Authored by Keith Alexander (director of the NSA and commander of the US Cyber Command), originally posted at The National Interest.
Obama has identified cybersecurity threats as among the most serious challenges facing our nation. Secretary of Defense Chuck Hagel noted in April that cyberattacks “have grown into a defining security challenge.” And former secretary of defense Leon Panetta told an audience in 2012 that distributed denial-of-service attacks have already hit U.S. financial institutions. Describing this as “a pre-9/11 moment,” he explained that “the threat we face is already here.” The president and two defense secretaries have thus acknowledged publicly that we as a society are extraordinarily vulnerable. We rely on highly interdependent networks that are insecure, sensitive to interruption and lacking in resiliency. Our nation’s government, military, scientific, commercial and entertainment sectors all operate on the same networks as our adversaries. America is continually under siege in cyberspace, and the volume, complexity and potential impact of these assaults are steadily increasing.
Yet even as it confronts mounting threats, the United States also possesses a significant historical opportunity to deter them. America has built something unique in cyberspace—an evolving set of capabilities and activities that have not yet reached their collective potential. We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats. Our capabilities give us the power to change the narrative by making our networks more secure—and ensuring that cyberspace itself becomes a safer place for commerce, social interaction and the provision of public services. We want to take this opportunity to put these developments in historical context, and then explain why we as a nation must continue to build a cyberenterprise capable of guarding our critical infrastructure and population. We can and must do this while always protecting civil liberties, personal privacy and American values.
We now rely on social structures that barely existed 150 years ago. The order and functioning of modern societies, economies and militaries depend upon tight coordination of logistics and operations. Reliability of timing and flow has become indispensable for modern nations and their armed forces. This synchronization rests upon an infrastructure that allows communication, transport, finance, commerce, power and utilities to serve policy makers, managers, commanders and ordinary citizens in an efficient and reliable (i.e., unbroken) manner. Efficiency and dependability make realistic planning and effective operations possible across a whole society. Such intricate ties in the mesh of infrastructure systems also constitute a lucrative target for an attacker and a significant vulnerability for modern societies. Disrupt the synchronization, and the whole system of systems becomes unreliable—thus diminishing the nation’s power and influence.
This unprecedented degree of exposure to systemic dislocation was first anticipated over a century ago when British cabinet ministers and business leaders contemplated the potential for disruption to their entire economy if French armored cruisers even temporarily interrupted the empire’s overseas trade. The perceived peril to British society prompted the Royal Navy’s intelligence office to begin gathering data for the strategic assessment of risk and vulnerability. That effort convinced decision makers that Britain was vulnerable to disruption of its commerce and to sabotage of its war-fighting capabilities. At the same time, Royal Navy planners recognized opportunities to exploit Germany’s systemic vulnerability to economic disruption. This would require the coordination of a range of institutions and capabilities: financial services, international communications, shipping, energy, diplomacy, and naval and intelligence activities meshed into what historian Nicholas Lambert aptly describes as an “Armageddon” strategy.
London approved use of this collection of levers as a weapon against Germany in 1912, but when war came soon afterward British leaders quickly recoiled from the plan under economic and diplomatic pressure. Britain’s economic-warfare measures were proving to be shockingly effective. At the outset of war in 1914 a global financial panic affected world trade on a scale like that of 1929. Britain’s strategy swiftly exacerbated the crisis. Citizen and business confidence in economic institutions collapsed. Traders withdrew from markets. World trade ebbed. Commodity exchanges closed their doors. Banks recalled loans, and global liquidity dried up. In an increasingly globalized and interconnected world, moreover, many of the unintended victims of economic warfare were British.
