexander Hamilton called, in Federalist No.
70, “decision, activity, secrecy, and dispatch.”
The Trump administration eased Obama’s restrictions, but
only after an enormous bureaucratic struggle. Nonetheless, these process
changes allowed for effective measures before 2018’s congressional elections,
preventing substantial Russian efforts to interfere, as U.S. officials publicly
acknowledged. Even so, those who appreciate the full scope of potential
cyberspace operations, and the speed and stealth by which hostile threats
manifest themselves, agree that we need much greater capacity and flexibility.
Imposing cyber costs on our adversaries is useful not because
we wish to increase the level of hostilities in cyberspace but for precisely
the opposite reason. If we do not establish deterrence, as elsewhere in the
human experience, attacks on America and its allies will increase, not
decrease. By imposing substantially higher (i.e., greater than proportional)
costs on potential adversaries than they inflict on us, we prove that they will
ultimately suffer far more harm than they can levy. Deterrence works fully when
their attacks never take place.
It is unclear whether Biden is following the Trump- or
the Obama-administration approach. After the Colonial Pipeline ransomware
attack, for example, Biden told Putin at their Geneva summit that he would hold
Russia accountable for such attacks (for which Putin denied responsibility).
Nonetheless, within weeks, REvil, another Kremlin cyber surrogate, struck
again. Biden telephoned Putin, who once more demurred, although REvil then went
dark. Was U.S. offensive cyber activity responsible? Or did Putin scrap the
site to avoid an assertive response (thereby tacitly conceding that REvil was a
Kremlin tool)? Did REvil simply fold its tent, to reopen somewhere else on the
Web (perhaps even from within the U.S.)? The Republican National Committee was
also attacked post-summit, likely by Russia’s hacking group “Cozy Bear,” which
still seems to be prowling around.
Obviously, not all U.S. offensive cyber activity can or
should be made public, to avoid revealing our capabilities to the very
adversaries we are trying to deter. Some public disclosure, however, is
critical to reassure the U.S. public and our allies that our cyber saber is
working. A few cyber heads on pikes outside the Pentagon’s River Terrace
entrance would be a public service.
America’s second major cyberspace problem is more
profound. Partly because of the Garden of Eden myth and partly from laziness
and lack of practice, we have done precious little original conceptual thinking
about cyberspace hostilities. We urgently need the kind of rigorous analysis
that took place during the Cold War on nuclear strategy.
Although deterrence is an ancient concept, Cold War
theorizing on the potential of nuclear conflict gave rise to history’s most
comprehensive deterrence strategies. In cyberspace, therefore, we are not
starting entirely from scratch. But where are cyberspace’s Thomas Schellings
and Albert Wohlstetters? Where is today’s Herman Kahn, “thinking about the
unthinkable”? Where are the contemporary counterparts of Charles Hitch and
Roland McKean and their iconic work, The Economics of Defense in the
Nuclear Age? We can hope they are beavering away somewhere on classified
projects, but we also need public-level conceptual debate, and we need it now.
“Debate” is key; legendary nuclear-era whiz kids, after all, brought us “mutual
assured destruction,” which was indeed both “MAD” and dangerous. Nonetheless,
the conceptual basics were critical to our surviving and indeed prevailing (so
far) in nuclear matters. We need the cyber equivalent soonest.
Not all cyberattacks are equal. We can distinguish, for
starters, four broad threat levels: vandalism (throwing rocks through
cyber windows); criminal behavior (everything from stealing intellectual
property or classified information to destroying it or replacing it with
incorrect information, as well as our contemporary plague of ransomware
attacks); espionage (including both the clandestine gathering of
information and covert paramilitary activities and influence operations, which,
like propaganda or other efforts intended to wreak political havoc, can occur
in full public view, especially through social media); and, ultimately, war,
in many varieties.
This is a starting point for devising countermeasures to
help establish deterrence. Such retaliatory and other steps, of course, need
not be confined to cyberspace merely because the offensive measures against us
were cyberattacks. Cyber-strategizing must be integrated with other military
and intelligence planning to maximize our options and effectively allocate
limited resources. The key point is that we are still woefully unprepared
conceptually for a cyber world that changes on a rapid, continuous basis.
Remember, Kahn’s On Escalation had an escalation ladder for a
generalized nuclear scenario with 44 steps. We have a long way to go.
While cyberspace is not unique among zones of human
activity, and therefore not immune from inevitable conflict, cyber hostilities
will have their own peculiarities. One of the most important may be the
duration of cyberwar: perpetual and potentially ever-expanding even in times of
“peace.” This paradigm would be more like contemporary terrorist threats,
which, distressingly, Biden’s withdrawal from Afghanistan proves he does not
understand. Espionage is similarly continuous and indefinite, although cyber
conflict seems likely to be more lethal and destructive than clandestine
intelligence activities have typically been. Thus, even though Fred Iklé’s
classic work Every War Must End has an appealing title,
cyberspace threats, like terrorists, may not be so agreeable.
From the perspectives of Moscow and Beijing, this is
precisely the kind of reality that plays to their strengths and against ours.
They are patient, we are not. They do not have (yet) the capability to match us
in conventional warfare, but cyberspace can be a great leveler without having
to risk unleashing the vast destructiveness of nuclear weapons. This is exactly
what less powerful states seek to do broadly through “asymmetric warfare.” Obviously,
the United States can handle these threats, but far more than other forms of
asymmetric warfare, cybersecurity requires new thinking from our strategists
and planners.
Cyberspace is also ideally suited to “hybrid warfare,”
the marriage of direct political action with more-traditional military force,
in a perpetual contest for influence. We have seen versions of hybrid warfare
before, in the ideological, guerrilla-war struggles of the 20th century, for
example, or in Ukraine today. Cyberspace, however, adds a vast new dimension,
almost uniformly advantageous, at least initially, to the seemingly less
powerful aggressor. Russian efforts to destabilize America’s political system
are uniquely suited to cyber operations.
These and other cyberwarfare characteristics also
demonstrate why calls for cyber “arms control” measures are even more futile
and more dangerous than in other fields of weaponry. Our existing adversaries
are just as likely to breach cyber commitments as they have been in previous
arms-control agreements. Provisions for discovering or penalizing cyber
breaches would alone require impossibly complex multilateral diplomacy. Even
worse, the most dangerous cyber actors may not even exist yet. Tough to
negotiate if you don’t know who your adversaries are.
After the chaos of Donald Trump, the Biden
administration’s quietude has its refreshing aspects. But in cyberspace,
intellectually and operationally, this is no time for overconfidence. In coming
decades, America’s most important defense intellectuals will be those who
penetrate the strategic realities of cyberspace and their interrelationships
with the existing military and intelligence world. If Biden falters, this
should be a prime political issue in 2022 and 2024.