Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow him on Twitter @Jason_Healey.
America's generals and spymasters have decided they can secure a better future in cyberspace through, what else, covert warfare, preemptive attacks, and clandestine intelligence. Our rivals are indeed seeking to harm U.S. interests and it is perfectly within the president's purview to use these tools in response. Yet this is an unwise policy that will ultimately backfire. The undoubted, immediate national security advantages will be at the expense of America's longer-term goals in cyberspace.
The latest headlines on covert and preemptive cyberplans highlight just the latest phase of a cyber "cult of offense" dating back to the 1990s. Unclassified details are scarce, but the Atlantic Council's study of cyber history reveals covert plans, apparently never acted upon, to drain the bank accounts of Slobodan Milosevic and Saddam Hussein. More recent press accounts detail cyber assaults on terrorist networks (including one that backfired onto U.S. servers) and Stuxnet, which destroyed Iranian centrifuges. American spy chiefs say U.S. cyber capabilities are so prolific that this is the "golden age" of espionage, apparently including the Flame and Duqu malware against Iran and Gauss, which sought financial information (perhaps also about Iran) in Lebanese computers.
Offensive cyber capabilities do belong in the U.S. military arsenal. But the continuing obsession with covert, preemptive, and clandestine offensive cyber capabilities not only reduces resources dedicated to defense but overtakes other priorities as well.
President Obama himself has presented the United States with a choice: "[w]e can either work together to realize [cyberspace's] potential for greater prosperity and security, or we can succumb to narrow interests and undue fears that limit progress."
Which choice will observers believe the president has made? America insists it wants a secure and peaceful cyberspace while sabotaging Iranian facilities with Stuxnet. Our government argues Chinese industrial espionage is completely unacceptable, but that disruptive and preemptive covert attacks are not escalatory but an acceptable norm. U.S. diplomats struggle to remain credible trying to convince Russia and China that the United Nations Charter and Geneva Convention apply to cyber conflicts. Nations question the U.S. model for peaceful Internet governance with the result that proposals from China, Russia, and even Iran get more support than those from U.S. diplomats.
Imagine for a moment you coordinated cybersecurity response for a major U.S. bank. Otherwise useful U.S. infrastructure protection efforts may seem less sincere to you when you learn that the government discovers critical vulnerabilities in major U.S. products but shares nothing with you or your company. Instead it weaponizes them to attack and spy on Iran. You can't even deduct your costs countering the predictable counterattack, the widely reported Iranian denial of service attacks against the U.S. finance sector.
Cyberspace, American leaders have not fully realized, is not like other national security issues. America's true cyber power is not the National Security Agency or Cyber Command, but our technology companies that create and maintain cyberspace and the factories, banks, small businesses, artists, and citizens that use it to enrich our commerce and culture and share it worldwide. Cyberspace isn't primarily a domain for warfighting, but the most liberating technology since the printing press.
The cyber age has barely begun. But already cyberspace is so dangerous, and with so few norms, it has been called the new Wild West. Its future is still a jump ball, however, and there is no way of knowing how sensitive that future could be to the wrong decisions today.
It is just barely possible that covert and preemptive U.S. cyber strikes will make that world more peaceful; the opposite seems far more likely. Conflicts in cyberspace—unlike those in the air, land, sea, or space—are more likely to cascade, escalate, and reflect against civilians as we all share the same cyberspace. If the U.S. government, with little public input, settles on the lowest common denominator of aggressive norms now, then tomorrow's cyberspace could end up ungovernable and nearly unusable, no longer the Wild West but Somalia.
The president will hear few dissenting opinions about these possibilities as debate is smothered, limited to a select few behind closed doors. Clearance levels are equated with wisdom, classification with truth, and special agents prowl to find leaks. Outside voices are rare, so few in the debate will have had the responsibility to help secure a business against cyber attacks, hoping that tomorrow would be safer and more secure than today.
President Obama has written that the "digital world is no longer a lawless frontier, nor the province of a small elite." Yet they are just the ones driving U.S. policy, sadly, to that very end.