Following Up: U.S. Again Confirms it Lacks Cyber-War Superiority

Tags

cyber-security, cyber-war, David Sanger, deterrence, Following Up, James Clapper, Martin Dempsey, technology, The New York Times

The Big Media’s habit of burying the most important news – or its most uproarious gaffes – just keeps growing and growing. Yesterday, I posed on the Financial Times‘ hilariously sympathetic portrait of American tech executives – who clearly conned two reporters into thinking they often served as diplomatic intermediaries between Washington and Beijing, and selflessly kept U.S.-China relations on a safe course that was continually threatened by reckless politicians. Completely ignored by the paper was the companies’ overriding self-interest in preserving China profits that too often have been made at the American domestic economy’s expense – and the resulting, often furious, lobbying, that has dominated their China policy role.

Today’s example is much more serious: A New York Times account of American struggles to combat cyber-hacking by China and other rivals that glossed over the latest official U.S. acknowledgement that America lacks the technological superiority required to retaliate against cyber-aggression without fear of a devastating response.

At least give Times reporter David Sanger credit for mentioning at all a statement by U.S. intelligence chief James Clapper that the United States lacks “both the substance and the mindset of deterrence” in the cyber-war realm. This confession went unreported outside specialty publications and website, if a Google search for the quote is accurate.

Admittedly, Clapper’s statement is somewhat ambiguous. A deficiency in the “substance” of deterrence could mean that technology capable of striking back at hackers and their sponsors with impunity simply isn’t available at all, or to U.S. policymakers. But Clapper’s reference to the “mindset” could also mean that this knowhow is available but hasn’t been deployed by the appropriate government agencies, or that it’s close enough to being developed but that a lack of political will keeps slowing progress.

In any event, Clapper’s sobering description of the global cyber-war situation sounds ominously close to that offered in January by retiring U.S. Joint Chiefs of Staff Chairman Martin Dempsey – which you RealityChek readers learned about first! And as long as cyber attacks remain a threat to America’s national and economic security, that means that the U.S. government, corporate America, and vital infrastructure systems all remain dangerously vulnerable.

Our So-Called Foreign Policy: The Big Backfire Potential of Obama’s Reported New Cyber-Security Policy

Tags

China, cyber-security, cyber-war, hacking, Martin Dempsey, Obama, Our So-Called Foreign Policy, Washington Post

If Rule Number One in medicine is “Do No Harm,” then Rule Number One in foreign policy-making is surely “Do No Harm to Your Own Country.” Which is why the Washington Post‘s report this morning on the latest wrinkle in the Obama administration’s cyber-security strategy is such bad news if it’s true.

According to Post reporter Ellen Nakashima, the president is seriously considering retaliating against China’s cyber-attacks on American business in significantly stronger ways. At first glance, this kind of decision seems welcome. After all, unlike Chinese (and other) hacks of U.S. government agencies, attacks on business don’t qualify as just the newest version of the kind of national security-related spying that’s common practice by all the world’s governments, including America’s. The administration has responded so far mainly by complaining to Beijing, urging the negotiation of international cyber “rules of the road,” and by indicting a handful of Chinese military personnel for penetrating American corporate computer systems – to no apparent avail.

But the likeliest effect of this report – much less an actual U.S. decision to take the steps described – is to advertise American weakness on this front, not strength, and encourage still more, and more destructive, Chinese (and other) attacks. The reason is simple. The retaliatory moves supposedly being mulled by Mr. Obama wouldn’t target the Chinese economy as such. Instead, they would be aimed at “Chinese companies and individuals who have benefited from their government’s cybertheft.”

Targeted sanctions arguably make sense when companies and individuals are the real culprits. But does anyone seriously think that whatever and whoever Chinese actors are hacking American companies are free agents having nothing to do with the Chinese government – and in fact the top Chinese leadership? Of course not.

