(This is written from a USA perspective, but applies elsewhere, too.)
WASHINGTON — Ask finance ministers and central bankers around the world about their worst nightmare and the answer is almost always the same: Sometime soon the North Koreans or the Russians will improve on the two huge cyberattacks they pulled off last year. One temporarily crippled the British health care system and the other devastated Ukraine before rippling across the world, disrupting shipping and shutting factories — a billion-dollar cyberattack the White House called “the most destructive and costly in history.”
The fact that no intelligence agency saw either attack coming — and that countries were so fumbling in their responses — led a group of finance ministers to simulate a similar attack that shut down financial markets and froze global transactions. By several accounts, it quickly spun into farce: No one wanted to admit how much damage could be done or how helpless they would be to deter it.
Cyberattacks have been around for two decades, appearing in plotlines from “Die Hard” movies to the new novel by Bill Clinton and James Patterson. But in the real world, something has changed since 2008, when the United States and Israel mounted the most sophisticated cyberattack in history on Iran’s nuclear program, temporarily crippling it in hopes of forcing Iran to the bargaining table. (The two countries never acknowledged responsibility for the attack.)
As President Barack Obama once feared, a cyberarms race of historic but hidden proportions has taken off. In less than a decade, the sophistication of cyberweapons has so improved that many of the attacks that once shocked us — like the denial-of-service attacks Iran mounted against Bank of America, JPMorgan Chase and other banks in 2012, or North Korea’s hacking of Sony in 2014 — look like tiny skirmishes compared with the daily cybercombat of today.
Yet in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the C.I.A. and shot right back at us. That’s what happened with the WannaCry ransomware attack by North Korea last year, which used some of the sophisticated tools the N.S.A. had developed. No wonder the agency has refused to admit that the weapons were made in America: It raised the game of its attackers.
Nuclear weapons are still the ultimate currency of national power, as the meeting between President Trump and Kim Jong-un in Singapore last week showed. But they cannot be used without causing the end of human civilization — or at least of a regime. So it’s no surprise that hackers working for North Korea, Iran’s mullahs, Vladimir V. Putin in Russia and the People’s Liberation Army of China have all learned that the great advantage of cyberweapons is that they are the opposite of a nuke: hard to detect, easy to deny and increasingly finely targeted. And therefore, extraordinarily hard to deter.
That is why cyberweapons have emerged as such effective tools for states of all sizes: a way to disrupt and exercise power or influence without starting a shooting war. Cyberattacks have long been hard to stop because determining where they come from takes time — and sometimes the mystery is never solved. But even as the United States has gotten better at attributing attacks, its responses have failed to keep pace.
Today cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack. And though Secretary of Defense Jim Mattis has said the United States should be prepared to use nuclear weapons to deter a huge non-nuclear attack, including using cyberweapons, against its electric grid and other infrastructure, most experts consider the threat hollow.
At his confirmation hearings in March to become director of the N.S.A. and commander of the United States Cyber Command, Gen. Paul Nakasone was asked whether our adversaries think they will suffer if they strike us with cyberweapons. “They don’t fear us,” General Nakasone replied.
So while the United States remains the greatest cyberpower on earth, it is increasingly losing daily cyberconflicts. The range of American targets is so wide and deep that it is almost impossible to understand all of the vulnerabilities. And because most of those targets don’t belong to the government — banks, power grids, shipping systems, hospitals and internet-linked security cameras, cars and appliances — confusion reigns over who is responsible for defending them and who will decide when to strike back. We have the most fearsome cyberweaponry on the planet, yet we’re afraid to use it for fear of what will come next.
Consider the Russian cyberattacks that preceded the well-known hacking of the Democratic National Committee’s computers in 2015 and 2016. Just before, Russian hackers had taken up residence in the unclassified servers at the State Department and the White House, and later deep inside the systems of the Joint Chiefs of Staff.
