The U.S. Needs a Cyber Strategy Designed for Defense | Opinion

Cyber warfare is a new arrival to the foreign policy toolkit—so much so that our government seems uncertain of how to classify it. Should we think of cyberattacks like sanctions? Airstrikes? Espionage? Is "warfare" a misnomer?

Though any terminology will have its flaws, cyberattacks are best considered a scalable tactic than can function as a weapon of war, a weapon—like any more conventional weapon—whose use by the United States should be subject to constitutional oversight, constrained by rules protecting innocent civilians and designed for defense.

Thinking of cyberattacks as potential acts of war is perhaps counterintuitive. In common parlance, a "cyberattack" can be anything from phishing to ransomware, to hacking social media accounts, to denial of service attacks, to mass leaks of personal data or communications, to meddling in foreign elections via voter manipulation or sabotage of election results, to shutting down power grids, to damaging nuclear centrifuges, to remotely causing explosions or disabling enemy defenses. If the "internet of things" expands and self-driving vehicles go into widespread use, the destructive potential of cyber warfare will increase apace.

It is difficult to imagine a scenario in which phishing would be deemed an act of war—but blowing up a car or building, especially if the explosion kills people or damages national security infrastructure, is no less grave an act because the weapon of choice is digital. We can't draw a neat line between cyberattacks which may or may not be received by their targets as warfare: Damage to major utilities or political turmoil caused by election meddling are as capable of claiming lives as are explosions.

This scalability introduces a level of uncertainty absent with more conventional weapons and techniques, and that uncertainty makes restraint and accountability in the use of cyber warfare in U.S. foreign policy all the more important.

Constitutional oversight is a necessity. President Donald Trump has loosened prior administrations' cyberattack policies so the CIA can conduct cyber warfare at its own discretion, without presidential permission or any involvement by Congress. "Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government," an unnamed former U.S. official told Yahoo! News. After Trump's changes, "as long as you can show that it vaguely looks like the [target, a category that can include religious institutions and charities]...,then you're good."

This laxity is a mistake that puts U.S. security at risk. The CIA has already used its new power for "a combination of destructive things—stuff is on fire and exploding," that official said, "and also public dissemination of data: leaking or things that look like leaking." This is the kind of behavior that could easily plunge us into war—but the Constitution assigns the power to initiate war exclusively to the legislature, and the role of commander-in-chief to the president. Shifting those responsibilities to an intelligence agency that by nature operates in secrecy, away from public debate, is a dangerous and undemocratic abrogation of duty. The American people and military should never be at risk of finding ourselves committed to a conflict started by bureaucracy.

NSA headquarters in Maryland, viewed in 2010
NSA headquarters in Maryland, viewed in 2010 SAUL LOEB/AFP via Getty Images

Also vital are civilian protections, like those for other weapons of war. Microsoft president Brad Smith has argued for a "Digital Geneva Convention," which would "call on the world's governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure, whether it's of the electrical or the economic or the political variety," and that "they will not stockpile vulnerabilities," concealing them from private parties who could repair those problems (i.e., the companies whose software has been found to be vulnerable).

An international convention may not be feasible or even desirable, but we don't need it for the United States to codify such commitments in our own laws to protect civilians here and abroad. CIA and NSA stockpiling of software vulnerabilities has already made dangerous cyberattacks possible. This practice detracts from our security and that of our allies.

Lastly, beyond these procedural and humanitarian constraints, U.S. use of cyber warfare should be predicated upon a strategy of defense, not offense. "Across the U.S. federal government," Reuters has reported, an incredible "90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure."

This is exactly backwards—and remarkably reckless. That funding should be diverted to defensive measures immediately. This would include hardening online targets, as Cato Institute scholars Brandon Valeriano and Benjamin Jensen argue in their 2019 analysis on restraint in digital defense. Hardening measures "can range from employing 'white hat' hackers, ethical computer hackers who penetrate systems in order to identify vulnerabilities, to updating cyber defensive systems regularly," they note, as well as better educating federal staff about the nature of digital threats.

Securing major infrastructure and weapons systems is particularly important. The Government Accountability Office reported in 2018 that "from 2012 to 2017, [Department of Defense] testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, tests were able to take control of these systems and largely operate undetected." In this context, that 90 percent figure represents utterly inexcusable negligence. Contrary to the usual sports platitude, as Valeriano and Jensen contend, "in cyberspace, the best defense is actually a good defense."

Absent those improvements, our government's cyber defenses are far from what they should be, as the Office of Personnel Management hack of 2016 and this year's attack on the Department of Health and Human Services demonstrated all too well. Instead of actively courting conflict that could well escalate into a shooting war, Washington should focus on making its own house secure. Stop playing hacker abroad and shore up our defenses, particularly while fears of foreign election interference run high across the political spectrum. Make cybersecurity a source of strength instead of risk by ending our programs of aggressive meddling in other nations' digital space and precluding their meddling in ours.

Bonnie Kristian is a fellow at Defense Priorities and contributing editor at The Week. Her writing has also appeared at CNN, NBC, USA Today, the Los Angeles Times and Defense One, among other outlets.

The views expressed in this article are the writer's own.