One former Obama cyber security official quoted (by name) in the article argued that the contemplated sanctions could effectively put out of business any large and global companies that are sanctioned. Why so? Because, as he explained “most significant financial institutions refuse to do business with individuals who have been sanctioned by the United States. ‘So any company that’s been targeted under this authority…will likely find it very difficult to participate in the international financial sector. ‘”

That reasoning sounds impressive – but only if the sanctions hit one of the state-owned business giants so prominent in the Chinese economy. Any entities even modestly smaller would seem to face few obstacles under China’s fake legal and regulatory systems in dodging retaliation by simply changing their names and resuming operations after a decent interval. The Chinese government is so secretive that Washington would face excruciating difficulties even identifying the ruse.

And since both the Chinese government and the U.S. government are undoubtedly aware of all these realities, it’s hard to avoid concluding that this new American approach amounts to (unwittingly) flashing a green light for Beijing’s hackers, not issuing a credible warning. And this interpretation looks even more convincing given the statement I’ve flagged from recently retired Chairman of the Joint Chiefs of Staff Martin Dempsey (while he was still on duty) that the United States does not enjoy cyber-war superiority in today’s world. Just to remind you – that’s the American military’s top post.

As a result, no one should blame President Obama for proceeding cautiously in the cyber warfare realm. But he can legitimately be blamed for making – and telegraphing – policy choices that can only embolden U.S. adversaries.

Our So-Called Foreign Policy: A Miss and a Possible Hit for the New Pentagon Strategy Statement

Tags

China, cyber-security, Defense Department, ISIS, Martin Dempsey, multinational corporations, National Military Strategy, national security, Our So-Called Foreign Policy, Pentagon, Putin, QDR, Quadrennial Defense Review, Russia, technology transfer

It’s always hard to know how seriously to take the national security and military strategy documents periodically issued by the White House and Defense Department. On the one hand, it’s clear that they’re the products of lots of person-hours and resources; a few years ago, in fact, I was honored by an invitation to participate in a skull session held in connection with one of the Quadrennial Defense Review reports.

On the other hand, it’s difficult to contend that these exercises result in any meaningful change. Sure, points of emphasis come and go – the new National Military Strategy (NMS) document just published by the Pentagon (the first since 2011) generated some news coverage (and complaints from Moscow) by pointing to a growing threat from Vladimir Putin’s Russia. And of course, it was the first such statement that mentioned ISIS. But the new NMS seems dominated by the usual declarations that the United States has global security interests (not its authors’ fault – setting the broader national security strategy is the job of elected and appointed political leaders, not them) and that the nation will defend and advance these wide-ranging functional and geopolitical objectives with whatever kinds of American and allied military forces and related resources are needed.

Nonetheless, two features of the NMS are arguably newsworthy:

>First, judging by the NMS, the U.S. military has no clue that the nation needs to start moving aggressively to curb the transfer of advanced militarily relevant technology abroad by American multinational businesses. The document actually leads off by noting, “Complexity and rapid change characterize today’s strategic environment, driven by globalization, the diffusion of technology, and demographic shifts” and then fretting that “When applied to military systems, this diffusion of technology is challenging competitive advantages long held by the United States such as early warning and precision strike.”

As should be clear to anyone educated enough to read a newspaper, cyber-hacking capabilities should be added to this list (and they are later in the NMS). In fact, as I’ve noted, America’s top military officer, Chairman of the Joint Chief of Staff General Martin Dempsey, has publicly admitted that the United States no longer enjoys superiority in this critical sphere. But what should be even clearer is that when U.S. high tech companies in particular set up labs and training centers in China in particular, or invest in Chinese technology companies, they not only greatly strengthen China’s military, but they just as greatly boost the odds that dangerous devices and knowhow find their way to places like North Korea and Iran. A related problem: U.S. allies, described in the NMS as comprising “a unique strength that provides the foundation for international security and stability,” have often been more reckless than Washington in permitting the spread of these technologies.

Greater efforts at technology denial per se won’t solve this problem – largely because so much of this dangerous cat has been let out of the bag. But good luck with even maintaining a usable American technological edge on the military front if the world’s most advanced creators of high tech products and services remain so largely free to feed the Chinese beast.

