Our So-Called Foreign Policy: U.S. Cyber Strategy Still Seems Full of Holes

Tags

arms control, asymmetrical war, China, cyber-war, deterrence, Iran, James Clapper, Joseph S. Nye, multilateralism, North Korea, nuclear weapons, Obama, Our So-Called Foreign Policy, Politico, Project Syndicate, Russia, treaties

Terrorism has understandably grabbed all the recent national security headlines lately, but two big articles this week have also valuably reminded us that major cyber threats still loom. Unfortunately, these pieces also (unwittingly) remind of all the reasons to worry that Washington still doesn’t have its arms around two of the biggest challenges facing the nation on the cyber front. The first is the asymmetry issue, which is a fancy way of saying that many of America’s current and likely cyber adversaries have much less to lose than the United States in a computer-war exchange. The second is the unlikelihood that the kinds of legalistic foreign policy approaches favored by much of the American establishment can meet this challenge.

Actually, the asymmetry issue has several cyber-related dimensions. One, widely noted (and especially by Chinese strategists), is that today’s civilian computer networks, whose development has long emphasized openness and information sharing, are vulnerable to attacks even from relatively low-tech countries. So for that reason alone, cyber-war can be a great geopolitical equalizer.

The second, however, is less widely noted. As I’ve written, the decision to launch a cyber attack against an adversary with significant cyber-war capabilities of its own rests on much more than a calculation of whether any assets the attacker values (its own cyber forces, its other military forces, its economy or broader society) can survive a retaliatory strike in meaningful form. This decision also hinges on more than how “meaningful” is defined for one or both parties to the conflict. It depends as well on a more fundamental, more political assessment regarding how much pain the two countries and societies can withstand.

Paradoxically, and especially relevant to Americans, the more advanced a country is, the less able it arguably is to deal satisfactorily with the disruptions stemming from a major cyber strike. And because the converse makes sense, too, it may not be decisive that the United States could inflict more damage in absolute terms in a cyber exchange on foes such as North Korea or Iran or Russia or even China than vice versa. The kinds of hardships stemming from the disabling of modern infrastructure could be much more tolerable for the peoples of these less developed, less prosperous countries than for Americans because much greater percentages of them rely so much less on these systems. Moreover, life without them is a much more recent memory – as are knowledge of and experience with coping.

That’s where, for all the information it contains (and keeping in mind that national cyber capabilities are closely guarded secrets), this detailed new Politico article on U.S. forces in this realm falls short. Even if America’s technological edge is as strong as portrayed, some of its adversaries might not be impressed enough to be deterred. One big possible policy implication: Asymmetry means that shoring up the nation’s cyber defenses, difficult as that is, is at least as important for ensuring cyber-security as creating matchless offenses. And as RealityChek readers know, U.S. intelligence chief James Clapper and other senior officials have said – for attribution – that these offenses actually aren’t so matchless. Another big implication – at least against China, trade and broader economic sanctions may be the most effective cyber counter-moves, since China’s dictators will struggle so to remain in power without the growing prosperity created largely by exporting to the United States.

One conclusion that shouldn’t be drawn from this cyber predicament is that a realistic way out is an international treaty or code of conduct banning or limiting cyber war. In this respect, it’s encouraging that Joseph S. Nye’s new essay for Project Syndicate is hardly a ringing endorsement of such legalisms and their effectiveness. But he does suggest that these measures can strengthen deterrence, and notes approvingly that

“major states have agreed that cyber war will be limited by the law of armed conflict, which requires discrimination between military and civilian targets and proportionality in terms of consequences. Last July, the United Nations Group of Government Experts recommended excluding civilian targets from cyberattacks, and that norm was endorsed at last month’s G-20 summit.”

Nye isn’t an Obama administration official, but he has been at the center of Democratic Party foreign policy circles for decades, and his pioneering emphasis on “soft power,” multilateralism, and other supposed substitutes for military might fits right in with Mr. Obama’s belief that world affairs is coming to be dominated by a fundamentally new, more cooperative set of dynamics and relationships. 

So it’s important to note that these ideas are simply efforts to define America’s biggest international problems – and international tensions in general – out of existence. Think about it: If the United States faced cyber-armed adversaries who were willing to abide fully by the conflict-limiting agreements they signed, these agreements wouldn’t be needed in the first place. For those countries would never take such commitments seriously unless they decided that their stake in maintaining whatever degree of (shaky) global peace and order prevails significantly outweighs whatever goals they could hope to achieve through major use of cyber-weapons – or any other weapons.

That is, if the world’s Chinas, Russias, and Irans were truly devoted to competing for influence peacefully and according to a set of rules, the rules would simply codify that reality. Their existence on a piece of paper cannot create it. And the asymmetry problem makes assuming their reasonableness (at least as Americans judge it) or perceived support for the global status quo even less reasonable.

