Friday, February 26, 2016

Waging War in Zeros and Ones

The U.S. dominates the fields of hardware and software. But it remains uniquely vulnerable because its so connected to the Internet. 

By GARY SCHMITT Feb. 25, 2016 7:39 p.m. ET 

Access to the Internet has become almost as ubiquitous as tap water—perhaps even more so. If Cisco Systems’ analysis is correct, some 75 billion devices—from kitchen ovens to nuclear power plants, from medical implants to satellites in space—will be connected to the Internet by the end of this decade. Through the narrow lens of access, it appears that we’re living a digital utopia: Information can be shared instantaneously, with little regard to borders or nationality.

Adam Segal sees such connectivity as a double-edged sword—or worse. Like the older commons of the sea, he argues in “Hacked World Order,” the new digital global commons has become an arena in which powers both great and small are now skirmishing and staking claims. In the past few years, the Internet has become a highway for economic espionage; a path to steal critical defense and security secrets; a tool for coercion and information warfare; and a place to lay the groundwork for potentially far more destructive cyberattacks on critical infrastructure should real war break out. Mr. Segal’s book is a compendium of all the various ways that these phenomena are playing out among the United States, China, Russia, Europe, Israel and nonstate actors like Islamic State and al Qaeda.
By Mr. Segal’s count, there are now more than two dozen states with teams and organizations whose job it is to design and conduct offensive cyber operations. Already, economic espionage by Russian and Chinese hackers against the United States has resulted in what one senior U.S. intelligence official has called “the greatest transfer of wealth in history.” Meanwhile, Russia directed cyberattacks against Estonia; China rifled through millions of U.S. government personnel files; Iran destroyed the computers of a Saudi oil company; North Korea hacked into Sony Pictures; and America (with a likely assist from Israel) attacked Iran’s nuclear program through the malicious software Stuxnet. As Mr. Segal puts it, if “history is one damn thing after another, the history of the digital age seems little more than one damn cyberattack after another.” 


By Adam Segal
PublicAffairs, 306 pages, $26.99
The paradoxical position the U.S. finds itself in, Mr. Segal writes, is that it is both “uniquely powerful and vulnerable” when it comes to the competition in cyberspace. It wields a dominant position in the fields of hardware, software and offensive cyber capabilities. But the U.S. is so connected to the Internet that its cyber borders are too many, too diverse and too poorly guarded to secure effectively.
In times past, a hegemonic position in a commons, like that of the British Royal Navy on the high seas, would be sufficient for a power to begin setting the norms for what can be and what shouldn’t be done in that contested space. But in cyberspace, the U.S. is not nearly that dominant. Even nations that would traditionally defer to the U.S., such as Germany and other European allies, are challenging the America-led system. Both for reasons of principle, such as privacy concerns, and for baser motivations, such as national commercial interests or regime stability, democracies and autocracies alike push policies that would fragment the open Internet. Some seek to censor content, while others want to “Balkanize” the net, creating national pockets of connection protected from foreign surveillance and American companies that dominate the Web commercially. 
It’s a trend, Mr. Segal argues, that is not going to be reversed anytime soon, if ever. Thus “the question for U.S. policy makers is whether to continue to fight the battle over competing visions of cyberspace or to design policies that mediate and respond to the splintering of the global Internet into national sovereignties.”
For Mr. Segal, such policies would begin with enhancing defenses for the government and private sector, ranging from the low end (two-factor authorization for log-in systems) to the high-end potential of quantum physics to provide a path to nearly absolute secure communications. But, he admits, at the end of the day such defenses cannot completely solve the problem. The reality is that hardware and software customers have an incentive to favor functionality and convenience over safety. From an accounting point of view, companies and governments know upfront what the cost of buying more security is, but can only guess what losses might accrue in their absence. In contrast, most states will have plenty of resources to toss at the offensive side, giving them the advantage. 
The author also says he would like to see greater cooperation between the private sector and the U.S. government, but then proceeds to lay out all the reasons that cooperation has been so difficult to establish: a lack of trust, liability concerns and ill-defined objectives. Finally, he argues that Washington needs to hammer out rules of the road with allies in Europe and Asia—and come to an agreement about consequences if those norms are ignored.
Of course, as Mr. Segal would concede, this doesn’t address how states like Russia, China and Iran behave in cyberspace. So far, naming, shaming and imposing a few sanctions has put barely a hitch in the step of these autocracies. To deter an adversary from crossing certain thresholds, a state must demonstrate that there will be a real cost for doing so. But, in cyberspace, the only way to do that is to expose a capability that, once revealed, becomes less effective.
To date, the uncertainty about what might happen should the gloves come off has kept the great powers from going “nuclear” in cyberspace. But self-restraint among states has a pretty spotty history when it comes to preventing the use of new military capabilities. Mr. Segal gives us plenty of reasons to wonder how long that restraint might last.
Mr. Schmitt is director of the American Enterprise Institute’s Marilyn Ware Center for Security Studies.

No comments: