In the cyber realm today, the United States and other nations face the greatest mismatch I have ever seen between the extremely high level of threat and the very low level of preparation. We are headed toward a cyber Pearl Harbor—a harbinger of a crippling attack on the U.S. financial sector or energy grid—and we aren’t ready. Maybe only an incident of that magnitude will wake us up to the enormous danger we’re confronting, but I hope we don’t need to suffer through such an assault to address the risks.
There are seven billion people on the planet, but perhaps twenty billion (or more) devices connected to the internet. And there are already twenty-three victims of malicious cyber activity every second, according to a 2016 report from Norton. As Fletcher experts report in the pages ahead, we face risk at every level, from national security and critical infrastructure, to banking, to the most intimate details of our personal lives, which are far too often unprotected in the supercomputers we casually carry in our pockets and purses. Russia’s interference in U.S. politics is particularly troubling. Of all the threats our world confronts, only cyber cuts across so many dimensions.
We must make it harder, costlier, and more time intensive for our adversaries to attack us.
Although this is a global problem, the United States is the most visible, exposed, and lucrative target nation. While we have made progress, we need to defend against malicious cyber activity and deter belligerents with improvements on several fronts: a more robust military capability; better organization within the U.S. government; higher levels of societal education about the risks we face; better technology and equipment; and vastly improved private-public cooperation. We must make it harder, costlier, and more time intensive for our adversaries to attack us.
I would argue that it is also time for the United States to create a dedicated cyber force. While the individual services today—Army, Navy, Marine Corps, Air Force, and Coast Guard—are working hard, they are like five horses who can often pull in slightly different directions. The current distributed force not only breeds redundancies, threatens unity of command, and fosters unproductive competition, but it also dilutes the core competencies of our cyber planners, operators, trainers, and commanders. A new stand-alone cyber force would resolve these problems, as well as help recruit and retain America’s next-generation warfighters—a diverse pool of technical experts and social scientists who can navigate both virtual domains and Washington bureaucracy.
We must also signal both the capability and the will to use our cyber abilities. The United States has been reluctant to operate offensively, in part because of fear of compromising our intelligence community’s tradecraft, but cyber operations are a legitimate means of projecting national power. We must convince the world that we will use our cyber capabilities against those who threaten us. Anything less will embolden our adversaries.
There’s a lot of work left to do and the stakes could not be higher. Let’s get to it.
James Stavridis, F83, F84, former NATO supreme allied commander, is dean of the Fletcher School of Law and Diplomacy at Tufts University.
Estonia’s Cyber Unit Holds Lessons for a More Secure Online Future
By Heather Stephenson
The Baltic country of Estonia was subjected to an unprecedented cyberattack in April 2007, shortly after it removed a controversial Soviet-era war memorial from its capital. Over the course of three weeks, distributed denial of service attacks shut down government communications, ATMs, and media websites. The digital hostile takeover—Estonian officials attributed it to Russia, which denied involvement—was the first cyber assault to target the security of an entire nation, inspiring Wired magazine to dub it “Web War one.”
Tech experts from the private sector rushed to help their government respond. “They came out of patriotism; we didn’t pay them,” recalled Marina Kaljurand, F95, then the Estonian ambassador to Russia. The IT community, together with help from international partners including NATO, eventually contained the problem and got the country back online.
Inspired by its home-grown, high-tech volunteers, Estonia created a new group within its voluntary military organization the next year: the Estonian Defense League’s cyber unit. Made up of IT experts, lawyers, and economists, it stands ready to respond to online warfare, in the same way traditional military reservists are prepared to join active-duty forces.
Estonia’s experience offers a warning to other countries, and its cyber unit offers a model for response, said Kaljurand, who later became foreign minister of Estonia and is now the chair of the Global Commission on the Stability of Cyberspace, a nonpartisan policy group. “The attacks of 2007 were really primitive,” she said. “Now we are talking about WannaCry, NotPetya—we are talking about hacking democracy.”
The cyber unit has been embraced by Estonians, but there would be challenges in adopting it elsewhere. In the United States, for example, citizens tend to be less trusting of their government’s motives, and Silicon Valley leaders have a more contentious relationship with Washington, D.C. There’s also the question of scale: The U.S. population is more than three hundred times larger than Estonia’s.
Still, Kaljurand said governments must find ways to partner with the private sector to ensure cybersecurity. “We need a multi-stakeholder approach. Not just IT geeks, but also civil society, academia. If governments want to be efficient, they have to cooperate with all the actors who are in the field.”
Contact Heather Stephenson, editor of Fletcher Magazine, at firstname.lastname@example.org.
The Rise of Data Hacking
A sample of some of the highest profile data breaches in recent years.
Number of credit card accounts compromised in a 2013 hack of Home Depot self-checkout terminals.
Number of households affected by a 2014 attack on JPMorgan Chase, the largest banking breach in history.
Number of people whose personal and financial data was exposed in a 2015 attack on the Anthem health care network. (No medical records were affected.)
Number of Facebook users possibly affected by Cambridge Analytica’s data mining around the 2016 election. (Not technically a breach, the activity violated Facebook policies.)
Number of people whose personal data, such as Social Security numbers, were exposed by the 2017 hack of Equifax, the worst corporate breach to date.