30 June 2019

US is woefully unprepared for cyber-warfare

John M. Donnelly, Gopal Ratnam

John Donnelly and Gopal Ratnam are reporters with CQ-Roll Call. Reprinted by permission from CQ Roll Call.

Last fall, when the Navy was examining gaping holes in its cybersecurity, its outside consultant leading the project ordered his team to learn the ancient Chinese strategy game Go.

In that board game, two players place black and white discs one by one onto a grid. The players then slowly try to encircle each other until the victor completely envelops the loser's pieces.

The point, says Michael Bayer, the veteran Pentagon adviser who ran the Navy's review, was to show that China and other foes are encircling and exploiting America's weak flanks rather than directly challenging its conventional military strengths.


Chess versus Go

Meanwhile, he says, American policymakers tend to think in checkers or chess terms, directly attacking an opponent. The Chinese play both games, but westerners generally do not know Go.

"If you play checkers or chess you want to grab the data on weapons systems," Bayer said. "If you play Go, you want to grab the Office of Personnel Management background files on everybody," referring to a 2014 hack orchestrated by Beijing.

National Security Agency General Paul Nakasone is also commander of United States Cyber Command.

In the long game of information warfare, old strategies lose meaning. The battle is not in one region or another or over a particular time frame; it is everywhere and forever. The traditional distinctions between civilian and military lose meaning because defeat in one jeopardizes the other. The United States is, quite simply, playing the wrong game.

"I believe we are in a declared cyberwar," Bayer said. "It is aimed at the whole of society and the state. I believe we are losing that war."

China, Russia, North Korea, Iran and even terrorist groups have for years been waging — and, experts say, winning — conflicts in the so-called gray zone just below the threshold that would trigger a U.S. military response. A 2016 Pentagon report defined it as "not yet war but not quite peace."

Gray zone

In the gray zone, two modes of fighting dominate. The first, information operations, constitutes everything from broadcasting propaganda to using social media for spreading information or misinformation. The second tool is cyber.

In these two realms, the U.S. military and civil society are virtually unprotected and will be for years, Pentagon experts have reported in the last two years.

Kenneth Rapuano, the Pentagon's assistant secretary for homeland defense and global security, says the U.S. military is responding to the challenge in cyberspace.

But by most accounts, while America's cyber warriors have stepped up their attacks in the last year, including in Russia, the ability to defend U.S. networks has not kept pace. Without a strong defense, offensive attacks can be invitations for disaster instead of deterrents.

And numerous experts say America's ability to fight offensively or defensively in cyberspace is inadequate, with the required focus, leadership and strategic thinking all woefully wanting.

"While we have made progress, it would be fair to say we have a long way to go," said Sen. Mike Rounds (R-S.D.), who chairs the Senate Armed Services Subcommittee on Cybersecurity.

Torpid response

The military's torpid response has been caused by bureaucratic inertia, the political dominance of traditional weapons and military organizations, the distraction of the post-9/11 wars, and a failure to comprehend the cumulative damage that was occurring and how rapidly modes of warfare were changing.

"We need to have the bombers and planes and missiles to make sure we can defend the country in a conventional conflict, but we also need to face the reality, and gray zone conflict is happening now and will continue to go forward," said Rep. Jim Langevin (D-R.I.), who chairs the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities.

The United States needs the kind of spur to action that came after Japan attacked Pearl Harbor in 1941; after Russia launched Sputnik, the world's first artificial satellite, in 1957; or when al-Qaida attacked New York and Washington in 2001, several top analysts say.

But America's adversaries, mindful of this history, have stayed in the gray zone. Bayer compares this to a parasite that constantly saps its host — but not so much as to trigger a full-scale white-blood-cell counterattack.

Thomas Modly, the Navy undersecretary, thinks the Navy review got the cybersecurity problem right.

"Our vulnerabilities may make it so debilitating for us that we may not be able to get off the pier in San Diego if we had a major conflict," Modly said. "This is not just a Navy problem. This is a national problem."

Numerous experts — including Rep. Mike Gallagher (R-Wis.), co-chairman of the Cyberspace Solarium Commission, a bipartisan panel created in May to study competition in the infosphere — call for a nationwide public awareness campaign.

"Ultimately our success or failure in cyber will come down not to algorithms or technology but to human beings," says Gallagher, who noted that he was not speaking for the commission. "Everyone who has a cellphone in their pocket is in some ways on the front lines of a geopolitical competition."

US reticence

America's reluctance to use force, especially against nuclear-armed foes, and the country's reticence to violate human rights, despite some exceptions, restrain it from reacting too strongly — and U.S. adversaries know it.

