Vital U.S. industries like banking and telecommunications are more vulnerable than ever to cyberattacks; the military systems that ought to deter such incursions are themselves susceptible to hackers; and in any case, not all of the actors who will soon be capable of launching such destructive online strikes can be deterred.
That’s the scary takeaway from remarks Tuesday by former Pentagon cybersecurity policy chief James N. Miller.
“I don’t see the vulnerability of U.S. critical infrastructure peaking,” Miller told an audience at the Brookings Institution. “I see it going up and up and up.”
The vulnerabilities that potentially affect the military — not only in Pentagon systems themselves but also in civilian ones like the power grid that the troops rely on — are getting so severe that Miller and his colleagues on the Defense Science Board believe U.S. security is at risk.
“Down the road, I don’t see it as the case today, but down the road, we could find ourselves in a situation where a major actor, specifically Russia or China, could have the capacity not just to do significant harm to our economy [and population, through an attack on critical infrastructure] but could also, with some prospect of success, seek to blunt our military response, so that we would not have the capability … to respond effectively,” Miller said. His conclusion echoes that of a report on cyber-deterrence the board published earlier this year.
Miller was undersecretary of Defense for policy until October 2014, and his remarks came as the Pentagon released its annual report on Chinese military power. The report states that China’s People’s Liberation Army, or PLA, believing that its own cyberwar capabilities lag those of the U.S., has reorganized its forces, emulating U.S. Cyber Command in combining offensive and defensive capabilities under a single organization.
The Strategic Support Force, or SSF, is “a new organization established in late 2015 reportedly to guide the PLA’s space, cyber, and [electronic warfare] missions,” states the report. “The establishment of the SSF … may represent the first step in developing a cyber force that creates efficiencies by combining cyber reconnaissance, attack, and defense capabilities into one organization. PLA writings reference U.S. Cyber Command as effectively consolidating cyber functions under a single entity and streamlining leadership. They acknowledge the benefits of unifying leadership, centralizing the management of cyber resources, and combining its offensive and defensive cyber capabilities under one military organization.”
“China believes its cyber capabilities and personnel lag behind the U.S.,” states the report, adding that “China’s 2015 defense white paper identified cyberspace as one of four ‘critical security domains’” alongside the oceans, space, and nuclear.
Both cyber and space warfare present a risk of escalation, Miller said, because of the temptation for an enemy to “go early” to gain a quick advantage. A cyberattack especially, because it often can offer a fig leaf of plausible deniability if things go wrong, is “going to look very low risk,” he said.
Beyond what the Pentagon calls “near peer” competitors like Russia and China, Miller warned that other online actors — rogue nations like North Korea, regional powers like Iran and even non-state groups like ISIS or Anonymous — are developing capabilities that could soon inflict huge damage on U.S. infrastructure.
“We can’t count on deterrence to work against some of these actors,” he said. “They might be willing to take a chance.”