On Friday, Aug. 18, President Trump announced that the Defense Department’s
U.S. Cyber Command would be elevated to the status of a “unified combatant
command,” joining the nine other commands such as the U.S. Central Command
(CENTCOM) that oversees all military operations in the Middle East, and the
U.S. Strategic Command in charge of nuclear weapons. The heads of these
commands are just below the Secretary of Defense in the chain of command, and
each unified combatant command cuts across the traditional armed-services
divisions of army, navy, and air force.

According to a report at the website Politico, the promotion of the Cyber
Command has been in the works for years, but carrying out this promotion is in
line with the President’s campaign promises to bolster the Cyber Command.
Currently that Command is headed by Admiral Mike Rogers, who also heads the
National Security Administration (NSA). The Senate must confirm a new Cyber
Command leader before the reorganization is fully implemented, but no
particular problems are expected on that score.

After taking an initial leadership position, the U.S. has appeared lately to
be lagging in the recognition that cyberwarfare is no longer some
science-fiction pipe dream. The nature of cyberwarfare makes it difficult to
state with certainty exactly who is responsible for what. But most experts
agree that, for example, Russia has been plaguing the Ukraine with
cyberattacks of many kinds for the last few years, ranging from invading
servers used by news media to causing widespread power blackouts in large
cities such as Kiev in the middle of the winter.

Probably the first cyberattack that became widely known and has definite
attribution was called Stuxnet. Developed by the U.S. NSA, possibly with
cooperation from Israel, it was a clever attack on Iran’s uranium centrifuges
in 2010 that caused numbers of them to self-destruct. Stuxnet was the last
major focused cyberattack we know of that the U.S. has committed, but by the
nature of the business, there may be others we don’t know about yet.

In conventional warfare, the enemy is in a clearly defined geographical area,
and even wears uniforms and puts insignia on their equipment so you can tell
who are the good guys and who are the bad guys. Alas, such formality is long
gone in many battlefields, and in the anonymous world of cyberspace it is next
to impossible to identify the source of an attack in terms of a physical
location and which people are doing the bad stuff. In this regard cyberwarfare
borrows from the world of espionage the mysteries and guesswork that make spy
novels so interesting, and make actual espionage work so frustrating.

But just because the enemy can’t always be clearly identified, that doesn’t
mean we can ignore what they can do. There is an old saying that generals
always prepare to fight the last war, meaning that military thinkers are slow
to deal with combat innovations. The elevation of the Cyber Command to a level
equal to the Strategic Command says that, organizationally at least, we are
taking the threat of cyberattacks and the damage they could cause at least as
seriously as we are taking the threat of nuclear attacks, which are far less
likely but have a higher potential for damage.

Or maybe not. At any given time, there is probably a maximum amount of damage
that a determined cyberattacker could do with the capabilities they have and
the nature of the target. One advantage that the U.S. has compared to smaller
and more tightly organized countries is that we have a lot of diversity in our
technical infrastructure. For example, in the recent flap about Russia’s
attempt to sway U.S. elections, no one has found any convincing evidence that
Russian hackers were able to manipulate electronic vote counting. Even if they
had wanted to, the hackers face the difficulty that votes are counted in
literally thousands of different jurisdictions using a wide variety of
systems. Anybody wanting to mess with a voting district that was big enough to
make a difference would probably have to have a spy physically present for
some time in order to gather enough information to give a cyberattack even a
chance of success. Something of the same principle applies to our electric
grid, which is a congeries of old and new technology with a bewildering
variety of SCADA (supervisory control and data acquisition) systems. Again, a
determined cyberattacker would have to focus on one system that is
particularly vulnerable and large enough to make a terrorist attack worthwhile
in terms of headlines.

not be complacent with regard to the possibility of a crippling cyberattack,
and the promotion of the U.S. Cyber Command to the board of Unified Combatant
Commands is a step in the right direction. As I mentioned not long ago in a
blog on ransomware, one of the U.S. government’s primary responsibilities is
to defend the nation against attacks, and this includes cyberattacks. The
spectacle of private companies, even small ones, getting held up for ransom by
hackers is morally equivalent to a cross-border raid by physical invaders.
What would normally be a domestic police matter then becomes an international
incident, and the intervention of the U.S. military would be appropriate in
both cases.

But a lot is yet to be defined about the responsibilities of the military on
the defense side. Historically, the computer industry has held consumers
responsible for cybersecurity to the extent of installing patches and upgrades
promptly and following good cybersecurity “hygiene.” But as attacks become
more sophisticated, there may have to be closer cooperation among private
technology developers, their customers, and the military, which up to now has
not had much input into the business except as a good customer.

If history is any precedent, not much will change in a major way until a
foreign cyberattack succeeds with a truly crippling blow that costs many
billions of dollars, affects millions of people, or results in multiple deaths
and injuries. Then we will get serious about how the military can fight the
next war—a cyberwar—and not the last one.