America Is Losing the Cyber War

Russia, China, Iran and North Korea have a tactical edge against U.S. digital restraint.

U.S. News & World Report

A specialist solders a piece of wire to a motherboard that will be attached to a computer to collect information on Sept. 10, 2014, at the Defense Computer Forensics Laboratory, in Linthicum, Md. The U.S. currently falls behind other nations in its cyber abilities. AP

Russia, China, Iran and North Korea routinely launch cyberattacks on civilian areas, hacking private companies or undermining foreign militaries, using online tools to manipulate information or digital propaganda to shape others' opinions, and employing digital mercenaries to do the work.

The Chinese military stole U.S. plans to the technically sophisticated F-35 Joint Strike Fighter, allowing Beijing to create the copycat J-31. Hackers with connections to the Iranian government were charged earlier this year for attacks on U.S. banks and a dam in New York. North Korean operatives released a trove of damaging emails from Sony as the entertainment company planned to release a comedy with an unflattering portrayal of the country's leader. And Russia is widely suspected in a hack of the Democratic National Committee that could amount to a bid to undermine the integrity of the upcoming U.S. election.

The U.S., as of right now, is not fully prepared to match incidents like these.

In Georgia and now in Ukraine, Russia has demonstrated its ability to integrate full-scale cyberwar into its military maneuvers, further threatening U.S. allies along its border. But shortcomings with such 21st-century tactics plague America's military, which emerged from the Cold War, dedicated 15 years to fighting insurgencies in the Middle East and now faces the potential for a different kind of combat against potential foes who time and time again have tested its cyber capabilities.

Complicating the ability to hit back nimbly are strict policies on how the U.S. is willing to conduct digital warfare. There are hard-line and at times overly dense barriers between cyber operators cleared to carry out the government's business and those who aren't, even though the latter often find themselves inadvertently at the front lines of digital warfare. War planners often lump all digital instruments under the homogenous subject "cyber," even though that represents a broad variety of tools and mediums, and don't yet have policies governing how to respond if forced to. And, perhaps most importantly, the U.S. has proportionately little experience with this kind of battle in the real world.

"The assumptions for a lot of us in this space is the nations who have been at combat the longest would have developed a robust way of including these tools into battlefield use," says Jason Healey, an Air Force veteran and frequent adviser to the White House, Pentagon and private sector, now a senior research scholar at Columbia University.

Too many U.S. combat commanders believe developing cyber tools is as clear-cut a process as making and employing conventional weapons. Bombs or bullets, for example, produce reliable effects each time the military chooses to employ them, and everyone along the chain of command understands the specific consequences of doing so.

"I don't see us having that kind of confidence at any one of those levels," Healey says of the current cyber alternatives.

America's cyber shortcomings were at the center of a congressional hearing earlier this month during which Sen. John McCain, the chairman of the powerful Armed Services Committee, pressed the nation's two top officials for digital combat to appraise the military's ability to respond to cyber aggression.

"The cyber threat is one of the greatest challenges we face," offered Marcel Lettre, undersecretary of defense for intelligence.

The Arizona Republican prodded, citing former Joint Chiefs Chairman Martin Dempsey's troubling acknowledgement in January 2015 that cyber is the only major field of warfare in which the U.S. doesn't have an advantage over its foes.

"It's a level playing field," the Army general said at the time, "and that makes this chairman very uncomfortable."

When pressed on whether this was still the case, Navy Adm. Michael Rogers, the head of both the National Security Agency and U.S. Cyber Command, simply told McCain, "Yes."

One of the greatest problems facing the military and other elements of the U.S. government that work in warfare and intelligence is the private sector's unwillingness to share information with them and their unwillingness to share with one another, particularly across government agencies that don't routinely interact. Dempsey referenced this in 2015, and experts maintain it's still a problem today.

"There's a lot of talk in the U.S. about public-private partnerships," says Nate Fick, a Marine Corps and Iraq War veteran who now serves as CEO of Virginia-based cybersecurity company Endgame. "Most of them are thin."

The government routinely informs private industries Endgame works with if they've already been subject to an attack, Fick says, granting them information they might not have been able to compile on their own. But companies that have been targeted rarely return the favor over concerns of giving up sensitive materials, particularly if it means working with large bureaucracies like the CIA or NSA where information on hacks quickly becomes classified and less likely to be shared.

Contributing to this problem is the government's insistence on treating cyber operations as a clandestine field. Incidents of hacking usually become classified once they reach the government level, making it difficult to share publicly or even within the government.

This compartmentalization is just one example of a broader problem the government faces, that cyberwarfare is so relatively new that it has not yet established a set of rules or procedures for how it should respond to incidents of cyber attacks or hacking.

The advent of a new kind of weapon has historically prompted the military to develop some sort of doctrine informing its commanders how to respond. The appropriate use of nuclear missiles, for example, has routinely come under review within military circles as that weapon's significance changes over time.