U.S. foes further reduce their chances of suffering retaliation by using proxies or otherwise disguising what is being done and by whom. The U.S. government also disguises its actions on many occasions.

The need to cover up identity is why Russia has covertly conducted assassinations in other countries and employed so-called little green men — paramilitary forces out of Russian uniform — as they fought in neighboring Crimea.

China, for its part, has used commercial fishing boats to overwhelm other countries' coast guards, among other guises.

Nowhere is gray zone activity more intense — and the perpetrators less identifiable — than in the ether, because the barriers to entry for cyber warriors are low and the possibility of acting undetected is higher.

"How can you effectively do deterrence by punishment or deterrence by denial if you can't attribute a cyberattack and clearly connect the dots to North Korea or Russia or China?" Gallagher asks.

But attribution is a double-edged sword, says retired Army Gen. Keith Alexander, who headed the National Security Agency and the U.S. Cyber Command. If the U.S. government were to provide clear attribution in all cases, adversaries would use that knowledge to escape detection in the future, he said. "So you end up with that kind of Catch-22."

Mounting problem

Information operations and cyberattacks in the gray zone have grown in recent years — in number, sophistication and the damage they have wrought.

China's 2018 attack on a Navy contractor gave that country access not just to details of a key new anti-ship missile known as Sea Dragon but also much of what the Navy knows about China's maritime capabilities.

It was the latest in a long series of hacks by China, which has reportedly stolen data on F-35 fighter jets, Littoral Combat Ships, U.S. antimissile systems and drones operated by multiple U.S. military services.

The broader U.S. economy has lost $1.2 trillion in intellectual property pilfered in cyberspace, according to the National Bureau of Asian Research, a nonprofit group. The Navy's review team assessed that figure to be an understatement. China has done most of the damage.

Russia has also stolen and hacked in cyberspace but it has specialized in a massive information warfare campaign to influence U.S. elections by sowing dissent and planting lies in U.S. social media circles.

In the most famous instance, Russian intelligence agents broke into the Democratic National Committee computers in 2016 and disseminated stolen information. They also attempted to break into election systems in 21 states, gaining entry to at least seven of them. Kremlin-backed operatives mounted a social-media influence campaign to confuse American voters, tactics they have perfected against former Soviet satellites such as Estonia, Georgia and Ukraine.

North Korea famously hacked Sony Pictures in 2014 and stole company data, according to U.S. officials. Iran is widely believed to have been behind a 2017 cyber assault on Aramco, Saudi Arabia's national oil company, among other sophisticated hacks.

U.S. government computers are not immune to such attacks. Of 330 confirmed data breaches in 2018 in U.S. federal, state and local governments, two-thirds were believed to be espionage by foreign governments, Verizon reported in May.

Even the Islamic State, or ISIS, has used hacking and social media to great effect in proselytizing for its so-called caliphate in Iraq and Syria.

Countries that have sophisticated offensive cyber tools often are not prepared to defend themselves in cyberspace, said Alexander, now CEO of cybersecurity firm IronNet.

In the case of the United States, "I think we are making gradual moves toward that, but I think there needs to be more," he said. "I believe it's the government's responsibility under the Constitution for common defense. Period."

The U.S. government should not distinguish between critical and noncritical sectors when it comes to defending against cyberattacks, he says.

To be sure, the United States is increasingly hitting back.

On June 11, National Security Adviser John Bolton publicly stated that the U.S. has stepped up its offensive cyber assaults since last year, when President Donald Trump loosened restrictions on such campaigns. Bolton said they would keep up "in order to say to Russia, or anybody else that's engaged in cyber operations against us, 'You will pay a price.'"

Four days after Bolton's remarks, The New York Times reported that the United States, in a classified operation, had penetrated Russia's energy grid not just with reconnaissance probes but with malware that, if triggered, could disrupt Russia's electrical systems.

Yet without effective cyber defenses, more aggressive overseas operations could come back to bite the United States, experts warn.

"Defense is a necessary foundation for offense," the Defense Science Board, a Pentagon advisory panel, said in a summer 2018 report. "Effective offensive cyber capability depends on defensive assurance and resilience of key military and homeland systems."

Defenseless defense

The Navy cybersecurity review, which was made public in March, was unsparing in its criticism of the Navy, but the dramatic critique applies to the entire national security establishment. Indeed, the report is a national call to cyber arms.

Protecting information systems is not just one of the Navy's many challenges, the Navy review team said, it is the main challenge — an "existential threat."

