America is under attack. In this case, rather than bombs and bullets, undeterred adversaries are using the cyber domain. Every day, they launch thousands of cyberattacks against American individuals, companies, and government agencies—persistently and incrementally chipping away at our security.
This relentless barrage may seem like an inevitable reality of 21st-century life. However, given the stakes for American national security, simply shrugging and accepting the cyber status quo would be a dangerous mistake. The U.S. has established deterrence in other warfighting domains. Washington can—and must—do the same in the cyber domain.
The cyber challenge is undoubtedly immense and complex. General Paul Nakasone, Commander of U.S. Cyber Command, testified in February that America is in “constant contact” with its adversaries in cyberspace. In 2017, federal agencies suffered more than 35,000 cybersecurity incidents, a 14 percent increase compared to 2016. In North America alone, cyberattacks cost nearly $158 billion annually, or about 0.8 percent of GDP.
Indeed, cyberattacks increasingly threaten the freedom, prosperity, and security of Americans and our allies. They target our democratic systems and domestic infrastructure, as well as the means by which we defend ourselves.
Director of National Intelligence Dan Coats said China and Russia are targeting core U.S. civilian and military infrastructure. China, in particular, continues to implement a systematic campaign—with a robust cyber component—to steal American military technology that Beijing could use against our troops in a future conflict.
Over the past two years, Chinese hackers have infiltrated more than two dozen universities in the U.S., Canada, and Southeast Asia as well as U.S. Navy contractors and subcontractors. These hackers reportedly stole information related to supersonic anti-ship missiles, undersea communications technology, marine science and engineering, and other highly sensitive data and technology. In response, the Navy ordered a “comprehensive cybersecurity review” of its own systems and its industrial base, but based on public reporting, it’s unclear how or if the U.S. is holding China accountable.
Meanwhile, Russian hackers may have penetrated deep inside U.S. critical infrastructure. As CYBERCOM was standing up its Russia Small Group to address election meddling, Moscow was reportedly directing a massive operation to hack the electric grid in half of U.S. states. According to The Wall Street Journal, the hackers “likely remain inside some systems, undetected and awaiting further orders.”
North Korea and Iran are largely undeterred as well. Despite reported CYBERCOM operations to cut off internet access for North Korean hackers and a successful joint FBI-Air Force operation to disrupt a North Korean global malware network, Pyongyang continues to steal its way across cyberspace to fund its nuclear weapons program. Tehran, despite sanctions and indictments, continues to hack U.S. and allied enterprises.
The administration has taken positive steps, including delegating greater authority to the Pentagon to conduct offensive cyber operations. Last September, the administration released its Department of Defense Cyber Strategy, emphasizing that the department will “deter,” “persistently contest,” and “defend forward to disrupt or halt” adversarial cyber operations. To accomplish this mission, as of one year ago, CYBERCOM’s 133 Cyber Mission Force teams have reached full operational capacity.
More recently, President Trump appeared to confirm news reports that CYBERCOM knocked out the internet access of a Russian troll farm, the Internet Research Agency. Comments by members of Congress seem to credit U.S. military cyber operations with thwarting Russian midterm election interference.
If accurately reported, these are positive steps—but they are insufficient. Thwarting an attack is not the same thing as deterring one. As the National Defense Strategy Commission (NDSC) stated last year, “It is painfully clear that America is not competing or deterring its adversaries as effectively as it should in cyberspace.” As the NDSC concluded, “We must operate more nimbly, aggressively, and effectively in this crucial domain.”
We cannot allow our competitors and adversaries to operate against us with impunity in the cyber domain.
It is not realistic to expect that we can end all cyberattacks on the United States, but more agile, active, and offensive cyber operations can shift the cost-benefit analysis of key cyber adversaries and begin to establish the great power and rogue state cyber deterrence our national security requires.
Bradley Bowman is senior director for the Center on Military and Political Power (CMPP) with the Foundation for Defense of Democracies (FDD). Annie Fixler is deputy director of FDD’s Center on Cyber and Technology Innovation (CCTI). Follow Bradley and Annie on Twitter at @Brad_L_Bowman and @afixler. Follow FDD on Twitter @FDD and @FDD_CMPP. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.