Joel Brenner, a Washington lawyer and fellow at the Center for International Studies at the Massachusetts Institute for Technology, is a former inspector general and senior counsel of the National Security Agency.
U.S. military and security officials can blow things up with a keyboard and a mouse. They’ve done it. Some even say they were behind the Stuxnet cyberattack that destroyed thousands of centrifuges in an Iranian nuclear enrichment facility. Likewise, two years ago, an attack originating in Iran ruined 30,000 computers at the Saudi Aramco oil giant, and the Iranians are not as good at this kind of warfare as the Russians and Chinese. The message is clear: Weapons, along with espionage tools, can now be expressed in ones and zeros.
When a device is connected to an electronic network, it can be disabled or destroyed through commands issued on that network. This applies to missile launchers, railway switches, manufacturing tools and any other machine. If you can penetrate a network remotely to suck data out of it, you can penetrate it to corrupt it or shut it down. Information security, which is the protection of data, has converged with operational security, which is making sure things work.
Companies cannot adequately protect their own networks, and neither can the government. The Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as personal communications. Pervasive connectivity has brought dramatic gains in productivity and pleasure but has created equally dramatic vulnerabilities. Huge heists of personal information are common, and cybertheft of intellectual property and infrastructure penetrations continue at a frightening pace.
Chinese penetrations of networks at the U.S. military’s Transportation Command have been widely reported, for example, and every expert I know believes our electricity grid has been penetrated by Russia and China. Our military correctly assumes these penetrations would enable future attacks and disruptions. This is why the Pentagon announced this week that it’s pushing the construction of its own power grids at bases around the country. It knows that in times of conflict and stress, faith in the grid would be misplaced.
Cyberwarfare is not a sci-fi figment of fevered brains. It is already a feature of military operations, as we saw during the Gulf War in 1991 and in Russian operations against Estonia and Georgia. So long as the United States remains overwhelmingly powerful militarily, however, the risks of attempting a strategic cyber-strike against the United States would be enormous. Not only would the consequences of such strikes be difficult to predict and contain; they would also carry the likelihood of retaliation in conventional military terms.
But conjured images of blackouts and explosions, while they illuminate real risk, actually confuse the nature of the cyber-operations now being conducted against the United States. Chinese battle doctrine has always placed a premium on winning without fighting. In cyber terms, this means making us distrust our own communications, infrastructure and command and control. By combining our uncertainty with the real or threatened use of force, the object is to lead the opponent — that’s us — to end a confrontation on dishonorable terms. The recent cyberattack on JPMorgan Chase and nine other financial institutions suggests the Russians may be learning this lesson, which is particularly relevant for weaker opponents in asymmetric conflicts. There was evidence that this attack originated in Russia. But in the wake of the attack, the New York Times reported, “no one could tell the president what he most wanted to know: What was the motive?” An unnamed senior official reportedly said: “The question kept coming back, ‘Is this plain old theft, or is [Russian President Vladimir] Putin retaliating?’”
The question implied that the U.S. intelligence community believed that the Russian services could penetrate and perhaps take down a major U.S. bank. The FBI has since sought to play down that possibility, but it cannot rule it out.
Given that uncertainty, can anyone believe the president’s freedom of action has not already been constrained by this cyber-operation? Given our unwillingness thus far to harden our communications and infrastructure, the mere prospect of disruption is enough to influence policy. Putin is in President Obama’s head. This is what the gray space between war and peace looks like.
In the name of convenience and marginal efficiency, too many private-sector owners and operators of critical infrastructure have been unwilling to invest sufficiently in protecting the systems that make our world go round. None is willing to disconnect those systems from the Internet, which would really harden them. Congress declines to act. While it would be rash to conclude that Russia or China intend to make war on the United States, intentions can turn on a dime, while capabilities take time to build. Any nation that relies on the benign intentions of a potential adversary rather than its own capabilities is psychologically and practically unable to defend itself. This is our present state of affairs with regard to much of our critical infrastructure, and woe to us if we do not change it.