Moreover, anyone believing that the history of nuclear arms control debunks that pessimism doesn’t understand that the various Cold War agreements signed by the United States and Soviet Union had nothing important to due with preventing armageddon. Instead, in this case, the conditions for a successful “balance of terror” – of mutual deterrence – were obviously in place. Fears of final physical destruction trumped all other considerations and produced restraint.

Sadly, there’s no evidence that any of the presidential candidates this year have better ideas. But as I wrote above, what the public doesn’t know about America’s cyber-war programs and strategies greatly (and properly) exceeds what it knows. So perhaps there’s some hope that truly realistic approaches are being developed, and that the next president will start learning about them once he or she is elected.

Following Up: Emerging Possibilities on Hacking Retaliation and a Cyber Balance of Terror

Tags

Adam Schiff, asymmetrical war, balance of terror, China, Chris Wallace, Cold War, Congress, cyber-security, cyber-war, deterrence, Following Up, Fox News Sunday, hacking, infrastructure, Martin Dempsey, nuclear weapons, Obama, Office of Personnel Management, Peter King, Russia, terrorism

Here’s a suggestion for Fox News Sunday anchor Chris Wallace – start watching some recent episodes of your own show before conducting interviews. You might be able to move the public debate on vital issues forward, rather than trodding over well-worn ground.

Wallace led off this morning’s show with a look at this past week’s news that the federal government’s personnel agency has been hacked twice in the last year, and that China is widely suspected as the attack’s source. And that’s entirely understandable. The examination of whether the Obama administration is dealing adequately with cyber threats, moreover, is vitally important. What was completely weird was how Wallace – not to mention his two Congressional guests, who both have key national security posts on the intelligence committee – handled the issue of retaliation.

It began with Representative Adam Schiff of California, ranking Democrat on the House Intelligence Committee, stating that “one of the big things that we really have to do in addition to our defense is figure out when we’re going to go on offense and how we’re going to provide a deterrent to future attacks.”

Wallace then asked Republican Congressman Peter King of New York, a member of the House Homeland Security Committee, “Do we need to retaliate against the people that we believe are conducting cyber warfare against us?” King answered, “I believe we do. I don’t think we should announce what we’re doing. I think the president and his administration have the capacity to respond once they find out, you know, sort of malware signature, who they believe this is. Then, I think, yes, there has to be a price to pay for this.”

Sounds perfectly reasonable, right? Except that only this January, no less than the nation’s top uniformed military officer told Wallace that the United States currently lacks superiority in cyber-war capabilities. According to Chairman of the Joint Chiefs of Staff Martin Dempsey, “In every domain…we generally enjoy a significant military advantage. We have peer competitors in cyber….We don’t have an advantage. It’s a level playing field, and that makes this Chairman very uncomfortable.”

Now Dempsey might have been mistaken (though that’s unlikely) or engaged in a head fake against America’s adversaries (though I can’t imagine the rationale for this one). But why didn’t Wallace remember that this is the most plausible reason for the nation’s failure to strike – fear that attackers can cause still further damage? Moreover, hadn’t Schiff or King been aware of Dempsey’s statement? If they were, do they have their own reasons for considering Dempsey mistaken?

In any event, the more I think about the issue, the more I wonder if the United States would retaliate even with clear-cut superiority. Think of it this way. Relatively few Americans nowadays – particularly in the big cities, which would be most vulnerable to a truly debilitating cyber attack – have any recent experience with the kind of privation and disruption that such a hack could create. Even most prosperous Russians and Chinese do – and then some. So even though these two countries are increasingly networked and enjoying the advantages thereof, it seems clear that they’re much better positioned to cope with cyber-generated confusion than Americans.

Another important point recently was brought to my attention. For all the damage done by foreign hackers to date, they haven’t yet (apparently) launched the kinds of attacks that could bring such massive disruptions – e.g., by bringing down the banking system, or the communications and energy infrastructure. It’s possible that these systems are adequately protected. But it’s also possible that China’s hackers in particular understand that their country would be victimized as well, since it’s so heavily dependent on exporting to the United States for continued growth and economic progress.

So although it’s certain that cyber attacks will continue, it’s also distinctly possible that many will stay relatively restrained. This could mean that America has more scope to retaliate than seems currently to be the case, but also that it has less need – and that we’ll need to (keep) getting used to greater levels of cyber risk if we want to keep reaping the benefits we perceive from more networked lives. In other words, we may be seeing the emergence of a cyber balance of terror similar to the nuclear balance of terror that helped avert great-power conflict during the Cold War. 

But there would still remain the risk of attacks from sources that don’t feel any stake in America’s continued viability, and could have even more broadly destructive aims. Dealing with these hackers – who could belong to major terrorist groups – will be complicated by the asymmetry problem: Relatively modest capabilities seem able to inflict tremendous damage on America’s economy and society.  Moreover, the perpetrators could be exceedingly difficult to track down and hack in return, and these enemies would have relatively little to lose in terms of physical assets and large-scale social systems. These observations lead me to the conclusion that the key to defeating these hackers lies not in the cyber realm but in the domain of broader counter-terrorism policies.