At different historical periods, weapons emerged that changed how armies fought. Four millennia ago on the flat plains of Mesopotamia, the Assyrians employed the chariot—predecessor of the tank—to dominate all opposing tribes.[1] In the twelfth century A.D., Genghis Khan’s horsemen swept out of Mongolia, employing highly mobile firepower—superb riders equipped with short bows—to terrify the more civilized peoples living along the western edges of Europe. World War II brought the ultimate destructive weapon—nuclear bombs—along with massive air power. Just as the Assyrians and Mongols applied their weapons to the slaughter of both warriors and innocent civilians, so too did Germany, Italy, the Soviet Union, England, and America employ aerial bombing.
The Internet is the early 21st-Century weapon that history will record as transformational. Why? Because if cyber warfare is unleashed in full fury, as was aerial bombing in World War II, it will shatter the foundation of global prosperity. Over the past two decades, Russia, China, Europe, America, Canada, etc. have become inextricably dependent upon the Internet for banking, electric power, and commerce. The continuance of daily economic interactions depends upon digital connectivity.
Secretary of Defense Jim Mattis recently testified, “For decades the United States enjoyed uncontested or dominant superiority in every operating domain or realm.… Today every operating domain is contested.” Nowhere is that contest more manifestly evident than in the cyber domain. Almost three years ago, the Director of the National Security Agency, Admiral William Rogers, said publicly, “You (an individual hacker or a country) can just do literally almost anything you want, and there isn’t a price to pay for it.” So what has happened since then? In early 2015, North Korea hacked into the e-mail accounts of the Sony Corporation in California. Several months later, China hacked into the accounts of the Office of Personnel Management and stole the personnel records and security-clearance files of 22 million Americans. Not to be outdone, in 2016 Russia insouciantly inserted itself into the American presidential electoral campaign. And a few weeks ago, Equifax, a credit reporting agency, belatedly admitted that sensitive personal and financial information of about 143 million American consumers had been hacked and stolen.
Any criminal activity continues to escalate until punishment is applied. Neither China nor Russia has received any punishment or retaliation for past cyber aggressions. Years of doing nothing have set a terrible precedent.
General Keith Alexander is the former Commander of United States Cyber Command. Last March, he appeared before the Senate Armed Services Committee and testified, “the needed partnership between public and private sector is clearly lacking. The private sector controls most of the real estate in cyberspace…cyber legislation enacted by Congress lacks key features to truly encourage robust sharing, including placing overbearing requirements on the private sector, overly limiting liability protections, and restricting how information might effectively be shared with the government… U.S. Cyber Command lacks clear authorities and rules of engagement.”
In essence, General Alexander was saying that the U.S. government has no publicly declared doctrine, no effective private-public cyber partnership, and no punishment mechanisms for deterring cyber theft or offensive attacks by other nation states. Our nuclear deterrence strategy was based upon educating the Soviets that there was no credible use of nuclear weapons at any point along a ladder of escalation. Conversely, cyberattacks are increasing. It is only a few steps up the escalation ladder from massive burglary to overt cyber warfare against our economic infrastructure. Our lack of a deterrence strategy is a threat to our nation that requires our attention.
[1] B.A. Friedman, On Tactics: A Theory of Victory in Battle (Naval Institute Press, 2017), p. 197.