The U.S. government has super cyber defense strategies backed by secret tools making us invulnerable to attack.
Recap–a rising threat
The actual defensive and offensive cyber attack/cyberwar capabilities of governments around the world are speculative, at best. However, it would be a mistake to assume that behind the scenes, the U.S. government has super cyber defense strategies backed by secret tools making us invulnerable to attack. –Again, this is because boundaries between public and private Internet domains are porous. Consequently, once malware and other malicious cyber attack tools are developed by major international nations, they become increasingly vulnerable over time to theft by smaller governments (e.g., North Korea) and, ultimately, to the black market for sale to criminal groups, including terrorists.
Other factors creating growing instability
As with other weapons technology, governments almost invariably ignore the long-term downside of escalating military capabilities. In fact, they are driven by an imperative expressed by John Paul Jones several centuries ago–“It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win.” That said, with the increasingly lethal potential of modern weapons, beginning with the ‘nuclear balance of terror’ beginning mid-20th century–and now with cyber weapons, what benefit does ‘winning’ have if the outcome is lose-lose? –That said, if the objectives of an opponent are driven by an illogical, barbaric ideology, all bets are off.
To date, major terrorist organizations have either not obtained nuclear weapons technology–or, perhaps, not yet implemented whatever secret capabilities they already have. A parallel uncertainty increasingly applies to future to cyber warfare capabilities.
Emerging rules of engagement?
Recent statements from the U.S. government indicate that the Defense Department is attempting to establish ‘rule of engagement’ to govern future cyber conflicts.
- Case in point– when the U.S. government officials discuss U.S. offensive cyber capabilities, they have said “any future attack would be made in accordance with the laws of armed conflict, and that the “Defense Department will always be attentive to the potential impact of defense policies on state and non-state actors’ behavior.” This language signals that the United States wants to avoid attacks that would hurt civilians and expects other nations and non-state entities to adhere to this imperative.
- New documents specifically acknowledge that the United States is capable of attacking other countries’ information systems, and is willing to do so under some circumstances. One states there “may be times when the President or the Secretary of Defense may determine that it would be appropriate for the U.S. military to conduct cyber operations to disrupt an adversary’s military related networks or infrastructure so that the U.S. military can protect U.S. interests in an area of operations.”
- The U.S. also now claims that deterrence is possible in cyberspace, despite challenges in identifying the source of an attack. Just today, for example, China once again asserted that the attack on the U.S. Operation of Personnel Management in September was not directed by their government, as U.S. officials had assumed, though it apparently came from hackers inside the mainland. –Nonetheless, the U.S. government believes it has the forensic tools necessary to identify hackers (but how quickly?) and punish them in proportional measure to damage done.
- Finally, the U.S. is betting on ‘deterrence by denial’ – i.e., attempting to make defense systems so resilient that they are invulnerable to attack. Unfortunately, regardless of U.S. military cyber defenses, most U.S. infrastructure is in the private sector, where security is notoriously weak. Installing defensive security measures is expensive and, to date, optional for large corporations. They often chose not to comply even with minimal measures.
- Finally, it will be interesting to see if the United States now starts to take action against businesses and individuals who buy and sell cyber attack tools. This is probably already happening covertly.