8 May 2021

War in All but Name

Derek Bernsen

The U.S. is already at war, and Great Power Competition is that war.[1] The information war that has raged in various forms since the 1920s has evolved into cyber operations, such as Moonlight Maze, and disinformation campaigns, as seen in the 2016 U.S. Presidential election.[2] The U.S. National Security Strategy has recently tried to prioritize cyber and information warfare—a necessary step in our modern world. Yet, these steps do not go far enough to counter adversaries in these domains. Information warfare, combined with political and economic acts of aggression, comprises the majority of actions between the United States and Russia, and the United States and China.[3] These actions are at levels of hostility not seen since the Cold War era, as evidenced by U.S. Cyber Command’s (USCYBERCOM) persistent engagement strategy and the Chinese strategy of Unrestricted Warfare.[4]

IMPLEMENTING AND PRIORITIZING NEW CYBER AND INFORMATION WARFARE INITIATIVES AS A PART OF THE NATIONAL SECURITY STRATEGY WILL BE CRUCIAL TO AMERICA’S SUCCESS IN MODERN GREAT POWER COMPETITION.

Ultimately, Russia and China plan on winning the Great Power Competition by undermining the U.S., sowing discord, and continuing a secret war until the positions in the world order are reversed.[5] Implementing and prioritizing new cyber and information warfare initiatives as a part of the National Security Strategy will be crucial to America’s success in modern Great Power Competition. Specifically, the U.S. must more effectively leverage its cyber capabilities, as well as improve its understanding of adversary information warfare tactics, to keep the balance in its favor. To compete in this raging war, the authors of the National Security Strategy must answer the question: how can the U.S. leverage strengths and overcome weaknesses in cyber and information warfare to regain domain superiority?

Understanding the information space and cyber domain, how they have evolved, and how adversaries seek to leverage its advantages to achieve national goals is key to setting a new National Security Strategy. First, we must define the term “information warfare.” The private sector understands information warfare as disinformation, propaganda, and other activities based purely on the use and manipulation of information itself. The Department of Defense’s definition, which also includes intelligence, cyber, and electronic warfare activities, is used here instead.[6] As nations figure out how to leverage the power of the Internet while protecting their interests, there is a growing balkanization of the Internet into territorial boundaries which must be defended.[7] With growing balkanization efforts, countries are increasingly using the Internet to control narratives, conduct espionage, and launch destructive attacks on adversary countries.

The first shots of this war happened years ago. On the Russian front, 1999’s Moonlight Maze is essentially an opening salvo.[8] Millions of dollars worth of DoD data was exfiltrated, yet there was no retaliation from the U.S. This lack of retaliation showed Russia that it could conduct information warfare against the U.S. with impunity. Since then, Russia has grown bolder.[9] Vladimir Putin became President of the Russian Federation the same year that Moonlight Maze occurred, and began a gradual shift back towards Cold War stances. His actions against Estonia and Ukraine are apt case studies in how to integrate information warfare and cyber operations with kinetic forces.[10] Russia's successful integration represents a huge leap forward for military utilization of the information domain, and a level of proficiency that the United States has not yet come close to achieving.

Meanwhile, China is playing a long game in cyberspace, on a scale unfathomable to western strategists. Michael Pillsbury’s examination of this Chinese strategy in The Hundred-Year Marathon describes many events which could be considered an opening salvo.[11] The 2007 test of a Chinese anti-satellite missile serves as a turning point towards increasingly aggressive actions.[12] Aside from public condemnation of China’s disregard for the space environment due to the debris field created that will be in orbit for decades, China faced little repercussion from the international community. Since then, and perhaps even before then, China has singularly demonstrated its intent to become a world power. Due to the world’s continued ignorance, China pursues this goal more aggressively with each passing year. Since 2007, China has become more combative than ever, especially in the cyber domain. In the past few years, the Chinese government has conducted cyber espionage operations against U.S. companies, and even meddled in the 2020 U.S. election.[13]

INFORMATION WARFARE PROVIDES THE PERFECT MECHANISM TO ERODE U.S. POWER WITHOUT RESORTING TO DIRECT CONFLICT.

China and Russia both seek to undermine U.S. power and influence.[14] Adversaries of the U.S. have made strides in defending their defined Internet boundaries whether it is Russia demonstrating their ability to cut themselves off from the rest of the world or China’s great firewall.[15] Russia meddled in the 2016 U.S. election through hack and leak operations and disinformation campaigns, and tried it again in 2020.[16] China, meanwhile, is on a trajectory to overtake the U.S. as the world’s superpower well before their target date of 2049, largely through economic cyberespionage, and Belt and Road Initiative efforts. One cannot misconstrue these adversary actions as a simple nuisance, or “growing pains” within far away nations. They are, in fact, carefully planned and executed stratagems. Any misinterpretation of this fact is likely by design: both China and Russia recognize that direct conflict would be devastating if it happened today and so they rely on other means to achieve their goals.[17] This affords them a way to fight the U.S. below the threshold of armed conflict. Though some countries, such as France, are beginning to quantify what constitutes an act of war in cyberspace, the U.S. has yet to follow suit.[18] Simultaneously, China’s pursuit of “assassin’s mace” weapons and other strategic advantages that will improve their odds of winning a war if it turns into direct conflict.[19]

