© The HillThe long game: Why the US must rethink its cyber strategy
The massive SolarWinds hack sent shockwaves throughout the U.S. government and highlights some stark realities for the United States and its cyber-capabilities. With the intelligence community officially attributing the hack to Russia's foreign intelligence service, the implications are profound. A foreign adversary's ability to breach networks associated with crucial U.S. agencies, including the Departments of State, Defense, Homeland Security and more, and go unnoticed for nine months, is unprecedented and calls into question the effectiveness of U.S. cyber-defense.
State-sanctioned cyberattacks and espionage are not new phenomena, but they have increased at an alarming rate in recent years. With broad vulnerabilities across all levels of government and society, the United States must reevaluate its approach to advancing its interests while also protecting itself in this emerging fifth domain of war.
The United States should pursue a revitalization of its military and diplomatic approaches to cyber-warfare. The U.S. government's Cyber-Solarium Report asserts that the United States needs to actively "promote good behavior," foster better cybersecurity in order to defend national networks and deprive enemies of procuring any benefits, and "maintain the capability, capacity, and credibility to retaliate" should a cyberattack happen. While the report states that the U.S. must "defend forward," it is vague in defining a "proportional response to a cyberattack." For example, could nuclear weapons, as some Pentagon officials suggested, be appropriate?
Deterrence exclusively through cyberspace is not the solution. The United States must treat cyberspace as the fifth field of warfare. Some have suggested that the United States should establish a "Cyber Force" - a seventh branch of the U.S. Armed Forces that would ensure consolidation of resources and "unity of command," allowing the other military branches to devote resources to their "core warfighting domains."
But this logic is flawed because all U.S. military branches rely on cyberspace to conduct their operations, both strategically and operationally. Moreover, cyberspace is not a physical domain like the four others - it is virtual, and efforts to strengthen cyber-capabilities would focus on recruitment rather than the development of weapons systems. An enhancement and reorganization of U.S. cyber operations, through CYBERCOM, would fill the existing gap.
Under the U.S. Defense Department's (DoD) current structure, CYBERCOM is a unified combatant command that coordinates cyber operations across the military. The Joint Chiefs of Staff (JCS) should coordinate a modernization plan, a Joint Cyber Doctrine (JCD), for the organizational and functional structure of CYBERCOM. Doing so would enable the combatant command to study its vulnerabilities and strategic advantages.
Such a plan should include: recruitment and career advancement, training, individual and inter-branch command and control, and cross-military integration with key allies.
Recruitment is paramount to CYBERCOM's success. DoD must promote the recruitment of computer science and information technology college graduates. The private sector leads the way in recruitment, enticing employees with benefits and a relaxed culture. Serving one's country is enticing, but there need to be efforts to "rebrand" what it means to be a soldier - especially in cyberspace.
Moreover, CYBERCOM should be split from the NSA, primarily due to the NSA's prioritization of intelligence, which is distinct from offensive and defense cyber-operations. Different missions necessitate bifurcated organizational structures. JCD should outline structural changes optimizing coordination across the military branches, further integrating cyber-interests into the broader interests of the four other domains.
JCD must also define retaliatory measures for cyberattacks, reliant on in-depth coordination between local, state and federal governments, as well as requisite U.S. and international legal standards. Potential responses, coordinated by CYBERCOM, should draw on all military capabilities, not merely cyber, and JCD should specifically state the inter-departmental process by which retaliatory measures are determined. The deepening interconnectedness and growth of "smart cities" presents an influx of new targets for adversaries, and the federal government should be fully equipped to deter malign action.
Parallel to military organization, the United States should prioritize cyber-issues within the State Department, through actions rooted in the failed Cyber Diplomacy Act of 2018. An empowered independent office, headed by an ambassador-at-large, would be prudent. Cyberspace is lawless, and attempts to create "international rules of the road"
have been tempered. The absence of a well-resourced and ambassador-level cyber office in the State Department has handicapped U.S. pursuits of global cyber-interests, especially as China and Russia have prioritized shaping international rules and norms. The cyber ambassador and their office would further engagement with multilateral bodies and should be staffed by both technical and diplomatic experts.
Given the near impossibility of establishing an "arms control" treaty for cybers-weaponry, the United States, while needing to pursue all diplomatic avenues, must prioritize the revitalization of CYBERCOM's organizational structure. Doing so will address one of the greatest security challenges facing the United States and prepare the U.S. military for the future of warfare. Otherwise, shocking attacks such as SolarWinds will continue to devastate the U.S. government and allow its adversaries to move towards cyber superiority.
A'ndre Gonawela and Ryan Rosenthal are the co-founders and co-hosts of The Burn Bag, a national security and foreign policy-oriented podcast.