Until very recently, America’s battles have all been waged somewhere in physical space—on land, in the air, on water or in outer space. Many of these domains come along with inherent features that make life harder or easier in battle. History tells us, for example, that defenders generally have an easier time on mountains or hills with a view. Underwater, sound waves travel easily, so countries with the quietest submarines are more effective. And, in space, gravity sets boundaries on where you can go and when. To overcome these obstacles takes human ingenuity, but also a healthy respect for these environmental limits.
Americans are quickly learning now about a fifth domain: cyberspace. In some ways, this battlespace is the same as the others. It’s an arena where countries are competing with one another for political or economic advantage. But it’s also different in some fundamental ways. And how the world decides to use this space will go a long way toward determining how disruptive—or destructive—war in this domain will become. Michael Hayden, the former CIA director under President George W. Bush, believes the United States has a lead role to play in setting up man-made institutions to shape state behavior.
Unlike air, sea or land, Hayden told an audience at George Washington University Tuesday, cyberspace “is almost defenseless. There are no natural barriers up here in this domain.”
There are a few ways to solve this problem. One is to make some cyber activities prohibitively costly. The United States could, for instance, link cyber espionage attempts such as the kind China has allegedly committed with other issues in the U.S.-China relationship. As a start, lawmakers such as California’s Sen. Dianne Feinstein have complained directly to Chinese officials. But since Beijing doesn’t officially acknowledge its hacking activities, the United States might need to get more aggressive. Threatening to restrict the number of visas Washington gives out to Chinese nationals could be one way to deter further hacking, Hayden said.
A more significant step would be for Americans to decide how they want to be protected in cyberspace. It’s a more complicated problem than today’s debates over information-sharing and privacy currently capture.
Think about all the public services you use, directly or indirectly. There are rules governing each. When the cops come knocking, they need a warrant to search your house—but firefighters don’t generally need to ask to save your home. In other words, there isn’t just one best way to protect public safety online.
“Do you want it to be the way the military defends you?” asked Hayden. “The way law enforcement defends you? The way firemen defend you? The way the Centers for Disease Control defends you? Those are all models, they are all legitimate, they all work—in specific domains.”
For now at least, a broad consensus seems to be developing in favor of a more aggressive setup. A Washington Post poll last year found 50 percent of Americans in favor of heavy federal involvement in investigating cyber threats, even if it came at the expense of personal privacy. Only 38 percent thought otherwise. Meanwhile, the Pentagon has plans to dramatically increase the size of its cyber staff, though it’s not clear where all the manpower will come from. And as many businesses across the country are now becoming aware of gaps in their cyber defenses, Washington has been equally invested in going on offense. More and more, it looks as if the militarized model is taking over.
Yet even that approach contains pitfalls. Suppose the Defense Department gains access to a foreign network. Because it isn’t a large step from snooping around to wreaking havoc inside the system, taking that step becomes exceedingly tempting. And that’s true for any state. Setting up a world where checks against that temptation are easily violated raises the baseline risk of an accidental cyber war.
Thankfully, said Hayden, the vast majority of cyber problems the United States has dealt with so far have been attempts at cyberespionage—not cyberattack. And there’s a big difference between the two.
Colloquially, said Hayden, “we use cyberattack for anything unpleasant that happens to us on the Web. In my business, a cyberattack is someone using a weapon comprised of ones and zeros to effect damage. We don't call cyberespionage a cyberattack.”