The United States might not be quite as far ahead of other nations in terms of cyber capabilities as many people think – including potential rivals in the Asia-Pacific, analysts say. It should be a sobering thought for US policymakers at a time when national security analysts around the world have grown increasingly vocal over the proliferation of offensive cyber capabilities by state and non-state actors.
‘There are definitely concerns about cyber warfare proliferation,’ says Kristin Lord, vice president at the Center for a New American Security, who says she believes that Americans need to take the threat seriously. ‘This isn’t like missiles, which require transporting large materials that can be detected. We are talking about knowledge and code.’
China, Iran, North Korea and Russia are all seen as likely possessing offensive cyber capabilities that can inflict serious damage on the United States and its allies. The question is whether they also have the intent to proliferate these capabilities on the black and grey markets.
According to Lord, the United States is particularly concerned about scenarios involving collaboration between criminal groups (motivated by financial gain) and state adversaries (wanting to advance their national security interests). ‘We’ve already seen indications of states using criminal groups as proxies for attacks. We also know that countries like North Korea are aggressively trying to develop their cyber capabilities,’ she says. ‘The open black market, which already exists in the criminal world, is therefore a big concern. It provides a place for states and criminals to find each other.’
Robert Giesler, a senior vice president and cyber security director at technology applications company SAIC, says the threat of proliferation is exacerbated by the fact that the technical gap between the United States and its potential adversaries may not be as wide as Americans often like to think. ‘It’s a dangerous assumption to believe that the US is far ahead in cyber capabilities,’ he says. ‘There’s a low barrier of entry in this market. We should never use the term dominance in cyber when a 16 year-old can still launch an effective cyber attack.’
Faced with such a complex domain, what can the United States do to mitigate the risks posed by foreign cyber capabilities?
One answer would be to significantly ramp up US investments in defensive capabilities. According to Giesler, the United States is certainly already further along in defensive cyber security practices and capabilities than the rest of the world. However, Lord cautions that the United States ‘can’t put a protective wall around every possible target. Unlike terrorism, the number of potential targets is almost infinite and not limited by geography.’
Another option would be to invest in developing offensive capabilities. After all, attack is often said to be the best form of defence. Yet many analysts privately question whether the United States may already have lost its advantage in this space. Given that offensive cyber capabilities remain ‘some of the most closely held secrets’ in the world, Lord says it’s difficult to know whether this is true or not. But this is driving black hole decision-making based largely upon classified intelligence briefings.
Ultimately, offensive capabilities provide some form of deterrence in the cyber domain, which is driving investment in this space. However, analysts also point out that offensive capabilities are not the only effective form of deterrence available. For example, Lord argues that the United States should ‘invest a lot more in recovery and reconstitution. Redundancy provides a new form of deterrence.’
In the years ahead, policymakers will also need to base their decisions around a shrinking federal budget. As a result, Lord thinks that the United States is ‘going to have to quickly set priorities, starting with what are the most important networks to protect.’
The real challenge will be for the United States and its allies to ensure they have accurate assessments of the threat posed by potential adversaries in the cyber domain when making decisions.
While Lord doesn’t believe that offensive cyber capabilities directed at the United States represent an existential threat on a par with a nuclear weapon, she and other analysts still contend that potential adversaries could inflict tremendous harm on the United States even with existing capabilities. For this reason, ‘intelligence agencies are spending a lot of time, for example, trying to assess China’s capabilities.’ However, Lord points out that these assessments can’t easily be verified.
This ambiguity necessitates a cross-domain deterrence that seeks to leverage not only offensive and defensive capabilities, but also effective diplomacy, to head off the cyber threat. ‘Diplomacy may ultimately be more effective’ than defensive and offensive capabilities, Lord says. But, for now, the United States is likely to continue both tactical and strategic investments in what is proving to be an increasingly hostile cyber threat landscape.