America’s cyber security situation is in disarray. Ironically, the most technologically advanced country in the world is struggling mightily to protect itself and its interests in the digital domain. Recent events show that the pervasiveness and complexity of cyber threats are growing. At the same time, American cyber security efforts have been severely restricted by domestic and foreign political pressures. These pressures have left the United States more vulnerable to cyber attacks. If these trends continue, America will face increasingly serious threats from state actors and even more serious threats from non-state actors like terrorists.
Cyber security is a relatively new dimension of the national security apparatus. Its importance is tied to technological advancement and the increasing interconnectedness of the global community. In the 1990s, cyber security was a relatively unknown realm, at least to the public eye. The 9/11 attacks changed all of that by exposing the reality of backdoor weaknesses in a variety of national security areas. Today, cyber security merits its own page on the official White House website and its own division within the Department of Defense. Earlier this year, James Clapper, the Director of National Intelligence, testified before the Senate that cyber security is now the single most pressing national security threat—more so than Iran’s nuclear program, the Syrian conflict, or any other issue. Why? Because significant cyber threats are growing more pervasive and complex.
Major cyber attacks on American interests—both public and private—continue to proliferate. Just weeks ago, for example, Adobe Systems announced that hackers had stolen the financial records and other sensitive information of 2.9 million clients. Major American newspapers have recently been attacked by the so-called “Syrian Electronic Army,” a group friendly to Bashar al-Assad. Even the NASDAQ stock exchange was the victim of a hacking operation. Experts have also observed new threats targeting mobile devices and Internet-enabled cars. These changes—and scores of other unsettling events—illustrate the expanding reach and intricacy of cyber threats. The implications for America’s national security are profound: public stock exchanges vulnerable to hackers, a national power grid in danger of cyber attacks, and government agencies whose communications are at risk, just to name a few.
All of this is not lost on Washington. The federal government has even planned a large-scale drill for next month to simulate a potential cyber attack on the country’s power grid. But domestic and foreign political pressures have largely tied officials’ hands. The biggest blow to advancements in cyber security came from the Edward Snowden scandal. The National Security Agency, often considered the world’s most innovative cyber security organization, now faces enormous hurdles as it tries to maintain and expand its operations. Its plan to establish an extensive national cyber defense system was derailed by the Snowden revelations. Enraged reactions from allies like France, Mexico, Brazil, and the European Union have likewise put pressure on the NSA to curtail its surveillance programs. The Snowden incident has also dissuaded Congress from seriously considering important cyber security legislation this year. As public attitudes have become more sensitive to personal privacy, the cyber issue has become almost taboo in Washington. To add insult to injury, the recent government sequester and shutdown have undercut federal cyber security initiatives. This unpredictability discourages bright minds from joining government cyber programs. These myriad domestic and foreign political pressures have stifled improvements to America’s cyber security.
These setbacks in U.S. cyber security have left the country in a vulnerable position. Because the intensity of cyber threats continues to evolve at a rapid pace, any stagnancy in cyber capabilities allows America’s enemies to gain the upper hand. This is a serious blow to U.S. national security. The stakes are higher now because not only do adversaries like China, Russia, and Iran have sophisticated cyber capabilities, but these same technologies are also on track to become available to non-state actors like terrorist groups. “The trend in information technology is commoditization—products get smaller, cheaper and more powerful.” Until now, most state-sponsored cyber-attacks on American interests have been relatively limited in scale, considering the kind of damage that is possible. Foreign states seem to operate under the impression that there is some sort of limit to the amount of cyber conflict they can wage against American interests before the United States reacts with force. No such scenario has ever emerged, but it is reasonable to assume that a threshold of unacceptable cyber damage exists, even if it remains undefined by the United States. This appears to be a sufficient deterrent to state actors that could otherwise inflict more widespread damage. However, once terrorist groups have access to the same technology, the risks to U.S. national security will be much greater. A single terrorist cell could inflict significant damage on the power grid, disrupt the global economy via a stock exchange, or commit numerous other crimes on a large scale.
If these trends continue, the United States will have to shift its cyber strategy to concentrate on the non-state actor threat. At some point, terrorist organizations will be able to launch significant cyber-attacks against American assets. These attacks could well become preferable to more traditional tactics like bombings. The United States will also have to deal with increasingly complex cyber threats from state actors. In the absence of strong cyber security legislation—and if the stifling effects of sequestration and other political pressures continue—adversarial state actors will only be more incentivized to attack America’s digital assets. While the sheer scale of most state-sponsored attacks will probably not increase drastically, their potential effects will grow to include new targets like the stock market.
In order to counter these growing threats from both state and non-state actors, the United States must dedicate more funding to cyber defense programs. Proper oversight of these programs is another debate in and of itself; but in pragmatic terms, the country needs to encourage innovation in its cyber defenses. Because cyber security depends on continual innovation, it is important to insulate this sector of national security from across-the-board financial cuts like sequestration. Private-public partnerships and information sharing are also key to protecting both government and commercial assets. A voluntary information-sharing framework already exists, but Congress should strengthen this model through more forceful legislation. Timely action is important because much of America’s future security will depend on its current dedication to the cyber element.