As the Navy prepares to win "some future kinetic battle," the report said, it is "losing" the current one. Defense contractors continue to "hemorrhage critical data." The Navy was No. 1 among 59 government departments in the amount of its information found on the so-called darknet, where criminals trade data.

The current situation is the result of a "national miscalculation" about the extent to which the cyber war is upon us, the report adds.

The threat, it says, is "long past the emergent or developing stage." The current phase should be known as "the war before the war," the report says. "This war is manifested in ways few appreciate, fewer understand, and even fewer know what to do about it."

Notably, the review team found that the vaunted U.S. military's systems for mobilizing, deploying and sustaining forces have been "compromised to such [an] extent that their reliability is questionable."

The U.S. economy, too, will soon lose its status as the world's strongest if trends do not change, the authors wrote.

The Army and Air Force did not do similarly sweeping reviews, but the Navy's results are being applied across the Defense Department. Army and Air Force spokesmen stress that they take cybersecurity seriously by conducting regular system evaluations, recruiting more cyber personnel and using emerging technology such as machine learning.

Military within a military?

Nonetheless, to put it bluntly, the U.S. military and civil society are all but completely vulnerable to a cyberattack — by China or Russia, in particular — so much so that the Defense Science Board recommended in 2017 that a second U.S. military that is truly cyber-secure be created as soon as possible, because the one America has will not necessarily work.

A cyberattack on the military, the science board said, "might result in U.S. guns, missiles, and bombs failing to fire or detonate or being directed against our own troops; or food, water, ammo, and fuel not arriving when or where needed; or the loss of position/navigation ability or other critical warfighter enablers."

And if civilian and military attacks both occurred, the science board experts wrote, it could "severely undermine" the U.S. military's role at home and abroad.

If cyber defenses are lacking, U.S. leaders not only will lack confidence in the reliability of their offensive weapons but will also worry that any U.S. offensive response could trigger a potentially debilitating cyber counterattack — one for which they have inadequate defenses.

The report chillingly warned that doubts about U.S. defense capabilities could cause a president to more quickly turn to nuclear weapons.

"If U.S. offensive cyber responses and U.S. non-nuclear strategic strike capabilities are not resilient to cyberattack, the president could face an unnecessarily early decision of nuclear use — assuming that U.S. nuclear capabilities are sufficiently resilient," the report said.

James Gosler of Johns Hopkins Applied Physics Lab, an author of this and other cyber reports from the science board, said the conclusions still stand, though he noted progress in addressing the problem over the past two years.

"Across U.S. society, we have a way to go to get to where we have sufficient confidence — and the other guy does not have sufficient confidence — that their measures will work," Gosler says, stressing that he is not speaking for Johns Hopkins or the science board.

Rapuano, the Pentagon assistant secretary who focuses most on cyber, says U.S. adversaries have "succeeded in waking up the giant" that is the United States.

The Pentagon, he says, is trying to implement "as a matter of top priority" the Defense Science Board recommendation to ensure that at least part of the military is at the highest level of cyber readiness, starting with nuclear weapons.

Moreover, top Pentagon officials convene weekly meetings to discuss progress at implementing cyber initiatives, Rapuano says.

"What you're seeing is a consistent and continuous turning of the screws in terms of pressurizing cyberspace as one of the highest priorities of the department," he says.

But Rapuano acknowledges there is much work to be done and says the Defense Department is in the middle of a transition that cannot occur overnight.

"It's challenging to integrate a whole new domain of warfare," he says. "It's still very novel. We’re in the early days of understanding cyber doctrine and operations. Cyber and other advanced technologies are changing the character and composition of warfare."

Rounds, of Senate Armed Services, said a recent presidential order and changes in the defense authorization law have made "a world of difference" in enabling U.S. cyber warriors to take the fight to the enemy overseas instead of merely blocking punches at home.

Still, Rounds said, among the military's domains — air, land, sea, space and cyberspace — the latter is "the weak point" and the one where the United States is "most challenged."

"Our adversaries are very, very good," Rounds said.

People power

Power in cyberspace is a function not so much of hardware or software as of human beings, experts say. People can be either the ultimate weakness or the biggest strength.

If the Chinese want to find and exploit frailties in U.S. defenses, they can do it by "turning" just a handful of the millions of Americans who have contact with classified or sensitive data.

That is why China's two major 2014 hacks into the personal information of more than 22 million people — federal workers, contractors, family and friends in Office of Personnel Management databases — are worrisome.

People are also a weakness in that the lack of cyber hygiene by just one employee of the government — or even of a small subcontractor who has difficulty affording the most thorough cybersecurity — can be the entryway for a cyber break-in with strategic consequences.