While the British never fully implemented their 1912 vision of coordinated levers of power to defeat an enemy, the notion of employing strategic technological and economic power indirectly helped bring about a new capability in the United States. One of the most important pillars of Britain’s strategy, which was bequeathed to the United States, was a strategic signals-intelligence capability that served both national and battlefield users. By 1952, the United States had established the National Security Agency (NSA) as the capstone of a signals-intelligence enterprise. That capability became computerized over time, and the resulting “cryptologic platform” emerged as one of the bases of expertise and infrastructure for cyberspace and cyberoperations. From this emerged America’s military cyberspace architecture and capabilities. In 1981, the Pentagon gave the NSA the mission to help secure data in Department of Defense computers. In 1990, that role expanded to the government’s “national-security information systems.” The NSA also played a role in helping the government and military to understand the vulnerability of the nation’s critical infrastructure. When planning accelerated for military cyberoperations after 2001, the NSA provided expertise to the Pentagon’s new “network warfare” capabilities.
Since then, cyberspace has become vital for the functioning of our nation in the digital age. Our national digital infrastructure facilitates the movement of commodities and information, and stores them in virtual form as well. We now use cyberspace to synchronize those critical infrastructure systems that coordinated economies and militaries a century ago. Many of the same vulnerabilities that Royal Navy planners noted in 1905 apply in cyberspace and are magnified by our dependence on the information sector. The features that allow all these infrastructure sectors to link together in cyberspace, however, also make them accessible to intruders from almost anywhere at a comparative minimum of cost and risk. The cyberdimension, therefore, adds an unprecedented degree of complexity and vulnerability to the task of defending ourselves against a modern-day “Armageddon” strategy.
The century-old dream and nightmare of crippling a modern society by wrecking its infrastructure—or just by disturbing its synchronization of functions—is now a reality others are dreaming of employing against the United States. We do not know how effective such a strategy would be against the United States in practice, but glimpses of global financial panics in recent years should raise concern about even partial “success” for an adversary attempting such an attack.
Military cybercapabilities are now being “normalized,” following a traditional path from commercial innovations to war-fighting systems (much like that of aviation in the last century). Several nations have pondered cyberdoctrine for years at senior military schools and think tanks. Cyberattacks against Georgia in 2008 demonstrated how network warfare could be employed alongside conventional military forces to produce operational effects. Lessons learned from such operations are now being turned into tactics and planning by future adversaries. This normalization of cybereffects and their integration with conventional forces will not diminish their power—on the contrary, it will magnify it. Decision makers like former secretary Panetta have mentioned the possibility of a “cyber Pearl Harbor” to evoke our current predicament. We may have already witnessed the cyberequivalents of the sinking of a battleship at Taranto and practice runs with shallow-water torpedoes (the inspiration and preparation, respectively, for Japan’s Pearl Harbor attack).
Cyberconflict occurs on a second level as well. Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.
The United States has not sat idle, however, in the face of diverse and persistent threats in cyberspace that no one federal department or agency alone can defeat. There is clear recognition that the nation’s cybersecurity requires a collaborative approach and that each department brings unique authorities, resources and capabilities to the table. The Department of Homeland Security is the lead federal department responsible for national protection against domestic cybersecurity incidents. The Department of Justice, through the Federal Bureau of Investigation, is the lead federal department responsible for the investigation, attribution, disruption and prosecution of cybersecurity incidents. The Department of Defense has the lead for national defense, with the responsibility for defending the nation from foreign cyberattack. This team approach helps us protect U.S. infrastructure and information, detect attacks and deter adversaries in cyberspace. Relationships also have been forged with private enterprises that carry the data (or create or study the hardware and software that manage the data). Working together, we are improving our knowledge about what is happening across the cyberdomain, enhancing shared situational awareness for the whole U.S. government while ensuring robust protection for privacy and civil liberties.
At the heart of our national-scale capability for defending the nation in cyberspace is the set of relationships for intelligence, analysis, and information security and assurance. The NSA makes that team work. The agency’s importance was reflected in then secretary of defense Robert Gates’s 2009 decision to designate the director of the NSA as commander of U.S. Cyber Command (USCYBERCOM) as well, and to locate the new command’s headquarters at Fort Meade, Maryland, alongside the NSA. Through these decisions, the department leveraged the similarities and overlaps between the capabilities needed for the conduct of the NSA’s core missions—signals intelligence and information assurance—and those of USCYBERCOM: to provide for the defense and secure operation of Defense Department networks and, upon order by appropriate authority, to operate in cyberspace in defense of the nation.
