CYBER MAVEN: How Enemies Would Attack the US
By Ross Rustici - Warrior Maven Columnist and Senior Contributor -
Rustici Previously Served as a Technical Lead, Intrusion Analyst and East Asia Cyber Lead at the Department of Defense
Dependency, Vulnerability, and the Tyranny of Time
The tyranny of time and distance is something that man has been unable to escape since before the dawn of civilization. That gap has reduced over the years. First by learning to run, then through the domestication of animals, all the way to cutting-edge development of hypersonic weaponry. The ability to project military power is measured as a function of speed, distance, power, and cost. This simple fact is why the United States maintains a large alliance network with overseas bases in every region of the world, and why no other country has the ability to reasonably threaten the United States with conventional arms.
The distance across the Atlantic and Pacific oceans are too vast to project power with conventional forces without a massive economy to support a disporportinately large military budget. These buffers, combined with only two bordering countries both of which are substantially smaller and generally aligned with the United States, has led it to develop an offensive ethos that no other military can share.
The precision and effectiveness that the Revolution in Military Affairs brought U.S. troops in the 90s and early 2000s shocked the world. Suddenly a 2-million-person strong military was transformed from a cudgeled into a scalpel. The early success of information superiority for offensive operations led further breakneck development in this area until American fighter aircraft are outfitted so they can function as flying routers. This military dependence on information correlates to societies. Just in time shipping that relies on rapid transfers of goods across the country by rail or truck, the digitization of: information, the financial industry, critical infrastructure.
Convenience, speed, cost are the drivers of the digital transformation, yet security has never been a paramount concern. This is true even in the way senior leaders in the U.S. government speak about cyber threats today. The discussion is not about defense or reducing the capacity of America’s adversaries to succeed in their intrusions, but rather it is to strike back via cyber means to demonstrate superiority and deter actions by imposing costs. The creation of in domain superiority is the ethos of how America defends itself. Out aggress the aggressors.
Unfortunately, the game has changed. Distance and cost are no longer the limiting factors of power projection. Cyberwarfare moves at the speed of light. The cost to mount a successful attack is measured in the thousands of dollars instead of the hundreds of millions.
What’s worse is the over dependence on technology that shaped the American military into such an effective fighting force also leaves it uniquely indefensible. Global communication networks, the immense power projection capabilities used to deter conventional acts of aggression mean it is not possible for the United States to simply disconnect and deny the enemy the opportunity to strike across those same oceans into the homeland. Furthermore, when the leadership talks about defense, it defaults not to clever stratagems of denying the enemy access but rather counter punch harder.
To counter in domain also requires leaving access available for the enemy to maintain their attacks. This need to dominate every domain increases American vulnerability to countries that previously could not have dreamed of surviving a conflict with part of the U.S. military, let alone land meaningful counterattacks that would give lawmakers pause.
This reality has brought about a new model of thinking. At its core the United States will not be deterred by cyber capabilities from acting in its core interests. At the end of the day, the conventional strength of the U.S. military is too great to be truly constrained in this manner. However, what is has created is a policy of deferrence.
Countries with proven cyber programs that have attacked entities in the United States are treated by a different set of rules than those that don’t. Ultimately, the United States is forced to realize in every one off case that their ability to retaliate via cyber is inept because the countries restoring to this posture are not a quarter as vulnerable or dependent on the Internet as the United States is. This leaves physical or diplomatic retaliation. To date, the U.S. government has never chosen the former, which further emboldens others to follow this path.
The more policy discussions focus on in domain offensive retaliation for cyberattacks, the more countries who have interests at odds with the United States will consider the fate of those who have well-known and successful cyber programs. Cyber proliferation may be more effective at staying the expeditious nature of the U.S. military far more than a nuclear program or a traditional military. After all, Iran was bargained with, while Libya and Iraq fell.
-- Stay Tuned for more CYBER MAVEN Columns --
Ross Rustici - A Warrior Maven Columnist and Senior Contributor -
He Currently Serves as Senior Director, Intelligence Services, Cybereason. Cybereason
Ross previously served as Technical Lead - DoD, East Asia Cyber Lead - DoD, and Intrusion Analyst - DoD.