Cybersecurity: A Whole-of-National Power Approach
President Barack Obama’s decision to impose a range of sanctions against Russia for its successful network strike and information operation against the U.S. electoral process was an excellent first step towards an improved cyber deterrent capacity. However, we must do much more at home to harden our networks and critical infrastructure if we are to better meet the national security challenge.
To be a stronger, more resilent nation against cyber and critical infrastructure attacks, we must rely on all elements of national power, not just military institutions. Improving the physical and network security of critical infrastructure is a vital strategic challenge, a national security imperative, and needs to be a top priority for the incoming Trump adminsitration.
This is now the age of merged homeland and national security. Adversaries see critical infrastructure as a persistent target to be attacked. This, in turn, makes hardening physical and network infrastructure a key element of strategic deterrence. We must make both physical infrastructure—and the networks on which they depend—more defensible and resilient. Critical infrastructure is the nation’s operational and economic machinery, such as electrical power, water, financial, and transportation systems. Without their effectiveness, the United States will suffer grave damage to its national power.
Among the shortcomings in the protection of critical infrastructure is the lack of private sector voluntary and mandatory practices that leave companies persistently vulnerable. Defense of networks is and will remain an area for public-private partnership. Neither the public nor private sectors have the means to separately defend their networks and attendant dependencies. The private sector owns and operates the vast majority of networks associated with critical infrastructure, and private sector cyber security companies are just as capable—if not more so—than their government counterparts. Therefore, government must treat the private sector as a co-equal in network defense and response, and the private sector must acknowledge governments may be the best aggregator and dispenser of all-source threat data—meaning cooperation with government increases the chance of systemic network integrity.
The federal government must improve its accessibility to the private sector and elevate the mission of critical infrastructure network defense. Despite years of known penetration by strategic competitors like China, adversaries like Russia, and a host of non-state actors, there is still no central hub for national network defense. The military has built institutions for the defense of military networks, the FBI has built capability for investigating and prosecuting cybercrime, the Department of Homeland Security (DHS) has the nation’s only directorate focused on network and critical infrastructure resiliency, and the intelligence community’s NSA and CIA track threats and attack networks overseas. These four different communities have different focuses and authorities, and they compete for human capital and attention from the private sector, as well as make it difficult to determine accountability for successes and failures.
The United States must elevate the importance of domestic critical infrastructure and network defense. Successive Secretaries of Homeland Security have attempted to increase capacity and outreach to the private sector, and there is notable progress. We must accelerate this progress, and make it even more effective.
The DHS is the lead federal agency for securing the nation’s .com and .gov networks, and is the lead federal agency for securing the nation’s critical infrastructure and key resources. In the 14 years since Congress created the DHS, the nation has built a considerable web of information sharing, risk mitigation, and response capability that is far from perfect, but much better than not having made these investments. Those capabilities include the stand-up of the DHS National Cybersecurity and Communications Integration Center (NCCIC), and Community Emergency Response Teams (CERT). The DHS has a National Program Protection Directorate (NPPD) that is the nation’s only integrated network and physical critical infrastructure defense organization.
The DHS also maintains a network of Protective Security Advisors that conduct analysis of vulnerabilities and provide mitigation options for critical infrastructure owners and operators. Other parts of the DHS have co-built with states and localities a national network of Fusion Centers for the receipt, analysis, gathering, and sharing of all source threat-related information.
While the DHS may be the nation’s front line in countering network attacks against the homeland, Congress has failed to authorize the establishment of a singular DHS operating component that has this national security priority as its core mission. The private sector needs a clear, well defined primary federal point of contact, and absent a central, capable hub, the ever-important public-private sector partnership will not have a chance at optimization.
President-elect Trump and others argue the U.S. military should be given the mission of defending domestic critical infrastructure and its cyber networks, but this would be a major step backward. The U.S. military certainly has great capacity to defend its own network and plans for integrated network attacks in its war-fighting campaign policies, but this is vastly different than having the capacity to work daily with the private sector on homeland critical infrastructure security. Public-private sector cooperation is hard enough for industry, but just imagine the business reputation impact on companies that voluntarily share sensitive data with the U.S. military. It is a misnomer to call U.S.-based technology companies “American companies.” They are world-wide and have fiduciary responsibility to meet global shareholder requirements. Multi-national company cooperation with the U.S. government is hard enough, cooperation with the U.S. military is a reputation-killer.
There are also practical and legal constraints on assigning domestic critical infrastructure defense to the uniformed military. On the practical level, this would be an enormous mission requiring reassigning large numbers of personnel that would be diverted from support to on-going core defense activities like fighting the nation’s wars overseas. Second, the U.S. military would have to recreate long-standing relationships with private sector stakeholders—relationships already cultivated by DHS and FBI over the past 14 years. There would also need to be major changes in law as the U.S. military does not have domestic arrest and investigatory authority.
Rather than looking to the uniformed military to better harden our domestic networks, we should strengthen the capacity and reach of the DHS so it can become a stronger tip of the spear partner with the public and private sectors across the nation.
Russia’s attack on our electoral process highlights the need for better whole-of-national power response planning. Reflexively, some say the U.S. military should be responsible for attacking back. Some also argue Russia’s strike is an “attack on the nation,” thereby shifting action from “homeland security” to “homeland defense.” This is incorrect thinking and military-centric in an inherently non-military battlespace.
The Department of Defense (DoD) is the nation’s premier planner and has far and away the most capacity to operate in physical space. However, its primacy in planning masks the reality that the establishment of cyber deterrence and offensive options should be dominated by the non-war fighting community and rely less on military strengths. The military lacks most of the legal, policy, and regulatory authorities resident in the domestic agencies to effectively partner with the private sector.
There are profound differences between kinetic strikes and cyber-attacks—including network enabled strikes that have a physical effect—making non-military options preferred. Cyber is a means for espionage, criminality, suasion, facilitating military operations, and political activism. Countering these outcomes will most often come from our own tool kit of spies, covert action, economic sanction, and diplomacy. Of course, the U.S. military remains our vital ultimate guarantor of our physical security, but it is difficult to imagine the President turning to the uniformed military—excluding military intelligence arms like the National Security Agency (NSA) that are part of the intelligence community under the command of the DNI—to “hack back” or conduct non-attributable operations vital to cyber deterrence. Most likely, a President will turn to the intelligence community, the economic sanctions arm at the Department of Treasury, and diplomatic measures at the Department of State to make clear that we have the means and will to respond in kind.
Russian action against our political processes is not a first for Moscow, and such methods will not stop following the 2016 U.S. election. These actions do cross a threshold of aggressiveness that compels response, however, that response must come as a better defended homeland and the appropriate application of offensive tools. It may be easy to look to the uniformed military to protect against network-based aggression, but doing so would greatly reduce the capacity we have to stabilize the rapidly changing world order.