These rules are never perfect nor complete, and their application still relies on leaders having to make decisions specific to that time. This was true during the Cuban Missile Crisis, the 2001 Hainan Island incident in which a Chinese fighter jet and U.S. surveillance plane collided, or any other time when an isolated encounter could have turned into global war.

Private sector cyber specialists say most global powers wielding the ability to hack understand how far is too far and don't cross the line between economic espionage and an act of war.

Cyber, however, is doubly complicated because malicious actors are technically capable of hiding their tracks or, perhaps more damagingly, making it appear a hack was carried out by someone else. But even a firm understanding of an opposing force has its limitations.

"The U.S. can get pretty far," says Matt Devost, managing director at Accenture Security. "I would say in a majority of significant attacks, the U.S. government has a high level of confidence with regards to who was involved.

"But, it might not have the political will to release those details or the methods in how the attribution was achieved," he says.

That has led to speculation and uncertainty about the frequency and the effectiveness of U.S. responses. Weeks after the FBI named the attacker in the Sony hack and days after President Barack Obama vowed to "respond proportionally," the internet in North Korea experienced a widespread blackout lasting nearly 10 hours that some experts believe shut down service across the entire country. U.S. involvement has never been proved, and the failure could simply have been a coincidence. Russia, too, has claimed that U.S. interests have waged cyber attacks on its state-run news service. And the Stuxnet virus America reportedly engineered with Israel that was discovered in 2010 successfully sabotaged an Iranian nuclear facility.

In other cases the U.S. has restrained itself, such as in the aftermath of a hack on the Office of Personnel Management that released personal records of over 20 million Americans, supposedly orchestrated by the Chinese. The administration was reportedly hung up over how to respond without escalating the conflict.

It's a chronic problem in government, particularly in the military, where officials and senior leaders have become reflexively reluctant to talk about cyber operations and particularly the successes of America's foes.

The circumstances that have previously prompted releasing this information have been extreme and usually already somewhat a matter of public awareness. Blaming North Korea for the 2014 hack and release of emails from Sony, for example, was one of the few times the U.S. government has spoken publicly about a cyberattack. The same has been true for implicating Iranian actors in denial-of-service attacks against U.S. banks, as well as some instances of Russian activity in Ukraine.

Despite all these restrictions, the U.S. military is working to catch up.

The head of the Marine Corps sent a message to all the troops under his command in January discussing new exercises they would undertake to try to meet the capabilities of adversaries he didn't name, but which very likely included Russia and China.

"As we have remained engaged in the current fight and operationally committed, our enemies and potential adversaries have not stood idle," wrote Gen. Robert Neller, the Marine Corps commandant. "During these years, they have developed new capabilities which now equal or exceed our own."

Neller repeated this warning in an August message to all Marines, announcing he would create a new experimental unit to study how to prepare for future wars. Developing greater cyber capabilities was one of the principal mediums he cited.

The U.S. Army is actively working to incorporate cyber operators into its conventional military units. Specialists experimenting with these new tactics tell U.S. News they're focusing on learning to reverse-engineer enemy opponents' cyber tools to defeat them before they have any effect on American targets.

"It burns their toolsets because cyber weapons are unique in one way: Unlike a 2,000-pound bomb that you can drop, or a Hellfire missile you can fire, and you know that's going to achieve the same effect every time you do it, against a target with a cyber weapon, if we can catch that weapon, see what it does, then reverse-engineer it, we can stop it," says Army Capt. Robert Busby, a defensive cyber operations planner based out of Fort Gordon, Georgia.

"Every time you fire that weapon, you're basically hitting the 'tank' with 'rubber bullets,'" Busby adds. "We can deter them, because if they know they're going to burn a tool the second they use it, they're going to be a lot less likely to use it."

Part of the sluggishness in America's ability to adapt to these threats stems from its decision to lump together with cyber what the military calls information operations – propaganda – and electronic warfare, or hacking and jamming the enemy's ability to use its computers and other forms of communication equipment. Cyber, however, has won out as the military's principal focus.

That shortcoming has come under new scrutiny, following reports the White House would like to split the NSA from U.S. Cyber Command, Rogers' "dual hat" jobs.

"I would not sell short what we've done in 15 years of war," Healey says. "But that's been against a relatively unsophisticated adversary. Without a doubt the Russians have been able to do this against a more sophisticated opponent and learn some lessons about how to put cyber against information warfare and against electronic warfare."

Part of Russia's effectiveness has been its willingness to rely on hired guns, including criminal syndicates who can wage digital war for cheap and more swiftly, but who aren't as beholden to the state as America's federally vetted cyber operators are.

"Putin has no problem with that, and right now that's his asymmetry," Healey says. "Maybe that's going to be useful for him against Ukraine but that's not going to do so well if you ever have to face NATO combat power."