THIS CONFLUENCE OF ADVANTAGES COMBINED WITH THE ABILITY TO CONDUCT OPERATIONS FROM NEARLY ANYWHERE ON EARTH AND THE INDECISION AROUND WHETHER INFORMATION WARFARE EXISTS BELOW THE THRESHOLD OF ARMED CONFLICT MAKES THIS AN IDEAL DOMAIN TO COMPETE IN FOR ADVERSARY NATIONS LOOKING TO SUPPLANT THE UNITED STATES.

Information warfare provides the perfect mechanism to erode U.S. power without resorting to direct conflict. Developing or buying even the most sophisticated cyber capabilities are orders of magnitude cheaper than the research, development, production, and maintenance of kinetic forces and equipment.[20] Utilizing social media and other Internet platforms has made disinformation and propaganda cheaper and more effective than ever.[21] Cyber and information operations also have the advantage in difficulty of attribution.[22] A sublimely executed information warfare operation would erase its own tracks and sow doubt about whether it even happened, or spread misinformation about an operation that did—or didn’t—happen. The elements for a good information warfare campaign also apply to conspiracy theories.[23] Emotionally charged, self-sealing information utilizing human psychology as a weapon that spreads like wildfire and is impossible to dislodge or contain once it has taken hold. This confluence of advantages combined with the ability to conduct operations from nearly anywhere on Earth and the indecision around whether information warfare exists below the threshold of armed conflict makes this an ideal domain to compete in for adversary nations looking to supplant the United States.
LEGACY SYSTEMS CREATE A TARGET IN THE NETWORK THAT FEW PEOPLE KNOW WELL ENOUGH TO DEFEND.

This is especially the case where American legacy systems abound. Banking systems are infamously old and still run on thirty-year-old legacy software, giving adversaries an easy target.[24] While efforts are underway to upgrade, some will likely remain for another few decades. Especially as programmers willing to learn and work with these aging systems dwindle. Exacerbating this, many utility companies and Industrial Control Systems/Supervisory Control And Data Acquisition (ICS/SCADA) systems can easily be found on publicly available tools that constantly scan the Internet.[25] This is also a problem for the U.S. military which often clings to Windows XP and older systems. The Department of Defense has demonstrated its dependence on these legacy systems by paying Microsoft millions each year for continued support.[26] The Department of Defense is notorious for its struggle with its own acquisitions process ensures this is not a problem that will just go away.[27] Rob Joyce, the former head of Tailored Access Operations, in a 2016 talk, said the National Security Agency succeeds when intelligence professionals know a target’s network better than even its administrators do.[28] Legacy systems create a target in the network that few people know well enough to defend.

Demonstrations of the power and importance of cyber and information warfare frequently occur worldwide. Russia conducted cyber operations in Ukraine in order to facilitate the annexation of critical territory.[29] The malware NotPetya alone caused more damage worldwide than if an adversary had sunk a U.S. warship—not considering loss of life—something that would almost certainly garner a declaration of war.[30] Warfare has changed, cyber operations can no longer be relegated to the sidelines. Cyber, like aviation in the early 20th century, is not fully utilized and the nations who bring it to its full potential will become major players in future conflict. As former Estonian President Toomas Ilves said, “you don’t need to physically attack a country to debilitate it”.[31] Chief of Naval Operations, Admiral Gilday captured it perfectly when he said “We’re not fighting an enemy that people can see, and we’re not fighting a war where international norms exist. But make no mistake, we are in conflict day-in and day-out in the cyber realm.”[32] Our modern world doesn’t care much about formal declarations of war and strictly classifying actions.

Though the U.S. has been slow to respond, there are many changes to the National Security Strategy that, if incorporated now, would counter adversarial strategies and better defend the Nation. First, the U.S. should re-establish the United States Information Agency. Second, learning from Estonia, the U.S. must establish programs to teach people how to implement better cybersecurity and recognize disinformation. Third, the U.S. needs to incentivize the overhaul of legacy systems and better cybersecurity posturing. Fourth, the U.S. must grow cyber expertise in the military and better integrate cyberspace operations with kinetic forces.

A NEW UNITED STATES INFORMATION AGENCY COULD COORDINATE INFORMATION DISSEMINATION GOVERNMENT WIDE AND HELP TO ENSURE THE TRUTH IS AVAILABLE WORLDWIDE.