At the State Department, the eviction took weeks, shutting down systems during negotiations on the Iran nuclear deal. The hackers were even bolder at the White House. Instead of disappearing when they were exposed, they fought back, looking to install new malware as soon as the old versions were neutralized. “It was basically hand-to-hand combat,” recalled Richard Ledgett, the deputy director of the N.S.A. at the time. It appears the attackers just wanted to prove they could go, and stay, anywhere in the American government’s network.
Yet out of a reflexive secrecy about cyberoperations — motivated by an unwillingness to acknowledge both our vulnerabilities and our detection abilities — the United States never called out the Russians for what they were doing. Nor did we exact any punishment. That proved to be a huge mistake.
If Mr. Putin thought there was no price to be paid for invading White House systems, why wouldn’t he attack the Democratic National Committee? And as the Russian attacks continued, no one in the American government detected the larger pattern or Russia’s ambitions to affect the election. Most officials assumed it was plain old espionage.
“It wasn’t that we had our radar off to these kinds of attacks,” a senior official told me. “We hadn’t even built the radar.”
By the summer of 2016, some Obama administration officials, waking to the threat, proposed counterstrikes that included exposing Mr. Putin’s hidden bank accounts and his ties to the oligarchs and cutting off Russia’s banking system. But the potential for escalation caused Mr. Obama and his top aides to reject the plan.
“It was an enormously satisfying response,” a senior American official told me later, “until we began to think about what it would do to the Europeans.”
Mr. Obama also understandably feared that anything the United States did might provoke Mr. Putin to tinker with election systems just enough to give credence to Donald Trump’s warning that the system was “rigged.”
Since the election, the American retaliation has included closing some Russian consulates and recreation centers and expelling spies — actions one Obama national security official called “the perfect 19th-century solution to a 21st-century problem.” President Trump has signed off on some additional economic sanctions against individual Russians.
But the United States’ problem isn’t toughness — it’s an absence of strategy. The larger lesson of the past few years is that unless we get smarter a lot faster about deterring these pernicious, hard-to-find forms of cyberaggression, much of what binds our digitally connected society will be eaten away. We have spent so much time worrying about a “cyber Pearl Harbor,” the attack that takes out the power grid, that we have focused far too little on the subtle manipulation of data that can mean that no election, medical record or self-driving car can be truly trusted. And ultimately that absence of trust will destroy the glue of American society the way the Stuxnet computer worm destroyed those Iranian centrifuges. It will cause them to spin out of control.
So what is to be done?
First, the United States must significantly improve its cyberdefenses. The wide-open vulnerabilities in America’s networks have essentially deterred the United States from credibly threatening retaliation against the Russians, the Chinese, the North Koreans and the Iranians. One way to start is to make sure no new equipment goes on the market unless it meets basic security requirements. We won’t let cars on the road without airbags, so why do we do less with the systems that connect them to the internet?
Second, we must decide what networks we care most about defending — and make those priorities clear. Mr. Mattis’s threat to turn to nuclear weapons hardly seems credible — unless the cyberattack would create an existential threat to America. That requires an intensive public review of what is critical to our nation’s survival. President Trump forfeited the perfect opportunity when he decided against a commission to learn the larger lessons from the 2016 election. Our politics have gotten in the way of our safety.
Finally, the United States needs to end the reflexive secrecy surrounding its cyberoperations. We need to explain to the world why we have cyberweapons, what they are capable of and, most important, what we will not use them for. Clearly, it is in the nation’s interests to develop global norms clarifying that some targets are off limits: election systems, hospitals and emergency communications systems, and maybe even electric power grids and other civilian targets.
Microsoft’s president, Brad Smith, has proposed digital Geneva Conventions that begin to establish those norms, outside the structure of governments and treaties. It’s an imperfect solution, but a start. Intelligence agencies hate this idea: They want the most latitude possible for future operations in an uncertain world. But in any arms control negotiation, to create limits on others, you need to give up something. Otherwise, we will remain trapped in an endlessly escalating war, one we may well lose.