>Second, Dempsey’s Foreward to the NMS contains a genuinely remarkable statement that would merit much greater discussion if it received any elaboration in the document. It didn’t, but contrasts so stunningly with the literally universalistic objectives that have dominated American strategy since Pearl Harbor that I need to spotlight it anyway.

According to Dempsey (in a poorly structured sentence), “We are more likely to face prolonged campaigns than conflicts that are resolved quickly…that control of escalation is becoming more difficult and more important….” And then he adds this kicker: “…as a hedge against unpredictability with reduced resources, we may have to adjust our global posture.”

It’s standard for military leaders to warn that the nation’s security commitments are threatening to exceed the resources available to meet them, and the NMS itself pointedly observes that “We will not realize the goals of this 2015 National Military Strategy without sufficient resources. Like those that came before it, this strategy assumes a commitment to projecting global influence, supporting allies and partners, and maintaining the All-Volunteer Force.” But by adding “unpredictability” to simple budgetary uncertainty as a reason for reconsidering the nation’s worldwide objectives, it looks like Dempsey is at least thinking along substantially different lines.

Again, since this statement is a standalone, it’s hard to know how much importance it merits, and whether there will be any follow-up anywhere in the Pentagon. One thing that is certain: Dempsey’s comment about adjusting the nation’s global posture, which I’ve argued is an essential step in strengthening its security, didn’t appear in the NMS by accident.

Following Up: Emerging Possibilities on Hacking Retaliation and a Cyber Balance of Terror

Tags

Adam Schiff, asymmetrical war, balance of terror, China, Chris Wallace, Cold War, Congress, cyber-security, cyber-war, deterrence, Following Up, Fox News Sunday, hacking, infrastructure, Martin Dempsey, nuclear weapons, Obama, Office of Personnel Management, Peter King, Russia, terrorism

Here’s a suggestion for Fox News Sunday anchor Chris Wallace – start watching some recent episodes of your own show before conducting interviews. You might be able to move the public debate on vital issues forward, rather than trodding over well-worn ground.

Wallace led off this morning’s show with a look at this past week’s news that the federal government’s personnel agency has been hacked twice in the last year, and that China is widely suspected as the attack’s source. And that’s entirely understandable. The examination of whether the Obama administration is dealing adequately with cyber threats, moreover, is vitally important. What was completely weird was how Wallace – not to mention his two Congressional guests, who both have key national security posts on the intelligence committee – handled the issue of retaliation.

It began with Representative Adam Schiff of California, ranking Democrat on the House Intelligence Committee, stating that “one of the big things that we really have to do in addition to our defense is figure out when we’re going to go on offense and how we’re going to provide a deterrent to future attacks.”

Wallace then asked Republican Congressman Peter King of New York, a member of the House Homeland Security Committee, “Do we need to retaliate against the people that we believe are conducting cyber warfare against us?” King answered, “I believe we do. I don’t think we should announce what we’re doing. I think the president and his administration have the capacity to respond once they find out, you know, sort of malware signature, who they believe this is. Then, I think, yes, there has to be a price to pay for this.”

Sounds perfectly reasonable, right? Except that only this January, no less than the nation’s top uniformed military officer told Wallace that the United States currently lacks superiority in cyber-war capabilities. According to Chairman of the Joint Chiefs of Staff Martin Dempsey, “In every domain…we generally enjoy a significant military advantage. We have peer competitors in cyber….We don’t have an advantage. It’s a level playing field, and that makes this Chairman very uncomfortable.”

Now Dempsey might have been mistaken (though that’s unlikely) or engaged in a head fake against America’s adversaries (though I can’t imagine the rationale for this one). But why didn’t Wallace remember that this is the most plausible reason for the nation’s failure to strike – fear that attackers can cause still further damage? Moreover, hadn’t Schiff or King been aware of Dempsey’s statement? If they were, do they have their own reasons for considering Dempsey mistaken?