Dissolved in 1999, the United States Information Agency served to consolidate and coordinate “all of the foreign information activities.”[33] The agency operated many programs such as the Voice of America, Radio Free Europe, and more. These programs disseminated accurate information and helped combat the USSR who was notorious for disinformation and propaganda. The coordinated effort helped U.S. interests abroad. While the world has more access than ever to information thanks to the Internet, balkanization, censorship, and disinformation campaigns make it difficult for individuals to know what is true. Not to mention a growing distrust of major media outlets which pander to their audiences for ratings rather than maintain journalistic integrity. A new United States Information Agency could coordinate information dissemination government wide and help to ensure the truth is available worldwide. The U.S. cannot stoop to the level of China and Russia. It must instead be a bastion of truth. A coordinating body is needed to maximize the impact of this information. The Department of State’s recent fumbling of a campaign to raise awareness and gather information on election meddling highlights the need for better coordination.[34] With human psychology, information systems we’ve become so reliant on being used as weaponry, and the sheer scale of these campaigns, it’s easy to see the need for a coordinating body.

Cybersecurity and Infrastructure Security Agency 

The United States Information Agency would also be a good candidate to lead the second initiative, teaching individuals how to recognize disinformation. In a joint effort, the United States Information Agency and the Cybersecurity and Infrastructure Security Agency could take lessons from Estonia and push similar initiatives. Issuing digital certificates to every individual and company, improving their cybersecurity posture, and launching education programs are just two examples of the many successful efforts that are keys to Estonia’s success.[35] While the cost would be significantly higher for the U.S. than Estonia, the benefits of such a program would be exponentially greater. With costs for cybercrime alone costing upwards of five trillion dollars worldwide annually, and over one hundred billion in the U.S., even small improvements would cover the cost of the effort.[36] When security becomes ingrained in society, mistakes from government employees allowing incidents like the Office of Personnel Management hack and other attacks that allowed China to steal trillions of dollars worth of research on platforms like the F-35, will become less frequent.[37]

Additionally, the United States Information Agency and Cybersecurity & Infrastructure Security Agency could work with major technology platforms to combat disinformation. Assisting private companies in removing disinformation and accounts creating that sort of content would benefit from direct coordination with the government. Large platforms have shown that they will take these actions themselves, at least to some degree.[38] Facebook has even gone so far as to purchase and use exploits to help the FBI arrest people abusing its platform.[39] If the Cybersecurity & Infrastructure Security Agency were able to partner directly with the private sector, great strides could be made in defending the American people. Doing so would not take too much effort as many major companies already maintain a small cadre of personnel with security clearances, which could help facilitate this collaboration.

WHILE THE U.S. IS ALREADY AT WAR, IF IT CAN INCORPORATE AND PRIORITIZE THESE FOUR ACTIONS IN THE NEW NATIONAL SECURITY STRATEGY IT WILL BE SIGNIFICANTLY BETTER POSITIONED TO COMPETE, DEFEND, AND FIGHT WITH INFORMATION WARFARE.

Next, the U.S. needs to remove legacy systems. The insurance industry is attempting to improve cybersecurity with companies like Resilience offering incentive rates for significant security improvements.[40] The U.S. could similarly incentivize industries with tax breaks or preferential treatment in contract negotiations for taking steps to improve cybersecurity. This would push utility companies to make necessary upgrades or incentivize manufacturers of Industrial Control and Supervisory Control and Data Acquisition systems to build security into their products.

Finally, the Department of Defense needs to continue to grow its cyber force. U.S. Cyber Command has come a long way in demonstrating its value, conducting operations, and even helping the information security community through malware disclosures.[41] This momentum needs to be seized upon. As U.S. Cyber Command continues to hone its craft, it needs to start integrating with the more traditional parts of the military. Special Operations Forces are the obvious first candidate for integrating with cyber operations. Special Operations personnel are already asked to do more than the average unit and often are the first to experiment with new technology. The innovative and can-do mindset present in these units combined with the many unique skills and cross-training these units receive creates the perfect environment for the military to experiment with cyber and kinetic operations integration. Add in Special Operations’ history of psychological operations and influence campaigns which are already considered Information Warfare, and cyber becomes the logical next step for bringing the force into the future. Eventually the U.S. will need to realize the goal of integrating cyberspace operations with every operational branch of the military from infantry and armor, to ships, aircraft, and spacecraft. Furthermore, retired Admiral James Stavridis articulates the argument for a separate cyber branch of the military.[42]

While the U.S. is already at war, if it can incorporate and prioritize these four actions in the new National Security Strategy it will be significantly better positioned to compete, defend, and fight with information warfare. Adversaries will avoid a direct conflict and instead seek to leverage information warfare to undermine the U.S. and gain a dominant global position. A strategy enabling the U.S. to fight back must incorporate the rebuilding of the United States Information Agency, lessons from Estonia, incentivize the overhaul of our legacy systems, and fully integrate cyberspace operations throughout the military.

No comments: