America’s generals and spymasters have decided they can secure a better future in cyberspace through, what else, covert warfare, preemptive attacks, and clandestine intelligence. Our rivals are indeed seeking to harm U.S. interests and it is perfectly within the president’s purview to use these tools in response. Yet this is an unwise policy that will ultimately backfire.
The undoubted, immediate national security advantages will be at the expense of America’s longer-term goals in cyberspace.
The latest headlines on covert and preemptive cyberplans highlight just the latest phase of a cyber “cult of offense” dating back to the 1990s. Unclassified details are scarce, but the Atlantic Council’s study of cyber history reveals covert plans, apparently never acted upon, to drain the bank accounts of Slobodan Milosevic and Saddam Hussein. More recent press accounts detail cyber assaults on terrorist networks (including one that backfired onto U.S. servers) and Stuxnet, which destroyed Iranian centrifuges. American spy chiefs say U.S. cyber capabilities are so prolific that this is the “golden age” of espionage, apparently including the Flame and Duqu malware against Iran and Gauss, which sought financial information (perhaps also about Iran) in Lebanese computers.
Offensive cyber capabilities do belong in the U.S. military arsenal. But the continuing obsession with covert, preemptive, and clandestine offensive cyber capabilities not only reduces resources dedicated to defense but overtakes other priorities as well.
Which choice will observers believe the president has made? America insists it wants a secure and peaceful cyberspace while sabotaging Iranian facilities with Stuxnet. Our government argues Chinese industrial espionage is completely unacceptable, but that disruptive and preemptive covert attacks are not escalatory but an acceptable norm. U.S. diplomats struggle to remain credible trying to convince Russia and China that the United Nations Charter and Geneva Convention apply to cyber conflicts. Nations question the U.S. model for peaceful Internet governance with the result that proposals from China, Russia, and even Iran get more support than those from U.S. diplomats.
Imagine for a moment you coordinated cybersecurity response for a major U.S. bank. Otherwise useful U.S. infrastructure protection efforts may seem less sincere to you when you learn that the government discovers critical vulnerabilities in major U.S. products but shares nothing with you or your company. Instead it weaponizes them to attack and spy on Iran. You can’t even deduct your costs countering the predictable counterattack, the widely reported Iranian denial of service attacks against the U.S. finance sector.
The cyber age has barely begun. But already cyberspace is so dangerous, and with so few norms, it has been called the new Wild West. Its future is still a jump ball, however, and there is no way of knowing how sensitive that future could be to the wrong decisions today.
The president will hear few dissenting opinions about these possibilities as debate is smothered, limited to a select few behind closed doors. Clearance levels are equated with wisdom, classification with truth, and special agents prowl to find leaks. Outside voices are rare, so few in the debate will have had the responsibility to help secure a business against cyber attacks, hoping that tomorrow would be safer and more secure than today.
President Obama has written that the “digital world is no longer a lawless frontier, nor the province of a small elite.” Yet they are just the ones driving U.S. policy, sadly, to that very end.
Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter @Jason_Healey. This piece first appeared in U.S. News & World Report.