The Debate
What Kind of Cyber Defense Does America Need?
We are at War in cyberspace. While lawyers might quibble about the definitions of armed attacks, the fact of the matter is that, for around a decade, we’ve been in a series of consistent— albeit small-scale—conflicts in cyberspace. They have intensified recently, particularly since the start of the COVID-19 pandemic, and have had a massive impact on the American public and private sectors. Standing alone, cyber-enabled economic warfare conducted by China drains the American private sector of billions of dollars a year, with total damages estimated in the trillions. Former NSA Director Gen.
Keith B. Alexander described this concerted effort as “the greatest transfer of wealth in human history.”
Even worse, in the last six years alone, we’ve seen our adversaries undertake attacks tantamount to acts of war. For example, we’ve seen North Korea and Iran engage in the affirmative destruction of data and the bricking of computer systems here in the United States. And the threat level continues to grow. Just last year, then-director of National Intelligence Dan Coats told Congress that Iran is actively “preparing for cyberattacks against the United States and our allies” and noted that “China has the ability to launch cyberattacks [in the U.S.] that [could] cause...disruption of a natural gas pipeline for days to weeks.” Russia’s covert influence campaign undermined public confidence in our elections and rule of law institutions, but Russia is also actively “mapping our critical infrastructure with the long-term goal of being able to cause substantial damage,” including by “disrupting an electrical distribution network for at least a few hours.”
Notwithstanding the significant costs imposed on the American people and our economy by these activities, the Russians and others have paid little price for their actions. While we’ve imposed limited sanctions against Russia (primarily because Congress pushed for them), have indicted some key actors in both Russia and China and imposed some limited trade measures against China, the continued pace of activity from our adversaries in cyberspace makes clear that they are largely undeterred. This is especially clear given the frenetic activity we’ve seen in the recent months as threat actors have sought financial and strategic gains, including targeting institutions conducting cutting-edge vaccine research.
And yet, even in light of all this, there are those who would have us unilaterally disarm—or significantly constrain ourselves—when it comes to responding to cyber activities.
In order to stop the current onslaught in cyberspace, we must effectively deter our opponents by making the costs of taking action against us outweigh the benefits. For far too long, we have failed to do this in the nascent cyberwar and, as a result, our enemies have gotten more bold. As such, the fact that American offensive actions in cyberspace might be painful for our adversaries is not
a bug—it’s a feature. We should be careful to avoid unnecessarily imposing costs on civilians or causing wanton damage to people and property. But for the better part of a decade, our opponents have fundamentally undermined our economy, conducted deliberate and destructive attacks and are actively putting in place capabilities to conduct very real harm to our people. Given all this, now is exactly the wrong time to unilaterally disarm.
Notwithstanding some recent important changes to our cyber response posture, we still face a significant onslaught. There are many reasons for this, including that when we do act, our responses appear to have been fairly limited in nature and may not impose significant enough costs. We should be clear about our capabilities, put out a clear declaratory policy on cyber redlines and be earnestly willing to take swift, decisive and visible action when those lines are crossed. It’s not that deterrence doesn’t or can’t work in cyberspace—it’s that we simply don’t really practice deterrence today.
And to those who say deterrence is always escalatory, one need only look back at recent history to prove them wrong. In the early part of the Syrian civil war, notwithstanding his infamous redline on chemical weapons use in Syria, President Obama waffled publicly after the Assad regime used
“The fact that American offensive actions in cyberspace might be painful for our adversaries is not a bug—it’s a feature.”
sarin on its own people. He ultimately backed off, significantly weakening us in the eyes of friends and foes alike.
In contrast, when the current administration responded to Iranian proxy attacks killing Americans in Iraq with a devastating blow, taking out its elite military leader, Qassem Soleimani, American newspapers were full of editorials opining that we were on the precipice of full-scale war with Iran. All the hand-wringing was for nought. Rather than take us into war, the current administration’s bold and forceful response got the attention of the Iranians, forcing them to rethink their decades of attacks on American forces.
So what does all this tell us? First, it ought to be clear that, with cyber threats at an all-time high, now is not the time to step back. To the contrary, we ought to provide more resources and authority to those taking the fight to the enemy in cyberspace. Second, we need to help build up our defenses at home so that we can limit the damage caused. The American government must provide effective, real-time direct assistance to critical infrastructure providers in the private sector to help them rapidly upscale their defenses. This collective defense approach will require the government to collect and share highly classified intelligence at scale and speed and actively collaborate with the private sector on defense. If we are to succeed in this very real war, we must make clear to the world that while we did not start this fight, we will bring it to a successful close.
→ Jamil N. Jaffer is the founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School. The views expressed in this article are the writer’s own.