Congressional computers have been penetrated, probably by the Chinese. The avionics system of the F-22 fighter may be compromised. Computers of our presidential candidates were hacked into — and probably not by teenagers on a lark. Last year’s advance of Russian tanks into Georgia was accompanied by the disruption of Georgian government computer systems.
These are only public manifestations of a new reality: Attacks on computer systems will be an integral element of future conflict, and the United States is more dependent on computer networks than any other nation.
Both policymakers and the military are in the early stages of coming to grips with this threat. We need to take some important first steps to strengthen our national capability to defend ourselves in cyberspace.
First, we must abandon the notion that static defenses will help us against sophisticated threats. One bipartisan Senate bill proposes to establish a government committee to set standards for all computer systems and software. This is the electronic equivalent of building a Maginot Line of concrete fortifications against a mobile enemy. It may keep common criminals at bay, but it will be no defense against a mobile and adaptable top-tier adversary. American government and private computer systems operate on an interconnected global network that is constantly changing like a biological organism. It operates at light speed, and both friends and adversaries are connected to the same network. We must anticipate that the most dangerous players will stay quiet until a time of national tension.
Our cyber-defense capabilities must be inherently dynamic, with a close connection between system operators, intelligence analysts, and the researchers who can rapidly build and deploy tools to protect or restore vital capabilities.
Second, our intelligence on other countries’ cyber-capabilities must be strengthened. We have scores of trained experts who know the ins and outs of foreign radars and missile systems and almost none who are daily tracking cyberthreats in all their manifestations.
What new tools are under development and how do they work? How do other countries and non-state actors train their people? What do they value and what, if anything, can deter them? How do the entities that pose a threat communicate and who commands them? Who are these guys, anyway? We need to know more about our sophisticated adversaries before they strike so that we can defeat them.
Third, while there are national security systems we certainly need to protect, our greatest vulnerability as a nation is outside the government. Our banking system, our telephone communications and our electricity grid are all owned and run by private companies and are interconnected to the global computer network. We must anticipate that an adversary determined to cause economic damage or enhance the fog of war will exploit these vulnerabilities.
Currently, there is a strong disincentive for private entities to reveal that their computer systems have been compromised. For example, a bank that lets people know that its computers have been penetrated will see business move elsewhere and stock prices drop even if its competitors are dealing with the same problems.
Yet an important part of protecting ourselves is sharing information about what probes and compromises are found before a period of crisis or heightened tension. While the government could mandate reporting of certain threats, some problems are so difficult to identify that failure to report would be easily justified. And a compliance-oriented reporting system will not encourage the learning needed or expand the capacity of critical private-sector systems to protect themselves.
A better approach is to align the interests of stockholders with the interests of national security by establishing a trusted safe harbor where private entities can confidentially share information and get help from cyberexperts in and out of government. Such an information clearinghouse could, without attribution, share information with other private entities so that everyone benefits. The motivation to share information would be immunity from liability when private entities report problems.
Government and private computers in this country are attacked millions of times a day. Many of these attacks are easy to identify and stop. The most sophisticated ones are not, and we must establish patterns of close cooperation and information-sharing among public and private experts to give ourselves the best chance to mitigate a substantial attack on vital systems.
Cyberwarfare is a realm where technology is fast outpacing policy, doctrine and law. We must start closing the gap.
Heather Wilson was a representative from New Mexico in the U.S. House from 1998 to 2009 and served on the House intelligence committee for six years. She consults on cybersecurity and other national security matters but has no financial stake in the policies advocated here.