Opinion: The intellectual mistakes that crippled U.S. cyber policy
No other domain has emerged so poorly in Department of Defense planning as cyber.
The U.S. military enjoys dominance in all the other domains — land, sea, air and space. But it has fumbled badly with cyber. Today, cyberspace remains the domain where adversaries, criminal groups and terrorists operate largely freely. Indeed, if it were not for the internet, al-Qaida and the Islamic State would likely not exist today. Moving its radicalization efforts online saved al-Qaida. Cyberspace provides China and Russia the means to oppress and control citizens domestically, conduct information and influence operations inside the U.S., steal billions in intellectual property, threaten U.S. critical infrastructure, violate U.S. sovereignty daily and manipulate and extort the U.S. private sector.
A few intellectual missteps by various U.S. government agencies made integrating the domain into a strong national security strategy especially worse — misreadings or unresolvable debates that continue to hamper strong U.S. strategy in cyberspace. Here are two.
First was the almost strange reluctance of many to treat cyberspace as a military domain. The State Department wanted cyberspace to be treated like a U.S. public library — open to everyone, like a national park, where all citizens worldwide could exchange information, science and learning free from competition or control. This was naïve in the extreme. Of course, the authoritarian states viewed the internet as a threat to their control of information at home and conversely a means to steal intelligence and property abroad, as well as to emplace disruptive code on U.S. critical infrastructure and weapon systems to deny U.S. civilian and military function.
It took a decade to disabuse the State Department from such a naïve attitude and for it to admit that cyberspace is a domain where adversaries operate nefariously. The legacy of this debate still lingers in many ways, particularly in ongoing attitudes toward promoting diplomacy or norms to advance U.S. attitudes toward freedom of expression through cyberspace worldwide.
The Biden administration’s approach to cyber policy reflects a view that the U.S. must be careful and cautious in cyberspace, lest it suffer condemnation — even from allies — for a perceived, heavy-handed cyber presence. Of course, many claim the opposite is true — that the malicious cyber states (China, Russia, North Korea and Iran) overwhelmingly dominate cyberspace (other than in espionage) and the liberal democracies consistently under-perform, under-react and under-punish the malign cyber actors.
Second was the idea that the Pentagon only cares about cyberspace attacks on U.S. government facilities inside the U.S. and not criminal or state intrusions on the private sector. This blunder continues to this day. Most in the federal government have the attitude that — in cyberspace — the DOD protects the U.S. military and American critical infrastructure, but the private sector’s (cyber) defense is its own responsibility. Only secondarily is private sector cyber defense the responsibility of the government – and only the (indirect) responsibility of the Department of Homeland Security and the FBI. This, too, is strangely naïve.
If a North Korean strategic bomber penetrated U.S. airspace and surgically bombed just Sony Pictures in Culver City, Calif., for having the temerity of producing a mocking comedy of the North Korean leader, the DOD would most certainly be quite involved in confronting that bomber and defending U.S. airspace and the American-based company. Who doubts this?
But on Nov. 24, 2014, North Korea conducted a cyberspace attack on Sony Pictures, destroying millions of dollars’ worth of computers, threatening to attack moviegoers who attended the Sony movie, “The Interview,” stealing personally identifiable information of employees and their dependents, including email messages, information about executive salaries, copies of unreleased Sony films, bank and credit card accounts and stole over 100 terabytes of data. At the time, President Obama chose to describe the attack as “cyber vandalism” — not even an attack, let alone an armed attack, which it most certainly was. What North Korea did to Sony was a cyberspace attack and armed attack, as understood by international law, since it resulted in permanent destruction (of numerous computers).
It does not matter if Chinese state actors or Russian criminal groups attack a small U.S. business via cyberspace or the East Coast electrical grid; such acts are cyberspace attacks. If such attacks create physically destructive effects, such as changing the network’s information, permanent function denial or hard drive destruction, they rise to the legal definition of armed attack. A proportional response and subsequent preemptive acts of self-defense to such cyberspace attacks are legal and appropriate. No state has any right to attack anything.
Similarly, ransomware is a cyberspace attack unequivocally — an act that creates denial effects. Many inside the federal government consider ransomware attacks on U.S. critical infrastructure as a legitimate concern, responsibility, and focus of the DOD (though mostly as something that needs to be defended against, only), whereas if states, criminal groups or terrorist groups attacked U.S. private entities, these very leaders believe the Pentagon ought to disregard such attacks and refer them to DHS and the FBI as criminal activity.
Many policymakers have been prejudiced by the post-war appearance that warfare is something conducted over there. Since WWII, the U.S. has positioned forces to fight on other people’s territory — that was U.S. strategy, and a smart one. But most wars are fought on one’s own territory; civil wars are always fought on one’s territory and always involve the military. It is not strange or awkward in the least to use the U.S. military to defend Americans at home. Reluctance to do so is mere strategy myopia, most especially in the age of cyberspace where operations are conducted instantaneously, launched from one computer into U.S. territory, with little chance to interdict such operations in transit or in neutral or international space.
Viewing ransomware cyberspace attacks as not concerning to the U.S. military is fundamentally wrong and utterly prejudices attitudes, policy and strategy. The U.S. will never successfully address cyberspace attacks against the U.S. private sector if it considers it outside the Pentagon’s purview. Such passivity signals to adversaries that they can steal from or attack any U.S. target inside the country just as long as they do not attack American critical infrastructure or U.S. military forces. (And who decides what constitutes critical infrastructure?) Only certain critical infrastructure, the U.S. government is suggesting, will trigger a DOD response. Yet few — if any — American citizens probably think that the DOD has no role in protecting them from state or foreign criminal cyberspace attacks.
The FBI and DHS are involved only in cyberspace defense, mitigation of damage and criminal justice issues. They don’t do retaliation, preemption or deterrence. They have no role in shaping or defending international norms (beyond indictments), such as the widely accepted and well-established norms governing sovereignty, intellectual property theft and armed attack.
These intellectual blunders hurt U.S. cyberspace policy and hamstrung DOD shaping efforts in the early days of the cyberspace domain. Defending against and deterring the now daily violations of U.S. sovereignty, loss of intellectual property and adversary preparation of the environment (the emplacement of adversary cyberspace capabilities inside U.S. civilian infrastructure) requires a straightforward admission of what is happening and how similar — not different — cyberspace is to the other domains.
James Van de Velde, Ph.D., is a professor at the National Defense University, Dwight D. Eisenhower School for National Security and Resource Strategy, associate professor at the National Intelligence University and adjunct faculty at the School of Advanced International Studies, Johns Hopkins University. The views expressed in this article are those of the author and do not reflect the official policy or position of the National Defense University, the Department of Defense or the U.S. government.