The Perfect Weapon
Page 34
AFTERWORD
SEN. DAN SULLIVAN (R-ALASKA): What do you think our adversaries think right now? If you do a cyberattack on America, what’s going to happen to them?
LT. GEN. PAUL NAKASONE (COMMANDER OF US ARMY CYBER COMMAND): So basically, I would say right now they do not think that much will happen to them.
SULLIVAN: They don’t fear us.
NAKASONE: They don’t fear us.
SULLIVAN: So is that good?
NAKASONE: It is not good, Senator.
—Lt. Gen. Paul Nakasone’s confirmation hearing, as commander of US Cyber Command, March 1, 2018
Until the cyber age came along, America’s two oceans symbolized our enduring national myth of invulnerability. The threat of nuclear attack preoccupied us during the Cold War, but generally the United States has assured it could take out dictators, conduct drone strikes on terrorists, and blow up missile bases in faraway lands with relatively little fear of retaliation. There were exceptions, of course, moments of national terror: the British burned Washington in the War of 1812, the Japanese attacked Pearl Harbor, and al Qaeda brought down the Twin Towers and struck the Pentagon. But we knew the only attack that could threaten the existence of the country would come at the tip of a Soviet or Chinese intercontinental missile, or in the form of terrorists with access to nuclear weapons. And after some terrifying close calls, notably the Cuban Missile Crisis in 1962, we found an uneasy balance of power with our primary adversaries—mutually assured destruction—to deter the worst. It worked, or has so far, because the cost of failure is so high.
In the cyber age, we have not found that balance, and probably never will. Cyberweapons are entirely different from nuclear arms, and their effects have so far remained relatively modest. But to assume that will continue to be true is to assume we understand the destructive power of the technology we have unleashed and that we can manage it. History suggests that is a risky bet.
I keep on my desk a wonderful volume, Airships in Peace and War, first published in London in 1908 by military historian R. P. Hearne, which tried to imagine how a strange new invention of that time—airplanes—would change the course of history for Europe’s great powers. One chapter is entitled “Could England Be Raided?” The question was answered in 1916, when the Germans first delivered scattered air attacks across the country. Within a year the first battles for control of the skies were under way. In 1940, the Blitz devastated London.
In the cyber world, we have not yet seen the equivalent of the Blitz. The early damage has been limited—centrifuges in Iran, a steel plant in Germany, a casino in Las Vegas, a crippled petrochemical plant in Saudi Arabia, missiles gone mysteriously awry in North Korea. Yet every week seems to bring hints of things to come, as city services became paralyzed by ransomware in Atlanta and patients were turned away after a cyberattack struck the health-care system in Britain.
The sheer acceleration in the number of attacks, and their rapidly changing goals, is one of several warning signs that we all are living through a revolution, playing out at digital speed.
* * *
—
In the early days of this revolution, reaching for a cyberweapon seemed almost risk-free. Now that calculus is changing.
No one could blame an American president for using a remote-control weapon to crash Iran’s nuclear centrifuges or disable North Korea’s missiles. Given the choice between risking the lives of American soldiers or intelligence officers and reaching deep inside a country without setting foot in its territory, the decision seemed self-evident. The same logic that made drones so appealing to George W. Bush and Barack Obama—great stealth and low risk—made cyberweapons irresistible too. And in both Iran and North Korea, cyberweapons provided a way to slow dangerous military programs without triggering a war.
The harder question over the next decade will be whether reaching for such weapons with increasing frequency will continue to be a wise choice. By going into the North’s missile systems, the United States set a precedent, just as we did with Olympic Games, that other nations will surely follow. While we talk publicly about setting norms for what should be off-limits for offensive cyber activity—hospitals, emergency responders, and now election systems—we are seen around the world as hypocrites. Every time the United States reaches into another nation’s critical infrastructure, we make our own fair game for retaliation.
Yet we clearly are not prepared for the day when each American action in cyberspace triggers an escalating response. Because for now, as the stories told in the preceding pages make clear, deterrence is not working in the cyber realm. True, there has not been a devastating attack on the power grid, a “cyber Pearl Harbor” that might tempt an American president to make good on the threat contained in the 2018 Nuclear Posture Review, which is that some kinds of non-nuclear attacks—chiefly, cyberattacks—may force the president to reach for the ultimate weapon.
The very fact that we need to make the threat underscores the failures of the past few years. When Adm. Michael Rogers took over the National Security Agency, he told me in his office in 2014 that his tenure would be measured by his success at convincing America’s adversaries that there was a cost—a high cost—to attacking the nation’s networks. “Right now, if you look at most nation-states—groups and individuals and the activity they are engaging in in cyber, very broadly, most of them seem to have come to the conclusion that there is little risk of having to pay a price for this in real terms,” he said at Stanford later that year.