In any event, the more I think about the issue, the more I wonder if the United States would retaliate even with clear-cut superiority. Think of it this way. Relatively few Americans nowadays – particularly in the big cities, which would be most vulnerable to a truly debilitating cyber attack – have any recent experience with the kind of privation and disruption that such a hack could create. Even most prosperous Russians and Chinese do – and then some. So even though these two countries are increasingly networked and enjoying the advantages thereof, it seems clear that they’re much better positioned to cope with cyber-generated confusion than Americans.

Another important point recently was brought to my attention. For all the damage done by foreign hackers to date, they haven’t yet (apparently) launched the kinds of attacks that could bring such massive disruptions – e.g., by bringing down the banking system, or the communications and energy infrastructure. It’s possible that these systems are adequately protected. But it’s also possible that China’s hackers in particular understand that their country would be victimized as well, since it’s so heavily dependent on exporting to the United States for continued growth and economic progress.

So although it’s certain that cyber attacks will continue, it’s also distinctly possible that many will stay relatively restrained. This could mean that America has more scope to retaliate than seems currently to be the case, but also that it has less need – and that we’ll need to (keep) getting used to greater levels of cyber risk if we want to keep reaping the benefits we perceive from more networked lives. In other words, we may be seeing the emergence of a cyber balance of terror similar to the nuclear balance of terror that helped avert great-power conflict during the Cold War. 

But there would still remain the risk of attacks from sources that don’t feel any stake in America’s continued viability, and could have even more broadly destructive aims. Dealing with these hackers – who could belong to major terrorist groups – will be complicated by the asymmetry problem: Relatively modest capabilities seem able to inflict tremendous damage on America’s economy and society.  Moreover, the perpetrators could be exceedingly difficult to track down and hack in return, and these enemies would have relatively little to lose in terms of physical assets and large-scale social systems. These observations lead me to the conclusion that the key to defeating these hackers lies not in the cyber realm but in the domain of broader counter-terrorism policies.

Following Up: U.S. Confirms It Lacks Cyber-War Superiority

Tags

China, cyber-security, cyber-war, escalation dominance, Following Up, Joint Chiefs of Staff, Martin Dempsey, North Korea, nuclear weapons

Last month, I speculated that the U.S. government hasn’t responded devastatingly to hacking by China and North Korea (at least according to official charges) because it lacks escalation dominance in cyber-security. In other words, Washington is afraid to hit back hard at the hackers because it fears the hackers can hit America back harder still.

Now for the really bad news: I was right. And we know this from no less than General Martin Dempsey, Chairman of the Joint Chiefs of Staff.

Dempsey, the nation’s top uniformed military leader, told Fox News on Sunday that “In every domain…we generally enjoy a significant military advantage. We have peer competitors in cyber….We don’t have an advantage. It’s a level playing field, and that makes this Chairman very uncomfortable.”

Indeed, in a crucial sense, lack of U.S. escalation dominance in cyber-war is worse for Americans than the erosion of nuclear escalation dominance in East Asia about which I’ve also warned. The latter, after all, will mainly affect the security of American allies – because it could weaken Washington’s willingness to threaten nuclear weapons use in order to protect them. The United States’ ability to deter a nuclear attack on its own homeland still looks dependable – both because America’s own nuclear forces remain so formidable compared to any adversary’s, and because the use of nuclear weapons in a way that’s mutually non-catastrophic for attacking and retaliating country alike is so implausible, given the immense destructiveness of even one such device.

But escalation dominance in the cyber theater is vital for protecting major U.S. institutional targets, not allies. And since cyber-attacks can be calibrated much more easily, tit-for-tat exchanges are easily imagined.

As a result, cyber-security is unmistakably one area in which the United States has become steadily more vulnerable in recent years, and nothing said by Chairman Dempsey indicates that the situation will improve much any time soon. It’s clear, then, that much more work needs to be done on defenses and on offensive capabilties. But it’s equally clear that Washington needs to work much harder on strategies of denial, as loosey-goosey American corporate transfers of advanced technology all around the world have undoubtedly strengthened and in some cases created the cyber threats the nation now faces.