How real is the potential for cyberwar? The growing attention being given to cyberspace by policymakers and the media alike reflects an inescapable reality. With government agencies and private companies under frequent attack in cyberspace, and with incidents of cyber espionage increasing in both intensity and frequency, it would be fair to say that the U.S. is already engaged in battle in cyberspace.
Still, a consensus about the nature and immediacy of the threat remains elusive. Take, for example, the recent article in the journal Foreign Policy by Thomas Rid. In it, Rid, a scholar at King’s College, London, argues that cyberwar is by no means imminent, and the cyber threat as a whole grossly overstated since no country has demonstrated a truly sophisticated cyber attack, and no evidence exists of such an event causing mass casualties.
Rid’s analysis, however, rubs up against some difficult realities. While not yet a weapon of mass destruction, cyber attack has steadily migrated into the mainstream as a potent tool of asymmetrical conflict. In Russia’s brief 2008 war with Georgia, for example, hackers commissioned by the Russian government disrupted Tbilisi’s command, control and communication architecture as part of a cyber attack carried out in combination with traditional ground force attacks. More recently, the Islamic Republic of Iran has come under repeated cyber attack as a result of its nuclear ambitions.
Such capabilities, moreover, could be leveled against the U.S. in a future conflict. Already, hackers are known to be searching for weaknesses in both civilian and military networks. In late March, the head of U.S. Cyber Command, Gen. Keith Alexander, revealed to the Senate Armed Services Committee that China was behind last year’s attack on RSA, a renowned security company. Moreover, there are signs that both China and Russia are snooping around U.S. military networks to seek out U.S. vulnerabilities — as well as for economic espionage.
And while Beijing and Moscow may have the capability but not the intent to perform a massive cyber strike, the same might not be true for Iran — a recent victim of cyber attack — or of North Korea as pressure mounts on them to halt their respective nuclear programs.
Yet, despite the growing complexity of cyber threats arrayed against the U.S., a comprehensive solution is missing.
From a positive standpoint, both the executive and legislative branches have made efforts to increase funding for cybersecurity initiatives. Congress has helped the budget of the Department of Homeland Security’s National Cyber Security Division surge from $363 million in fiscal 2011 to $443 million in 2012.
And if the Obama administration has its way, those funds will rise still further, to as much as $769 million in fiscal 2013.
Money is one thing; however, vision quite another. And a unifying vision for cyberspace is still strikingly absent. Instead, each chamber of Congress is putting forward its own competing thoughts on what such a strategy should look like, with more than a bit of acrimony and partisan politics mixed in.
In the House, this has taken the form of the Cyber Intelligence Sharing and Protection Act, which allows the government to share information about potential cyber attacks with the private sector and for companies to voluntarily reciprocate and provide information about new cyber threats to the government. Yet, despite enjoying the backing of the corporate world, it is unlikely to pass in the Senate as a result of partisan opposition and pressure from the White House.
In the Senate, meanwhile, two competing cyber bills are under consideration. The Cybersecurity Act of 2012 is controversial because it would force designated private-sector industries that are deemed part of the national critical infrastructure to maintain certain IT requirements for their networks, posing a potential financial burden.
Meanwhile, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act of 2012 requires information from private-sector companies be shared with the National Security Agency in the Defense Department, not just the DHS.
In other words, the only thing clear at the moment is that there is a lack of a coordinated approach to handling the cyber threat.
It is imperative that Congress and the White House move decisively to ensure not only that resources are in place to counter the mounting cyber threats confronting the U.S., but that there is a clearly defined plan for oversight and response to cyber crimes and attacks.
The emphasis on providing enhanced cybersecurity to our defense-industrial base and critical infrastructure is important, but focus also should be concentrated on protecting military network infrastructure and ensuring that supply chains for critical military hardware and software are not compromised.
The time to do so is running out. For the moment, cyber weapons may not have the ability to create a devastating attack on the U.S. But if hackers are continually testing our civilian and military network vulnerabilities and we are not vigilant, then when war comes with a sophisticated cyber power we may find ourselves severely outgunned.
Richard Harrison, a research fellow and program officer at the American ForeignPolicy Council in Washington.