When his successor, General Nakasone, conceded in his confirmation hearing four years later that “they don’t fear us,” he was admitting that after spending billions of dollars on new defenses and new offensive weapons, the United States has still failed to create a deterrent against cyberattacks.
Perhaps that is understandable. In the Cold War, nuclear deterrence did not emerge instantly. It took years of collaboration between technologists, strategists, generals, and politicians. It involved a very public debate, which the United States seems unwilling to conduct in the cyber realm—for fear of revealing our capabilities, or having to surrender some of them.
In the nuclear era, deterrence worked well between the United States and the Soviet Union not only because each knew the other possessed world-destroying power, but also because each had confidence in the integrity of its own weapons system. Each was certain that if the president ordered a launch, the launch would happen.
But over the past few years we have seen time and again that cyberweapons can undermine that confidence. The Iranians lost all assurance they could control their centrifuges. The North Koreans suspected someone was messing with their launch systems. And inside the Pentagon there is growing fear that one day in the not-too-distant future an American commander could order a launch and missiles would not fire.
We experienced a less deadly version of that loss of confidence in 2016, when we feared that Russian hackers were seeking to break into our election systems, looking for ways to alter voter-registration data. Even if they failed, the mere attempt was enough to undercut public confidence in the outcome of the vote. Imagine a similarly skilled group breaking into America’s nuclear early-warning systems, triggering a fake warning that the United States was under attack. It could prompt a president to launch our own weapons before the chimerical incoming missiles could strike.
This may sound like the stuff of a bad thriller, but almost exactly that scenario—without the cyber manipulation—nearly triggered disaster in 1979, when a watch officer awoke William Perry, then an undersecretary of defense, to report that an early-warning system was showing two hundred incoming ICBMs. The military quickly determined it to be a false alarm: someone had placed a training tape, simulating an incoming attack, into the real warning system. However, Perry later warned, if an enemy attempted the same thing with a sophisticated bit of malware, perhaps placed by an insider, “we might
not be so lucky next time.”
The implications of having our own command-and-control system compromised underscore why sabotaging similar systems in other nations is dangerous business. If American leaders—or Russian leaders—feared their missiles might not lift off when someone hit the button, or that they were programmed to go off-course, it could easily undermine the system of deterrence that has helped reduce the likelihood of nuclear war for the past several decades. It could also encourage countries to build more missiles—as an insurance policy—and perhaps to launch them earlier.
“It’s not hard to imagine how we greatly increase the risk of stumbling into a conflict because of an accident, or inadvertence, or just deliberate deception,” James Miller, a former undersecretary of defense for policy, and one of the country’s most experienced nuclear strategists, told me after he and Richard Fontaine finished a study of just that problem. “It’s conceivable that other states, and even non-state actors, could undertake cyberattacks that lead to an inadvertent escalation with Russia,” Miller concluded. That a president could make snap decisions on which millions of lives depend, based on information that had been subtly manipulated, is sheer madness.
General Nakasone’s warning that countries do not fear us—one he uttered just weeks before becoming the new director of the NSA and commander of United States Cyber Command—focused on the question of whether the United States can retaliate after its networks are struck. But there are other ways to deter attacks—chiefly by convincing your adversaries that your defenses are strong, and they will not succeed. In the lingo of strategists, this is called “deterrence by denial.” If an attack would be futile, why bother in the first place?
Deterrence by denial requires an exquisite defense. And while American intelligence officials will not concede the point, internal government assessments say it will be a decade—at least—before the United States can reasonably defend our most critical infrastructure from a devastating cyberattack launched by Russia or China, the two most skilled adversaries in the field. There are simply too many vital networks, growing too quickly, to mount a convincing defense. Offense is still wildly outpacing defense. As Bruce Schneier, a cyber expert whose work is a must-read on the topic, put it so well: “We are getting better. But we are getting worse faster.”
Schneier’s point is that even as we build far greater defenses, our vulnerabilities are expanding dramatically. With huge investments, the top tier of the financial industry and the electric utilities have done the best job of safeguarding their networks—meaning that a North Korean hacker aiming at those industries would likely have more luck targeting smaller banks and rural power companies. But as we put autonomous cars on the road, connect Alexas to our lights and our thermostats, put ill-protected Internet-connected video cameras on our houses, and conduct our financial lives over our cell phones, our vulnerabilities expand exponentially.
During the Cold War, we learned how to live, uneasily, with the knowledge that the Soviet Union and China had nuclear weapons pointed at us. There were no perfect defenses. In a world of constant cyber conflict we will have to adjust similarly.
