The recently published final report from the United States government’s Defense Science Board Task Force on Cyber Deterrence paints a grim picture that is very much in line with casual perceptions from news over the last 18 months – that Russia and China have obtained, and are maintaining, a significant lead in capabilities for critical cyber attacks against the West.
The report states that foreign cyberweapons capabilities ‘far exceed’ the United States’ ability to defend its own critical civil and military infrastructure.
‘[Major] powers (e.g., Russia and China) have a significant and growing ability to hold U.S. critical infrastructure at risk via cyber attack, and an increasing potential to also use cyber to thwart U.S. military responses to any such attacks. This emerging situation threatens to place the United States in an untenable strategic position. Although progress is being made to reduce the pervasive cyber vulnerabilities of U.S. critical infrastructure, the unfortunate reality is that, for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States’ ability to defend key critical infrastructures.’
The findings also advise that secondary superpower threats such as North Korea and Iran have ‘growing potential’ to use native or third-party cyber-weaponry to carry out ‘catastrophic attacks’ on United States infrastructure across the board.
It further states that more minor nation states, similarly enabled by easy access to distributed cyberattack methods, could cause significant aggregate damage over a sustained period, even though they are individually unable to severely compromise the U.S. economy. The report characterises this as ‘death by 1,000 hacks’.
The report recommends a three-point strategy as an ‘urgent priority’. First is ‘tailored’ responses to specific threats from individual nations or groups, with the board surmising that ‘one size will not fit all’ in this respect. Secondly, it recommends particular attention to bolstering the defences of the ‘thin line’ of core U.S. missile strike systems, with acknowledgement that the underpinning public infrastructure is critical to this aspect. Finally, the report recommends an enhancement of the base capabilities for cyberwar in both the Department of Defense and the U.S. government in general; in this respect it notes the need for improvement in attribution, i.e. the potential to know at least from which nation state a cyber-attack originated.
The report repeats a common allegation that the U.S. military’s various facets are not working in concert against the diversity of challenges in cyberwarfare. Last week, former commander of U.S. Cyber Keith Alexander commented on the isolation of the FBI, the defense department, the Department of Homeland Security and intelligence communities like the CIA:
“It’s not working. There are four stovepipes… If we were running this like a business, we’d put them together. You also have all these committees in Congress looking at all this, and it’s messed up.”