LAS VEGAS — The term “cyber war” conjures mental images of hackers shutting down energy grids and hospitals en masse, but that’s not how cyberattacks have actually factored into recent armed conflicts, the U.S. military’s top cyber official said on Friday.
“There’s a huge difference between cyber war and then cyber in war,” Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, said during a talk at the DEF CON security conference.
When Russia invaded Ukraine, many national security experts expected the conflict to become the first example of a modern cyber war, with Moscow’s formidable keyboard warriors unleashing digital devastation on infrastructure throughout Ukraine — and possibly beyond. But thanks to extensive support from the U.S. and other Western countries, plus years of experience, the Ukrainian government was able to repel most of those attacks.
When the anticipated chaos didn’t materialize, people started arguing that cyber had failed to live up to its much-discussed promise as a domain of war. They called it “the dog that didn’t bark,” Eoyang noted.
“Actually, the dog barked at the volume of a normal dog,” she said. “It just didn't cause the Ukrainians to roll over and say, ‘Okay, you can take our country.’ It was not going to do that.”
The mismatch between expectation and reality partly stemmed from how the U.S. military originally envisioned cyber conflict.
When the Pentagon created U.S. Cyber Command in 2009, officials placed the new digital warfighting unit inside of U.S. Strategic Command, which operates the country’s nuclear arsenal. As a result, Eoyang said, nuclear doctrine “infected a lot of the ways in which we thought about the cyber domain.” Military planners assumed that concepts like mutually assured destruction applied to cyberspace the same way they applied to nuclear weapons. Cyber capabilities —like malware capable of wiping the computer systems running power grids— acquired the same fearsome aura as nuclear-tipped ballistic missiles.
At the same time, U.S. officials began thinking about cyber conflict almost exclusively in the context of all-out war. A perpetual question in national security circles is how bad a cyberattack on the U.S. would have to be to rise to the level of an act of war and thus trigger an overwhelming U.S. military response, potentially including a nuclear strike. But in focusing on those apocalyptic scenarios, Eoyang said, “We didn't really think as carefully about a whole range of [ordinary] activity that was happening every day,” including espionage and ransomware attacks.
Today, the Pentagon finds itself with more cyberattacks than it can possibly respond to. “It's a really big threat space,” Eoyang said. “We have a lot that we have to take on.” And because the military “can’t be everywhere all the time,” she said, officials have looked for ways to enlist support in repelling cyberattacks and crippling the computer networks that are launching them.
But with the exception of a handful of defense contractors, U.S. companies can’t legally launch cyberattacks against America’s adversaries on behalf of the government. Instead, the Pentagon has turned to its international allies. In recent years, Eoyang said, the government has ramped up its sharing of sensitive intelligence with foreign partners so that they can act on it. It wasn’t easy to figure out how to do this quickly and securely, according to Eoyang, but now that the U.S. government has cracked that code, it’s able to lean more on its allies and share the burden of conducting [defensive] cyber operations.
But the Pentagon faces another challenge, Eoyang said. Many government officials still don’t understand how difficult it is to craft a digital attack that can bypass the often-sophisticated defenses of countries like Russia and China.
When faced with a limited range of options for responding to U.S. adversaries’ threatening or dangerous behavior, Eoyang said, policymakers often ask the military, “Can you just give me a cyber option?” But “it takes time and preparation, it takes understanding, it takes engineering, it takes coding” to design a cyberattack, she said. “It’s not what I think a lot of people expect.”
The Pentagon is constantly reevaluating its approach to cyberspace, and military leaders recently submitted a classified version of their 2023 cyber strategy to Congress. Eoyang said that the military hopes to release a public version of that document soon.
No comments:
Post a Comment