Auditors have repeatedly found that major weapons such as antimissile systems have been exposed to cyberattacks because of a lack of simple computer hygiene: failure to use encryption or two-factor authentication or proper passwords or, in one instance, leaving a room full of servers unlocked.

There is no way to know with 100% certainty that one's defenses are working. The best way to test them is to have cyber "red teams" of qualified experts act as the adversary and attempt to penetrate and disable U.S. networks.

But the Defense Department also lacks a sufficient number of qualified "red teams" to test weapons. So each weapon is not tested long enough, and the threats they simulate are not realistic, the Pentagon's testing office said.

In fact, having an insufficient number of "red teams," or teams lacking the right skills, may in some ways be worse than having none, because it can foster a false sense of security, the top tester said.

However, it is not just that the Pentagon's cyber red teams are too few in number and less capable than they should be. More fundamentally, the entire enterprise is too "ad hoc," said William LaPlante, a former Air Force acquisition chief who has long advised the Defense Science Board.

What is needed is an institution that can hold all programs to account on a regular basis and that is independent enough to unflinchingly deliver scathing assessments when necessary, said LaPlante, now a senior vice president at Mitre Corp., a federally funded research group.

"This is going to be hard to put in place," LaPlante said. "The system doesn't like these things, because they are not the bearer of good news."

Congress is starting to notice. When the Senate debates its fiscal 2020 defense authorization bill this month, it may consider an amendment by Sen. Jerry Moran (R-Kan.) and others that would require the Pentagon to assess within six months its cyber red teams — including "permanent, high-end, dedicated" ones — and report back to Congress.

It is not just the Pentagon that is short on cyber-savvy personnel. As of April, America's overall cyber workforce is short 314,000 workers, a House Armed Services subcommittee said in a report made public this month. Efforts are underway to deal with that problem as comprehensively as possible, but the country is starting from behind, and the government is especially hard-pressed to compete with high-paying Silicon Valley firms.

Leadership, please

The main reason cyber is a people problem is that the human beings who are government leaders must step up their game, experts say. Without sustained, senior-level attention, the United States will not shore up its cyber vulnerabilities.

In the past two years, Trump and leaders in the Defense Department and Congress have begun to significantly increase their attention to the problem, even though many lawmakers contend that the administration has muddled the signal by getting rid of a White House cybersecurity coordinator's position that they say is essential to getting all federal agencies working toward the same goal.

But their efforts are still dwarfed by the challenge, many observers believe.

This inadequate attention is manifest in how infrequently U.S. leaders talk about cyber issues. On congressional defense committees, cyber is essentially an afterthought compared to weapons hardware and military pay and benefits. In the Senate Armed Services press release in May on its fiscal 2020 authorization bill, cyber was barely mentioned at the end.

Likewise, Bayer and his team found a dearth of cyber references in Navy leaders' speeches and a scarcity of cyber-related events on their calendars.

"You wouldn't even know that cyber is a Top 20 problem," he says.

Measured in dollars, cyber also does not stack up. Unclassified cyber spending across the federal government in the fiscal 2020 budget request totals just over $17 billion, considerably more than it was a few short years ago, but that is only a bit more than 2% of the roughly $750 billion annual national defense budget.

Total security is unobtainable. But a higher degree of confidence in the safety of U.S. systems (military or electoral) and its offensive cyber tools can be achieved, experts say.

The way to get there is through a radical new commitment to cybersecurity driven by top political and corporate leaders.

For one thing, the government must demonstrate its resolve by holding more exercises to test cyber responses, according to lawmakers and analysts. The Government Accountability Office in 2016 urged U.S. military and civilian leaders to hold a so-called Tier One exercise with the private sector to gauge how to handle an attack on domestic infrastructure.

The exercise is set for later this year, but the House Armed Services Committee is tired of waiting. Its newly minted fiscal 2020 defense authorization bill would withhold 10% of the fiscal 2020 money for Trump's communications office until the exercise occurs.

"Unless these actions are exercised, we won't be prepared to confront bad things," said Langevin, who began to focus on cyber over a decade ago. "We don't want to do this on the fly."

Other major changes in organizations and behaviors are also needed. For its part, the Pentagon needs chief information officers who are no longer operators of networks, but purely regulators of them, and who report directly to the leaders of their organizations, which is the best practice in industry, experts say.

The Navy has sought to create such an official — an assistant secretary for information management — but has run into congressional resistance.

