US losing dominance in cyber war

After decades of unquestioned global security dominance, the United States is now grappling with an uncomfortably level playing field in one of the world’s most dangerous arenas – cyber warfare.

The news last week, which is expected to continue through this week and be part of the discussion at the confirmation hearing for retired Gen. James Mattis as secretary of defense, has focused an enormous amount of attention on Russia’s attempts to influence the American presidential election. Alongside a dispute between what appears to be a unified U.S. intelligence community and President-elect Donald Trump, recent hearings have made it clear that the cyber threat from other state and non-state actors seeking to damage the United States is much wider than previously believed.

The United States has been a lone global military superpower since the collapse of the Soviet Union, but officials have noted that the new cyber warfield is cheap to enter, relatively easy to work in and doesn’t necessarily favor the massive advantages the United States has maintained in conventional security.

As National Security Agency director Adm. Michael Rogers said during a Senate Armed Services Committee hearing, “Those who would seek to harm our fellow Americans and our nation utilize the same internet, the same communication devices and the same social media platforms. . . . We’re watching sophisticated adversaries.”

Later, he would add the U.S. need for “speed, speed, speed.” The cyber threat, like the rest of the cyber world, is “ever-evolving” and favors the agile. In that world, the advantages the United States has in outspending the rest of the world – by a wide margin – on defense becomes less important.

Consider that the primary cyber threats to the United States come from the same places that remain the primary non-cyber threats, what are known as “4+1,” or China, Iran, North Korea, Russia and the Islamic State/al Qaida. Combine the military spending of those four nations and the terrorist organizations, and the United States outspends them by more than 2 to 1.

The topic is expected to come up Thursday when Mattis, Trump’s nominee to head the Pentagon, appears before the Armed Services Committee. While Mattis, a retired Marine general sometimes nicknamed “Warrior Monk,” hasn’t often addressed the cyber threat, he did when appearing before the committee in 2011. His comments at that time weren’t particularly revealing, though. “As we adapt to a thinking adversary,” he noted, then later asked for funding for “the flexibility to rapidly and proactively counter new, emerging and future threats.”

Jacqueline L. Hazelton, a security expert at the U.S. Naval War College, wrote in an email response to McClatchy’s questions that the cyber world might not make it possible for others to topple the United States, but smaller goals have become easier to reach.

“There are important ways in which cyber generally can level the playing field because it favors mind over mass and matter,” she wrote. “There are a lot of quite clever people in other states besides the United States who are devoting their lives to cyber.”

That doesn’t mean the United States isn’t formidable in the cyber world. And it doesn’t mean that the cyber world exists in a vacuum.

In an email answer to questions, cyber security expert Jon R. Lindsay at the University of Toronto, said it was important to remember that the cyber world exists within the non-cyber.

“Is the playing field leveled?” he wrote. “Many people think so, but I think that incumbents have tremendous advantages here because the planning requirements are considerable and cyber is most useful when combined with other forms of power.”

Still, Lindsay made the point that “many people can do things today online that were really expensive yesterday.”

Director of National Intelligence James Clapper said change in reality required different rules.

“Cyber is different than a nuclear threat,” he said. “You can’t see it and evaluate. It’s ephemeral. . . . This is a tool that doesn’t cost much, and sometimes is hard to attribute.”

He added about the improvement in American efforts to counter cyber attacks: “Our security is better, but it’s still not good enough.”

That’s the sort of language that often accompanies a request for increased funding. Clapper did suggest U.S. intelligence could use “a supercharged U.S. Information Agency” to help in the global information war. Clapper, though, is retiring this month and senators were asking him for ways to help in this effort.

Consider the efforts to deal with the threat posed by the 4 + 1 group.

Beyond the debate on the Russia effort to use hacking, propaganda and misinformation by spreading fake news on social media, there is a recent NATO report that found members and supporters of the Islamic State “have both cultivated our appetite for their content war and dominated it almost exclusively, unopposed. . . . Western military forces – in most cases – are in fact anti-social. There is no real intention of engagement, no replies to comments or tweets. We busy ourselves measuring likes, comments, shares, retweets and reach but the parade of shallow vanity metrics being delivered in reports as a solid return on investment does little to measure or quantify the actual strategic effect applied.”

In other words, Western nations with vast advantages in resources are losing in the cyber area of social media. The result has led to a global brand awareness, which has boosted the terrorist organization’s recruitment.

Meanwhile, North Korea was blamed in 2014 for hacked email accounts at Sony Pictures Entertainment. In that case, hackers had threatened terrorist attacks on theaters showing the movie “The Interview,” a comedy about a fictional plot to assassinate North Korean dictator Kim Jong Un.

The Chinese military espionage group People’s Liberation Army has been suspected for years of using cyber warfare to spy on and hack into American defense installations as well as steel, nuclear power and solar power companies. At the Senate Armed Services Committee hearing last week, Clapper noted there had been an overall reduction in Chinese hacking attacks, however.

Still, Clapper said: “Our adversaries are pushing the envelope.”

What the threat of cyber warfare provides them is the ability to cause havoc in America without necessarily being detected. In the discussion on Russia interference in the U.S. elections, the intelligence officials have made it clear that they have no way to gauge the effectiveness of the attack, and there are no voices being raised to consider changing election results.

Instead, it is what this attack says about U.S. cyber security, and vulnerabilities, that is worrying. Sen. John McCain, R-Ariz., insists that the United States doesn’t really have a strategy for how to react to a cyber-attack, or what even constitutes an act of cyber-warfare.

“What seems clear is that our adversaries have reached a common conclusion, that the reward for attacking America in cyberspace outweighs the risk,” he said at the hearing. He added that if that trend is not reversed, the frequency and intensity of attacks “will only grow.”

At the Senate Armed Services hearing, Sen. Lindsey Graham, R-S.C., got into a brief exchange with Rogers, one point of which summed up the general concern.

Graham asked Rogers and Clapper whether the Chinese, Iranians and North Koreans were all capable of repeating the aggression Russia showed in trying to interfere with the elections, and was told yes in each instance.

He then asked, regarding the possibility of cyber attacks against the United States: “Is this going to stop until we make the cost higher?”

“We have got to change the dynamic,” Rogers answered. “Because we’re at the wrong end of the cost equation.”

Matthew Schofield: 202-383-6066, @mattschodcnews