In a House Armed Services Committee hearing this week, experts from the private sector testified about the need for a new outlook on cyber strategy to better meet the challenges and opportunities for the future of cyber warfare in the United States.
“As we’ve seen in recent years, cyber is being used by both nation-states and non-state actors in ways that challenge our traditional notions of what is war,” U.S. Rep. Mac Thornberry (R-TX), chairman of the House Armed Services Committee, said in opening remarks. “It is being used to destroy, to steal and to influence.”
The hearing, “Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities,” included testimony from Jason Healey, nonresident senior fellow of the Cyber Statecraft Initiative at the Atlantic Council; Martin Libicki, adjunct management scientist at RAND; and Peter Singer, strategist and senior fellow at the New America Foundation.
“The United States can build a new set of approaches designed to deliver true cybersecurity, aiming to protect ourselves better, while reshaping adversary attitudes and options,” Singer said. “Or, we can keep on talking tough and simple, and continue to be a victim.”
According to the testimonies, there is currently too much focus on an impending “cyber Pearl Harbor.” While cyber weapons are useful tools of espionage and war, they cannot be classified as “weapons of mass destruction,” Singer said. The misconception of the imminent danger of cyber attacks has been causing a tunnel-visioned view of how to handle cyber vulnerabilities.
“We need a better understanding of end-to-end vulnerability,” Libicki said. “We cannot continue looking at each compartment piece, but as the whole like the attackers are looking at, at the damage they will achieve on the whole. And in that, we must have a military that can think on their feet and be sufficiently trained to put the pieces back together after a large-scale cyber attack.”
Healey, who is not concerned about the current cyber attacks that have taken place in the country, said that one of the problems today is that there are more than 6,000 people preparing for a fight separately, but a unified cyber force from the public, private and governmental sectors is what will create stronger protection.
“Cyber attacks have tended to take down 1s and 0s,” Healey said. “The more we bring in the Internet of Things, however, the more opportunity there will be to start bringing down things made of concrete. Cyber attacks now have not been that bad. And I think we will look back on these days as the halcyon days where people weren’t dying because of these attacks if we fail to create a proper response.”
The best response, Singer said, was creating a response of deterrence by denial, or resilience.
“By making attacks less beneficial to the attacker, you make them less likely,” Singer said. “Most importantly to the problem that we face in the diversity of cyber threats, it is useful for responding to them all.”
A unanimous opinion of the three was the disentanglement of the National Security Agency (NSA) and the United States Cyber Command, created under the NSA in 2009.
“Our most dynamic force is not Fort Meade and it will never be the Pentagon,” Healey said. “The private sector has better levers to handle and blur an attack in cyberspace. The NSA can attack back, but they don’t have the ability to bend cyberspace defensively like an independent Cyber Command would be able to. Sometimes two heads and two hats are more American than one.”
Singer said the initial reason Cyber Command had to be created under the NSA was to give a voice to the new force. That time, he said, has passed.
“They need to be split as the evolution of cyberspace has created new divides in information and security,” Singer said. “And it will not and should not be instantaneous. There needs to be a way to disentangle the two in a way that will not disrupt their efficiency and efficacy.”
With the evolution of cyberspace and the challenges it now creates, there is a need for trained individuals not only in the military, but always for those outside of the uniform, Singer said. Challenges of how to incentivize and pull talent to a cyber force needs to be addressed through the military as well as through academic and private programs.
“I think the division of cyber training depends a lot on what the military can and can’t do,” Libicki said. “And often times it’s a technical difference. You can’t say that physical will be military and that cyber will be non-military. You have to look at what tools do you use and how do you deploy those tools, whether those tools are based in architecture, code, or personnel. You have to follow the technologies to determines roles and missions.”