In Search of Rules for Cybercombat
WASHINGTON — Ask finance ministers and central bankers about their worst nightmare and the answer is almost always the same: Sometime soon the North Koreans or the Russians will improve on the two huge cyberattacks they executed last year. One temporarily crippled the British health care system and the other devastated Ukraine before rippling across the world, disrupting shipping and shutting factories — a billion-dollar cyberattack the White House called “the most destructive and costly in history.”
The fact that no intelligence agency saw either attack coming — and that countries were so fumbling in their responses — led a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.
Something has changed since 2008, when the United States and Israel mounted the most sophisticated cyberattack in history on Iran’s nuclear program, temporarily crippling it in hopes of forcing Iran to the bargaining table. (The two countries never acknowledged responsibility for the attack.)
A cyberarms race of historic but hidden proportions has taken off. In less than a decade, the sophistication of cyberweapons has so improved that many of the attacks that once shocked us — like the attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea’s hacking of Sony in 2014 — look like tiny skirmishes compared with the daily cybercombat of today.
Yet in this arms race, the United States has often been its own worst enemy. Because it has been so incompetent at protecting its cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at them. That’s what happened with the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed.
Nuclear weapons are still the ultimate currency of national power, but they cannot be used without causing the end of human civilization — or at least of a regime. So it’s no surprise that hackers working for North Korea, Iran’s mullahs, Vladimir V. Putin in Russia and the People’s Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny and increasingly finely targeted. And therefore, extraordinarily hard to deter.
That is why cyberweapons have emerged as such effective tools for states of all sizes: a way to disrupt and exercise power or influence without starting a war. Cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack.
So while the United States remains the greatest cyberpower on earth, it is increasingly losing daily cyberconflicts. The range of American targets is so wide that it is almost impossible to understand all of the vulnerabilities. And because most of those targets don’t belong to the government — banks, power grids, shipping systems, hospitals and internet-linked security cameras, cars and appliances — confusion reigns over who is responsible for defending them. The United States has the most fearsome cyberweaponry on the planet, yet we’re afraid to use it for fear of what will come next.
The United States’ problem isn’t toughness — it’s an absence of strategy. The larger lesson of the past few years is that unless it gets smarter about deterring cyberaggression, much of what binds our digitally connected society will be eaten away. The United States has spent so much time worrying about a “cyber Pearl Harbor,” the attack that takes out the power grid, that it has focused far too little on the subtle manipulation of data that can mean that no election, medical record or self-driving car can be truly trusted.
The United States needs to establish global norms clarifying that some targets are off limits: election systems, hospitals and emergency communications systems, and maybe even electric power grids and other civilian targets.
Microsoft’s president, Brad Smith, has proposed digital Geneva Conventions that begin to establish those norms, outside the structure of governments and treaties. It’s an imperfect solution, but a start. Intelligence agencies hate this idea: They want the most latitude possible for future operations. But in any arms control negotiation, to create limits on others, you need to give up something. Otherwise, the United States will remain trapped in an endlessly escalating war, one it may well lose.