The U.S. Department of Defense Cyber Strategy, a report released April 23, highlights the government's efforts thus far in realizing its role in cyberspace since the publication of its first formal strategy in 2011. The United States already has clearly demonstrated its technological edge in conducting espionage and sabotage online, as with the Stuxnet attack against Iranian centrifuges in 2008. However, the U.S. military's capabilities in the potential war-fighting domain of cyberspace do not equal its land, sea and air dominance. The Pentagon's cyber strategy focuses on this reality as much as it does on further incorporating cyberspace capabilities into its military structure. While the Department of Defense recognizes cyberspace as an operational domain, it also recognizes that it must share this domain to safeguard U.S. interests.
U.S. Cyber Capabilities
The U.S. government, with the Department of Defense leading the way principally through the National Security Agency, began developing and employing offensive cyber capabilities — acts of espionage and industrial sabotage — years before formally defining cyberspace as an operational domain. The scope of past U.S. intelligence operations in cyberspace was revealed by Edward Snowden's leaks and the demonstrable efforts to sabotage Iran's nuclear program. However, the Pentagon's capabilities do not safeguard its own information technology infrastructure and have generally been ineffective in defending U.S. interests in cyberspace.
To discourage cyber attacks, the U.S. government has used the threat of economic sanctions, criminal prosecution of foreign state officials, and the prospect of physical military action stemming from its 2011 declaration that cyber attacks constitute an act of war. Yet, aside from the prospect of physical military action or economic sanctions, the U.S. government still lacks any effective deterrence to cyber attacks. These breaches continually cause financial losses for the U.S. private sector, and state and non-state actors continue targeting government institutions. To defend in cyberspace (rather than engaging strictly in espionage), the military must play an auxiliary role in a domain it must share with other government organizations and the private sector.
The U.S. military's capabilities in the potential war-fighting domain of cyberspace do not equal its land, sea and air dominance.
The private sector owns and operates roughly 90 percent of the physical infrastructure that constitutes the abstract world of cyberspace. Though the Pentagon has proved resourceful in researching and exploiting new vulnerabilities in cyberspace, it lacks the authority to ensure that U.S. interests are protected against such exploits. In other words, the United States' ability to conduct espionage and sabotage in cyberspace depends on the same types of vulnerabilities that threaten its own economic interests. To rectify this, the Pentagon's top priorities in developing its cyberspace strategy focus on defense — namely partnering with domestic government agencies and the private sector to ensure that U.S. interests are safeguarded from cyber attacks by foreign state and non-state actors.
Not all countries that employ offensive capabilities and espionage in cyber space — such as China, Russia, Iran or North Korea — face the same dynamics in defending their own information technology infrastructure. The Chinese government, for instance, maintains strict control over the network infrastructure and the information passing through it within its borders. This allows for much greater control over its security of the network technology, though it stems from China's particular concern for social control.
The Pentagon's Limitations
Protecting U.S. economic interests abroad has been one of the U.S. military's tasks since its inception. However, defending commercial activity that takes place on the Internet involves a different skill set and political constraints than, say, safeguarding international sea lanes. Both the U.S. military and law enforcement face a complex landscape in cyberspace, where their jurisdictions are complicated by the global nature of the Internet's infrastructure and the U.S. distinction between private and public ownership. This situation is not likely to change much, because any efforts to expand law enforcement or military jurisdiction or authority likely would face significant opposition in the United States.
This lack of authority over infrastructure is just one barrier for the military in dominating cyberspace. Though the Internet's inception was rooted in defense research and development, the increasing importance of the Internet to global commerce and the abstract landscape of cyberspace are shaped by both the private sector and popular use. In 2000, 400 million people were using the Internet; that number will grow to some 3.2 billion by the end of 2015. The very nature of the Internet — once a collection of a few networked computer terminals — has rapidly evolved to encompass nearly every facet of life through an increasing number of different devices that communicate over the global network as part of the Internet of Things. New technologies, and thus new vulnerabilities, are constantly emerging in cyberspace — innovations around which the Department of Defense must continually adapt.
Any efforts to expand law enforcement or military jurisdiction or authority likely would face significant opposition in the United States.
By partnering with the private sector, the Department of Defense can help maintain stronger situational awareness of the ever-changing landscape. The Pentagon may lack the authority to enforce security compliance in the private sector, but it is in an advantageous position, particularly given the power of the intelligence community, to advise the private sector about the current technical vulnerabilities that permit cyber attacks. This kind of cooperation requires the will of individual actors in the private sector and large corporations that also often rely on overseas infrastructure, which can complicate partnerships. However, the Pentagon's own communications rely on numerous networks, many of which can fall victim to malware propagated on the Internet. In its latest cyber strategy report, the Department of Defense admits it lacks the "visibility and organizational structure" to defend such networks, furthering the need for partnerships in defending its cyberspace interests. The dynamics behind this need are not likely to change in the foreseeable future.
The Challenging Nature of Cyber Attacks
In cyberspace, attacks and espionage are conducted independent of geographic range, and expenses are often negligible compared to physical spying or acts of aggression. For example, a distributed denial of service attack against a U.S. company relying on its Internet presence for business can be organized by a small group of individuals at little expense, particularly compared to the resources necessary to even investigate the authorship of such an attack. The impact of cyber attacks is far greater on developed countries with greater reliance on the Internet — a fact that gives state actors in the developing world and non-state actors a significant advantage. On Dec. 22, 2014, for example, an unidentified actor isolated North Korea from the global network via the country's weak link in China, possibly in retaliation for the 2014 cyber attack on Sony Pictures Entertainment, which the U.S. government publicly attributed to North Korea. Whether or not the incident was tied to the Sony attack, the effect of isolating North Korea — which only retains around 1,000 unique Internet Protocol addresses — was minimal.
The asymmetric nature of threats in cyberspace, including potential attacks by non-state actors, makes employing an effective deterrence more challenging for the Department of Defense. Economic sanctions and military responses are less useful against common threats from lone hackers, organized crime and activists. Even distinguishing attribution of a specific attack between state and non-state actors can be a daunting task. For example, though the U.S. government appears confident in blaming North Korea for the Sony hack, many cyber security analysts still question the validity of the accusations.
There is no doubt that the Pentagon has been aggressively seeking ways to improve its capabilities in cyberspace. Its latest cyber strategy report highlights how the Department of Defense wants to further integrate its growing capabilities within its traditional combatant command structure. As the U.S. military continues to embrace cyberspace as a domain, it will find that its traditional role in other operational areas does not necessarily translate to this new and increasingly critical territory. Thus, the military will share cyberspace defense duties with other government agencies and the private sector in an effort to protect U.S. economic interests and the military's own networks.