Bombs in the age of bytes

Most analysts recognize that part of the reason U.S. enemies are fighting in the gray zone is because America's military has deterred those foes from fighting the United States on the sea, air or land. So maintaining a strong deterrent in traditional arms is not open to question, most experts say.

However, given that budgets will probably not grow considerably and may even come down, the military may have to cut into its spending for conventional weaponry to make room for more investment in offensive and defensive digital weapons.

It is becoming clearer that cyberattacks and disinformation campaigns are the domains where adversaries with fewer resources and smaller militaries will challenge American dominance, says Virginia Sen. Mark Warner, the ranking Democrat on the Senate Intelligence Committee.

Continuing to spend at the same level on conventional military strengths while also boosting spending on the newer domains may not be possible without pushing defense spending to $1 trillion a year, and "further cutting out domestic discretionary spending," Warner said.

The Pentagon also needs to step up investment in and use of advanced technologies such as artificial intelligence because they offer multiplier effects, analysts say.

The Pentagon's 2020 budget proposal calls for spending about $1 billion on artificial intelligence programs, which "seems insufficient when considering that AI has more potential to change the way we fight wars than any other emerging technology," Susanna Blume, a senior fellow at the Center for New American Security, wrote in a paper published last month.

Policymakers in the Pentagon and other national security agencies also should step up use of artificial intelligence, says Mara Karlin, of Johns Hopkins University's School of Advanced International Studies and a former top Pentagon official.

Such applications, for example, could help policymakers understand "who the Syrian opposition is and think through the pathways on how they are likely to act and respond," she said.

Several issues arise as officials try to improve federal oversight of cybersecurity and information warfare. For one thing, there must be more public-private information sharing about threats and responses. That will probably require more declassification, but there are limits to that.

In the private sector, cyber defenses are not cheap, and pose a burden for many smaller companies. And new government regulations requiring contractors to adhere to cybersecurity standards are so confusing that even larger companies are having trouble complying, surveys have shown.

In the Pentagon alone, the new rules are "not coordinated or deconflicted," the House Armed Services Committee's fiscal 2020 defense authorization report said.

Civilians equally at risk

Statutory limitations on the CIA and the National Security Agency have barred the United States from responding comprehensively to the broad disinformation and influence operations mounted by Russia, China and Iran.

Say, for instance, U.S. intelligence agencies are monitoring a Kremlin operative preparing a disinformation campaign. Once the Russian agent launches the operation and Americans start to see it appear on their laptops and mobile devices "then it has to be handed over" to the FBI and the Homeland Security Department, Warner said.

Another reason for slow movement in the field of information operations is Americans' understandable queasiness about engaging in propaganda, said retired Adm. James Stavridis, former commander of NATO forces and of U.S. Southern Command.

But "it's not propaganda," he said. "It's critical to meet the adversary in that universe."

U.S. adversaries see information and political warfare as key parts of their strategy, said Seth Jones, an expert with the Center for Strategic and International Studies who has advised military commanders in war zones. But the United States, he said, "is still focused heavily on the military, both conventional and nuclear, because that's where the funding is."

Domestically, the Homeland Security Department does not have enough power, some say.

C.A. Dutch Ruppersberger, formerly the top Democrat on the House Intelligence Committee, believes the NSA, which is based in his Maryland district, is doing well fighting information wars overseas.

But Ruppersberger believes the government needs to create a new agency focused exclusively on domestic cybersecurity.

"We have to keep continuing to make the issue of cybersecurity one of our highest priorities," he said, citing China's stated goal to be the world's superpower by 2049.

Victory is possible

The last two years have shown hopeful signs of progress.

The congressionally created Cyberspace Solarium Commission, which is aimed at devising strategy, doctrine and policy, may be one such positive sign. The panel is named after former President Dwight D. Eisenhower's Project Solarium, which came up with a national strategy for combating communism.

Most experts say that what is needed now is just what was needed then.

In a sense, it is a geopolitical version of the Go board game — patient, encircling, steady. The United States and its allies went after the Soviet Union's weak spots, shining a light on its propaganda and falsehoods by using all means at the nation's command, short of war.

The good news is that the United States has the resources and creativity to soon gain the confidence it now lacks in its ability to hold its own in the ether. It is possible for the United States to get the upper hand, assuming changes are made.

That is what Bayer and his Navy cybersecurity review team found in interviewing government officials, defense contractors and executives from companies such as Goldman Sachs and Amazon.

But to be successful, people need to wake up every day and worry about the nation's cyber vulnerabilities.

"You win this not just by changing structures and moving money," Bayer said. "You win this by changing culture. That's easy to say and damn hard to do."