Yet if we are more vulnerable than ever, why is the Pentagon talking about the need to conduct a far more aggressive cyber strategy? In testimony to Congress in early 2018, the leaders of the NSA and Cyber Command pressed the case that if the United States is to prevail in the new era of cyber conflict, our forces need to be unshackled. Even if we see attacks massing, they said, the current rules of engagement keep us from attacking the attackers. It is time, they argued, to start “hacking the hackers.”
The approach Cyber Command described and detailed in its strategy documents is one of nearly daily raids behind enemy lines, looking for threats before they reach America’s own computer networks. “The United States must increase resiliency, defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage,” one of those documents said—all military-speak for taking the war to the enemy.
It was an instinct born of more than a decade of counterterrorism operations, where the United States learned that the best way to take on al Qaeda or ISIS was by destroying them at their bases and in their living rooms. But in cyber it amounts to an admission that our defenses at home are wildly insufficient and that the only way to win is to respond to every perceived threat. As with many of Trump’s new strategies, taken to its logical extreme this approach carries enormous risks of miscalculation and escalation. To pull it off, the United States would have to scrap the requirement that the president authorize every destructive cyberattack. Cyber operations would begin to look more like evening raids conducted by Special Operations Forces. The problem is that when other countries adopt the same strategy, as inevitably they will, the chances rise dramatically that cyberattacks will accelerate and could trigger a shooting war, or worse.
* * *
—
So what is to be done?
The first step is to recognize the folly of going on offense unless we have a good defense. We would be lucky to seal up three-quarters of the glaring vulnerabilities in American networks today. But the best way to deter attack—and counterattack—is deterrence by denial. That requires a major national effort, far beyond the civil defense projects of the 1950s when the United States built a highway system that could evacuate civilians and dug shelters in large cities. A parallel effort to secure America’s cyber infrastructure has often been discussed, but it has never happened. It is complicated by the fact that the main targets of attack are in private hands. Given the complexity of the Internet, the government can’t regulate how banks, telecom firms, gas pipeline companies, and Google and Facebook design their cybersecurity. Every one of those systems is radically different.
For that reason, even after a decade of debate it’s still not clear who in the federal government, if anyone, is responsible for defending the country—and the economy—from the most sophisticated cyberattacks. Homeland Security is supposed to “coordinate,” but just as we expect the Pentagon to defend the United States against incoming missile attacks, there’s a presumption that it will defend American companies and individuals against sophisticated, state-sponsored hacks (but not against scammers, teenage hackers, and trolls living in Saint Petersburg). It’s time to get real. The government isn’t going to play a role in protecting American institutions except when it comes to the most critical of infrastructures: the electric grid, the voting system, the water and wastewater systems, the financial system, and nuclear weapons. Once we’ve understood this fact, we need a Manhattan Project to lock down our most critical systems. That will take presidential leadership.
Even then, civil defense will not be close to enough. One of the lessons of the past few years is that the dynamic of cyberattacks is completely different from what we grew accustomed to during the superpower standoffs of the twentieth century. We have to adjust our strategy to reflect that we will be far more vulnerable than almost any other major nation for years to come. As Michael Sulmeyer, a former Pentagon official now running a Harvard cyber initiative, has observed, “When it comes to cyberspace…the United States has more to lose than its adversaries because it has gone further in embracing innovation and connectivity without security. But although the societies and infrastructure of Washington’s adversaries are less connected and vulnerable, their methods of hacking can still be disrupted….
“If the United States hopes to win,” he continued, “it should spend less time trying to persuade its competitors that it is not worth hacking and more time preempting them and degrading their ability to do so. It is time to target capabilities not calculations.”
What does that mean in the real world? Obviously, the United States is not going to respond to every cyberattack; we would be in constant low-level war. Not every cyberattack needs a cyber response.
Criminal attacks should be handled as other crimes are handled—with vigorous prosecution. The United States is getting better and better at that: the indictments of Iranian and Chinese hackers—even if they are still at large—and the extradition of a major Russian cyber criminal in 2018 show there are ways of responding short of treating every hack as if it is an attack.
And as in everything else in global affairs, red lines matter. So when trolls from the Internet Research Agency began bombarding the United States with fake news from fake accounts—with the intent of meddling in an American election—they needed to be delisted from Facebook. (That happened, but not until well after the election.) If the agency remained undeterred, its servers needed to be melted down, courtesy of our cyberweapons. The servers would be replaced, of course, perhaps quickly. But the message would be sent, and the Russians would know that the United States was able and willing to respond.
And while the intelligence agencies would insist on secrecy, that would defeat the point: for our response to deter attackers, it needs to be very public—as public as an American airstrike on a chemical-weapons plant in Syria, or an Israeli strike on a nuclear reactor. Every time we respond quietly—or not at all—to an attack because we are worried about revealing the quality of our detection systems or the capability of our weapons, we only encourage escalation and further cyber strikes from our adversaries.