The NSA and USCYBERCOM operate under multiple layers of institutional oversight that reinforce our commitment to privacy and civil liberties. These include processes internal to both organizations, executive-branch oversight accountability mechanisms, congressional oversight and judicial scrutiny. Physical, managerial and technical safeguards serve to prevent, correct and report violations of procedures. There is a culture of accountability and compliance, rigorous training and competency testing, auditable NSA practices and self-reporting of incidents. The NSA and USCYBERCOM do not set these procedures but comply with very specific provisions approved by our nation’s lawmakers. Far from imperiling civil liberties and privacy, the tight links between the NSA and our growing cybercapabilities help to ensure professional, sober and accountable consideration of potential impacts from our operations.
The evolution of USCYBERCOM has reinforced the imperative for a close and unique connection with the NSA. The command’s creation in 2010 reorganized the department’s Title 10 “war fighting” segment of our cyberteam and represented a major organizational step toward developing and refining the Department of Defense’s role in strengthening the nation’s cybersecurity. Events since the formation of USCYBERCOM have taught us a great deal about the gravity of the cybersecurity threat, the development of the Department of Defense’s operational capabilities, the department’s role in a whole-of-government approach to cybersecurity, and structural, policy and doctrinal changes that are needed. Some of these changes can be implemented as part of the natural evolution of the command. Others require activity outside USCYBERCOM itself—within the Department of Defense, by the executive branch more broadly, by Congress and by the private sector.
The synergy between the NSA and USCYBERCOM is evident every day even if it is not visible. The cryptologic platform constitutes the collection of signals-intelligence and communications-security capabilities that since 1952 have served users ranging from national customers to departmental analysts to battlefield commanders. To the extent permissible by law, USCYBERCOM and the NSA have integrated operations, people and capabilities to help the nation and its allies respond to threats in cyberspace. USCYBERCOM’s defense of U.S. military networks depends on knowing what is happening in cyberspace, which in turn depends on intelligence produced by the NSA and other members of the intelligence community on adversary intentions and capabilities. USCYBERCOM’s planning and operations also rely on the NSA’s cybercapabilities. No one entity in the United States manages or coordinates all this activity on a strategic scale. It requires cooperation across government agencies and with industry.
The cyberteam works for strategic, operational and tactical ends, and it does so because we cannot afford (in terms of resources, security or missed opportunities) to maintain distinct capabilities for strategic, operational and tactical decision makers. This approach makes it possible for the United States to operate national-security information systems with some assurance of security; to understand the dimensions of the threats that we face; and to know which threats are exaggerated. It also gives us a measure of warning and situational awareness and is the basis on which those vital attributes will be improved in the future. What are the possibilities for maximizing its potential?
AT THE dawn of the “cyberage” in the 1980s, the United States was positioned to take a commanding military lead in this new domain. Much of the world’s cyberinfrastructure, capacity and computer-security expertise resided in America, and the U.S. government debated policies that might have made federal and critical infrastructure networks much more secure than contemporary external threats could have surmounted. The U.S. military and intelligence community held strong advantages in cybercapabilities that might have been mobilized in the 1990s. Although potential threats were recognized early, there was little urgency to reorganize and change established processes. By the time the United States started losing intellectual property on a massive scale in the middle of the last decade, the opportunity to capitalize on commanding advantages had been lost.
Today the United States is striving to maintain the edge it holds over potential adversaries in cyberspace. This advantage is preserved in part by the large U.S. government capacity in this domain. Our lead is also maintained by our adversaries’ own difficulties in crafting new policies, doctrines and organizations to operate in the new cyberdomain; in some cases their social and political contexts are even more challenging than ours. This American advantage might not last long. We still, however, would not trade our predicament for that of any other nation on earth. Every nation has significant vulnerabilities that can be exploited in and through cyberspace; almost alone among nations, we have the ability to lessen ours dramatically.
