How Inadequate American Responses to Cyber Attacks Impair Foreign Policy

By Nils Peterson

Problem

In the modern era, warfare goes beyond air, land, and sea to include cyberspace. This new realm of war forms a central part of American military force because computers undergird the United States’ ability to wage war. The ability to use cyberspace to launch attacks against America from a distance also bolsters the United States’s enemies’ capacity for warfare. Hacking that has physical consequences or steals vulnerable information permeates this cyber world, as seen by the 2010 Stuxnet attack, attributed to joint Israeli and American efforts, on an Iranian nuclear facility. (Nakashima and Warrick 2012) Furthermore, the United States’s weak and inadequate responses to cyber attacks by foreign state actors on civilian companies and industrial control systems substantially impair the future efficacy of American foreign policy.

By attacking civilian infrastructure hackers undermine the United States’ ability to secure its data. This hacked data gives future tools to foreign nations to repeatedly interfere in the political process of the United States. For example, in 2017 the Chinese government hacked Equifax and stole sensitive information such as the Social Security numbers of 147 million Americans. (Barrett 2020) China could attempt to blackmail future political candidates with this data. By potentially forcing a candidate to support a different policy or be blackmailed, China could indirectly influence the grand strategy of American foreign policy. China’s ability to leverage the hacked information to recruit spies should not be discounted. 

Hacked data also gives future tools to foreign nations to threaten the military-industrial complex, the close association of the government with leading companies who produce armaments, that is central to America’s ability to wage war. Russia turning off the power grid, and thus their industrial control systems, in Ukraine in 2015 (Summers, Walstrom, and Park 2019) demonstrated how to bring life for ordinary citizens to a standstill. If this occurred in the United States, companies like Boeing and Lockheed Martin would not be able to produce necessary military equipment. Furthermore, without power there is no internet. This would be a massive blow to the United States military bureaucracy’s ability to function and decrease its ability to respond quickly to threats around the world. In 2017 the virus NotPetya, created by Russia, hit the shipping giant Maersk, and almost forced the company to close. (Greenberg 2018) American companies, even giants essential to America’s war effort like Boeing and Lockheed Martin, are not immune to the same type of attack. 

Lastly, in 2018 NATO Secretary General Jens Stoltenberg declared a serious cyber attack against a member nation to be grounds for triggering Article 5. He specifically mentioned the level of attack necessary to trigger Article 5 would remain vague so as not to prompt attacks immediately below that threshold. (Stoltenberg 2018) The organization’s reprisal strategy, not necessarily limited to cyberspace, also remains vague for the same reasons. Notably, it may no longer be possible to limit a cyberattack to cyberspace as seen by the National Security Agency’s (NSA) cyber attack with the Stuxnet virus in 2010 that destroyed Iranian centrifuge tubes used in enriching uranium. (Lauder 2016)

Recommendations

The United States government should invest in research that aims to increase the resilience of civilian and government organizations. Resilience refers to an entity’s ability to regain operational capacity after a cyber attack. Even the most heavily protected data will be hacked, as seen by the 2016 hack of the NSA by a group known as Shadow Brokers. (Shane, Perlroth, and Sanger 2017) Increasing resilience and decreasing the incapacitating effects of cyber attacks would decrease the incentive for targeting the United States. 

The government’s investment should start by focusing on research in industrial control systems, necessary equipment for power grids around the country. In 2007 a staged cyber hack demonstrated the ability to set a diesel generator on fire. (Love 2017) Since this time, hackers’ abilities to exploit bugs and zero day flaws, which refer to vulnerabilities in a system that give the operators no time to release a patch once exploited, have increased dramatically. The investment focus should be geared toward improving response time to zero day flaw exploitations because these threats are the most dangerous to America’s power grid.

To address the threat of foreign state actors stealing or attempting to destroy data from civilian companies the United States government should partner with companies like Boeing and Lockheed Martin to run annual cyberwar games similar to Locked Shields, an annual international cyber defense competition. This would expose the cybersecurity flaws of the private sector. Furthermore, it would allow the government to intervene during a cyber attack in the most efficacious manner because it knows the same information regarding the attacked vulnerability as the private sector.

Lastly, the field of cybersecurity changes rapidly, and given its highly technical nature, threats may not be identifiable to untrained individuals. Thus, a fund to be used for running diagnostic tests during times of emergencies should be set up and made available to all appropriate cyber security governmental personnel. Ensuring the bureaucratic measures to access this fund remain negligible is crucial due to the time sensitive nature of cyber warfare.

Conclusion

The United States government should invest in research that aims to increase the resilience of civilian and government organizations. Specifically, the investment should target improving the security of industrial control systems, which undergird the American electrical grid. To ensure the flexibility of the American response to threats in cyberspace, it is warranted to establish a fund to be used for all necessary diagnostic testing during times of crisis. Previous American responses to hacking were inadequate in discouraging future cyber-attacks. For an efficacious future foreign policy the United States must deter any form of cyber aggression that affects American interests. This mandates investment in developing America’s resilience regarding cyber attacks.

Bibliography

Barrett, Brian. 2020. “How 4 Chinese Hackers Allegedly Took Down Equifax.” Wired

Greenberg, Andy. 2018. “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” Wired.

Lauder, Jo. 2016. “Stuxnet: The Real Life Sci-Fi Story of ‘the World’s First Digital Weapon’.” Triple J. Australian Broadcasting Corporation.

Love, David L. 2017. “Cybersecurity: Industrial Control Systems and the U.S. Electric Grid.” MS&E 238 Blog. Stanford University.

Nakashima, Ellen, and Joby Warrick. 2012. “Stuxnet Was Work of U.S. and Israeli Experts, Officials Say.” The Washington Post

Shane, Scott, Nicole Perlroth, and David E. Sanger. 2017. “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core.” The New York Times

Stoltenberg, Jens. “How NATO Defends Against the Dark Side of the Web.” Wired.

Summers, Julia, Michael Walstrom, and Donghui Park. 2019. “Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks.” The Henry M. Jackson School of International Studies.


Also published on Medium.