Two months into his presidency, Barack Obama significantly expanded America's first sustained cyber warfare program, code-named Olympic Games. The expansion of the program was one element of President Obama's "light-footprint strategy" that David Sanger, the chief Washington correspondent for the New York Times, points to in his account of the president's efforts to control the rapidly developing 21st-century arms race. However, as Michael Joseph Gross writes in a recent piece for Vanity Fair, "America's bid to prevent nuclear proliferation may have unleashed a greater threat."
A report released earlier this year by a Defense Science Board task force makes clear that the U.S. is woefully unprepared for this new domain of warfare. Indeed, since the Stuxnet virus was inadvertently uploaded to the World Wide Web, the number of reported cyber attacks against U.S. networks has multiplied. Given these reports and the multiple warnings by officials such as Richard A. Clarke, counter-terrorism chief in both the Bill Clinton and George W. Bush administrations, that cyber weapons can cripple critical infrastructure facilities, why have the Clinton, Bush, and then Obama administrations failed to deal successfully with the problem posed by America's private-sector vulnerability to cyber technology?
For one, Clarke writes in his book Cyber War, there are very few people calling for an overhaul of the cyber security sector. After the Cold War, the United States and the Soviet Union were able to agree to several major nuclear disarmament treaties because there was a widespread fear of mutual total destruction. Cyber attacks are another matter. Unlike nuclear bombs, cyber attacks on U.S. systems have caused little visible destruction, and thefts of intellectual property and computer malfunctions seem to fly below the radar of government, media, and public attention.
However, many of these attacks may have done more than simply swipe information from U.S. computers. Authorities investigating cyber intrusions into U.S. networks have discovered software tools left behind "that could be used to destroy infrastructure components." Such virtual explosives include "logic bombs," which, when activated, erase all the software on a computer, and "trapdoors," which allow hackers to access networks more quickly and easily in the future.
Second, American networks are vulnerable by design. With such a far-flung supply chain, flaws can be introduced into hardware or software, accidentally or otherwise, during production. Moreover, according to Clarke, when the Defense Department began to use commercial off-the-shelf (COTS) software instead of custom-made in-house software, it "brought to the Pentagon all of the same bugs and vulnerabilities that exist on your own computer." Indeed, in the past decade several studies have been released that identify a correlation between the expanded use of COTS products and an increase in program failures.
Third, past and current administrations have had difficulty securing U.S. cyber connections because few nations use computer networks as extensively as the U.S. to control information flow, the distribution of public goods, banking, and military systems. Indeed, as Mike McConnell writes, the United States is "the most wired nation on Earth." In contrast, states such as Afghanistan and North Korea, as well as non-state actors, have so few systems supported by cyber connections that a major cyber war attack against any of them would cause minimal, if any, damage.
Due to the highly wired nature of the nation, the U.S. needs to invest in and maintain active defenses in cyberspace, a concept that seeks to identify and even neutralize threats before they hit a primary network. For example, if the nation's critical infrastructure came under attack from malicious code associated with a foreign network, the first effort would be to activate network defenses and "pull up the drawbridge and prevent the attack, that is to say, block or defend." However, although China may have the ability "to disconnect all Chinese networks from the rest of the global Internet," as Clarke says, the United States government is unable to retreat into cyber isolation. Approximately "90% of the nation's critical infrastructure is owned by the private sector." The private owners and operators of said infrastructure are so politically powerful that they are able to routinely prevent or reduce government regulation of their operations. This often impedes government attempts to secure private-sector cyber connections, as witnessed in August of 2012 when the Lieberman-Collins cyber defense compromise died on the Senate floor.
Cyber warfare does not fit neatly within the framework of traditional laws of armed conflict. In anticipation of hostilities, nations are already preparing the battlefield, effectively blurring the line between peacetime and war. This ongoing nature of cyber war adds a dangerous new element of instability, one that needs to be openly addressed among the international players before the small preemptive acts taking place spiral out of control and lead to a wider war.