As then deputy secretary of defense William Lynn explained in Foreign Affairs in 2010, global circumstances continue to require an agile and technologically advanced cybercapability. We have made progress but still must do more to ensure that we have: the situational awareness needed to defend our networks; the authority to respond to threats to the United States, even beyond the boundaries of military systems; legislation that facilitates information sharing with the private sector; established security standards for critical infrastructure; trained and ready cyberforces certified to common, baseline standards; doctrine along with tactics, techniques and procedures for educating our armed forces on the conduct of military operations in cyberspace; a defensible cyberarchitecture enabled by the new Joint Information Environment (JIE); and clear lines of command and control to ensure network-speed decision making and action. The Department of Defense is making progress on an array of efforts to address these challenges, all the while protecting the privacy of our citizens and the civil liberties that are at the foundation of our political system.
The Pentagon is moving to reduce significantly the number of its networks and limit the points where those networks touch the Internet. Its new joint network—the JIE—is inherently more defensible than the fifteen thousand disparate enclaves that currently exist in the Department of Defense. USCYBERCOM is involved in efforts to leverage cloud-computing technology to dramatically increase the ability to safely and securely store and access data.
We continue to improve our ability to understand the vulnerabilities of our networks, the cyberenvironment and the capabilities of adversaries. Doing so improves situational awareness of what is happening in cyberspace for the benefit of government organizations, private industry and foreign partners.
We are aware that as we increase our dependence on networks in cyberspace, we must have a codified and logical manner by which to provide structure, command and control to our forces—and to allow the coordination and synchronization of U.S. military operations with those of our military allies and our partners.
We are developing a force capable of defending the nation in cyberspace, operating and defending Department of Defense information networks, and providing direct support to Unified Combatant Command plans and operations. These forces must be able to defend our national-security networks, providing a vital sanctuary from which we can operate even while under attack. Having such an assured capability will not only defend Department of Defense and national-security functions, but also help government and civilian networks by convincing adversaries that an “Armageddon” strategy will not succeed against America.
We are working to understand how existing international and domestic laws and norms apply in the new cyberenvironment. We are also developing processes and policies to manage cyberemergencies and to defeat cyberattacks.
Our reliance on cyberspace yields significant strategic benefits but also poses grave risks to our nation. The very nature of cyberspace is one of convergence—of networks, devices and people combining and interacting in new and increasingly complex ways. Communications that previously moved in separate channels now travel in one, global network—the Internet. We must be able to operate securely in this convergent space and to protect the broader social, political and economic developments that the digital age has brought us. The things we value—personal wealth, national economic prosperity, intellectual property, our nation’s defense secrets and even our way of life—are all targets for our adversaries. More and more, those treasures reside in cyberspace, and that is the battleground where adversaries can threaten us. The potential for strategic-level theft and disruption is growing as adversaries probe our critical infrastructure networks and take our data. We do not know how economically and physically damaging coordinated cyberattacks could be if mounted on a national scale—or if a “limited” attack could get out of hand and cause cascading destruction. But the vulnerability of critical infrastructure and the power of cyberweapons together represent serious cause for concern about the resiliency of modern, networked economies and societies.
Defending the nation in cyberspace, preventing strategic surprise and maintaining technological advantage all depend on collaboration, information sharing and a world-class workforce. This requires teamwork across the military, intelligence community, the federal agencies, industry, academia and our international partners. Leadership is vitally important as well. The U.S. government has made significant strides in defining cyberdoctrine, organizing cybercapabilities and building cybercapacity. We must do much more to sustain our momentum in a domain where adversary capabilities continue to evolve as fast as or faster than ours do. Our cyberteam can be the core of whatever national capability we build, but that capability must also extend well beyond the confines and authorities of the Department of Defense and even the federal government. Building that extended cyberenterprise now is indispensable to our ability to deter and defeat enemies in cyberspace so that they do not threaten our security, prosperity and way of life.