Imagine, for a moment, that a cyber attack causes the United States to lose control of a regional electrical grid or a nuclear power plant. It’s a nightmare scenario that would change life as we know it. Although it sounds more like a lofty movie plot, it’s also never been closer to actually happening. Just last March, the U.S. government publicly accused Russia of a years-long barrage of cyber intrusions that penetrated critical infrastructure systems in America and Europe. This attack is part of a long list of major cyber threats against the U.S. that are going largely unanswered.
The U.S. should be controlling the dynamics of the cyber battlefield. It’s not. It has instead preferred responding to attacks conservatively with some combination of “naming-and-shaming,” indictments, and sanctions. This approach is exhausted. The U.S. needs to employ far more offensive tools if it wishes to prevent something catastrophic from occuring.
Our Adversaries “Don’t Fear Us”
In sobering remarks to the Senate Armed Services Committee in March, Lt. Gen. Paul Nakasone* (then-Trump administration nominee for the N.S.A. and U.S. Cyber Command) stated that U.S. adversaries haven’t suffered many consequences. “They don’t fear us,” Nakasone told the Committee. “They do not think that much will happen to them.” His lack of confidence in our current strategy should speak for itself.
Russia’s high-profile interference in the 2016 presidential election has been met with the same response that Nakasone says isn’t working: public condemnation, sanctions and indictments. And Russia evidently has not been dissuaded from continuing to interfere in American affairs. North Korea’s attack on Sony was met with similar public condemnation that fell on deaf ears. There’s no reason to believe that continued sanctions or public attribution will do anything to slow down belligerent groups.
Responding in Kind
Although it’s tempting to avoid escalating cyberwarfare, America’s adversaries have shown total willingness to do so themselves. The result is the U.S. being quickly left with no choice but to change its strategy.
It’s no secret that the U.S. has the alleged capability to produce its own devastating cyber weapons. Just look at the success of the Stuxnet virus on Iranian nuclear centrifuges. Stuxnet is one of the few documented examples of a cyber attack that resulted it physical damage. It was a targeted virus designed to degrade mechanical infrastructure. Why hasn’t the U.S. replicated it in some form? Russia’s continued interference in American institutions and Iran’s preparation of its own infrastructure attacks on the West should all qualify for a robust cyber response from America, not endless rounds of sanctions.
Russia’s penetration of U.S. critical infrastructure is disturbing to say the least and joins the ranks of several troubling cyber threats in 2018. Dan Coats, the Director of National Intelligence sounded the alarm on Russian hacking in July. “The warning lights are blinking red,” Coats said. “...The digital infrastructure that serves this country is literally under attack.”
Public shaming, indictments, and sanctions - although traditional and proportionate - are simply not effective means of cyber attack deterrence. The U.S. needs to make it clear, either through advertisement or action, that it has the capability and willingness to inflict equal or greater damage. This will may require an uncomfortable escalation of tactics. But, given America’s vulnerabilities, failing to act will surely result in something worse.
*General Nakasone has since been confirmed as the Director of NSA and Commander of USCYBERCOM.