An expert explores the complexities cyber introduces in the national security landscape.
In an era when we live so many aspects of our lives online—from sharing details on social networks to managing our finances—our privacy and identity have become increasingly vulnerable. But such vulnerabilities reside within the confines of our private, civilian lives.
What’s at stake when nations turn to cyberspace to display aggression, compromise intelligence, or threaten adversaries?
The high-profile hacks of recent years—Sony, the Democratic National Committee—and the recent “distributed denial of service” attack have brought cyber security to the fore in national and international security circles. In the following interview, Professor Reveron explains the concept of national security, intelligence, and war in the age of cyberspace. His responses reflect his personal opinions, not those of the Belfer Center or the Naval War College.
When Cyber Security Becomes a National Security Issue
Traditionally, national and international security have resided in physical domains: land, sea, space, and air. But the virtual world today has altered that landscape significantly. What are some security challenges that arise in the “borderless” realm of cyberspace?
Fundamentally, cyberspace is a civilian space, and it’s a human construct unlike the other physical domains you listed. Without engineers, developers, and users, cyberspace would not exist. One of the key differences between, say, land borders and cyberspace is that cyberspace is always changing. It’s potentially infinite because more networks, more devices, and more users are constantly being added. All that is contracting the world where someone in Cambridge, Massachusetts can directly engage with government officials in Canberra, Australia. Or worse, an organization 7,000 miles away can influence an election, steal intellectual property, or disrupt individuals’ online lives.
Cyber challenges the traditional national security divide … The Department of Defense is responsible for .mil. The Department of Homeland Security is responsible for .gov. But we all live in .com. And there’s no equivalent to city or state police to protect us there.
There’s another difference. We are historically, legally, and culturally comfortable with national governments protecting airspace, and land borders and sea boundaries. The national security system largely provides defense beyond the borders and not within them.
Cyber challenges the traditional national security divide: federal government is responsible for international challenges, and state and local governments are responsible for domestic ones. The Department of Defense is responsible for .mil. The Department of Homeland Security is responsible for .gov. But we all live in .com. And there’s no equivalent to city or state police to protect us there.
Since 90 percent of cyberspace resides in the private sector, many new security issues arise. We’re talking about Amazon servers, which might host your e-mail account. We’re talking about Microsoft Windows or the Apple operating system, which is your interface into cyberspace. Your personal phone is managed by one of the big telecom companies.
Unlike airspace and land borders, the government does not have a natural role in these spaces to promote security or protect citizens.
Government has to balance its obligations to protect national security without compromising the ability of corporations to innovate or citizens to maintain their privacy.
Cyberspace in national security raises interesting questions about the role of the national government in protecting this civilian space. There are all sorts of civil liberties at play, and we need to appreciate that expertise resides in the IT sector.
When it comes to nuclear weapons, for example, the expertise inside the United States is largely, I think, within US national labs and some government-funded university programs. But the expertise in cyberspace lies in publicly traded companies like Microsoft, Apple, Facebook, or McAfee, or privately held IT startups—not inside the federal government.
Yet, if major cyber events increase in frequency or impact, citizens will demand that government regulate the IT sector or respond to cyber attacks. Government has to balance citizens’ demands and its obligations to protect national security without compromising the ability of corporations to innovate or citizens to maintain their privacy.
The Trump administration spun-off US Cyber Command from a preexisting structure. But the next big question to consider is whether Cyber Command should remain connected to the National Security Agency. The NSA and the intelligence community are working hard to protect national security by preventing a terrorist attack or countering foreign intelligence activities against the United States. Unfortunately, that’s not a mainstream perspective, which hampers the cybersecurity discourse.
How has cyberspace changed the way nations act in times of conflict or tension?
Cyber tools give governments a means to attack, retaliate, or exercise levels of coercion that are short of war. Probably the easiest example would be North Korea.
A big area of debate is whether cyber is a war-fighting tool or an intelligence tool.
When North Korea wanted to express dissatisfaction with the US due to a movie release, it didn’t attack US forces in South Korea or harass commercial ships bound for the US. Instead, it conducted a cyber attack against Sony Entertainment. While North Korea remains provocative with missile and nuclear tests, cyber tools give the country a way to conduct attacks or harass without escalating into physical war.
You write in your book Cyberspace and National Security that given the infancy of cyberspace, there are significant gaps in governance, policy, and law. What implications do these gaps have for the international community?
A big area of debate is whether cyber is a war-fighting tool or an intelligence tool. Right now it tends to be more widely used in espionage as an intelligence tool.
That’s partly because when we look at conflict between countries, it isn’t really that common. Most conflict in the world today is internal. It’s civil war in Syria, civil war in Afghanistan, insurgency groups in Nigeria or Colombia.
We haven’t seen cyber interface in a traditional war-fighting role (yet). Dozens of countries are developing military cyber commands, though. So the next interstate conflict will likely include cyber attack.
It’s rare that another country invades another. Russia’s invasion of Ukraine is the most recent example. But state invasion of another country doesn’t happen that often. We haven’t seen cyber interface in a traditional war-fighting role (yet). Dozens of countries are developing military cyber commands, though. So the next interstate conflict will likely include cyber attack.
Nonetheless, in legal terms, it’s not necessarily the means of an attack but the effect. If it’s violent, widespread, and sustained, then legal scholars will argue that it doesn’t matter if it’s a cyber attack or a missile attack—what matters is the impact.
In the intelligence realm, a cyber attack takes the form of economic espionage or intellectual property theft. There are many accusations of Chinese state entities or sponsored groups targeting American companies for intellectual property, which is then used to benefit Chinese business.
… geographically the US has been pretty lucky and immune from conflict, unlike other parts of the world. Cyberspace changes that—especially because the US is one of the most connected countries. And we increasingly put more of ourselves in this domain.
In fact, the US and China signed an agreement about two years ago that said neither country would use their intelligence services to conduct economic espionage for commercial value or gain.
But they didn’t agree to outlaw espionage. That’s in part because governments rely on their intelligence sources as a warning mechanism to see if there are dangers—to validate what’s being said in public or private meetings.
Although cyber attacks haven’t yet been seen in traditional warfare, it will come. This will change the American experience of warfare, no?
Yes. What really interests me is that geographically the US has been pretty lucky and immune from conflict, unlike other parts of the world such as the Middle East today, Southeastern Europe in the 1990s, or Southeast Asia in the 1970s. Cyberspace changes that—especially because the US is one of the most connected countries. And we increasingly put more of ourselves in this domain.
If you think about it, American presidents have used military force about 50 to 60 times since World War II. Those conflicts always take place overseas. We’re not defending our own borders. Missile strikes and air strikes are not happening inside the United States. Our enemies have had very little opportunity to retaliate against the US population through traditional warfare. Cyberattacks can change this.
Banking, telecommunications, and electrical power: these three sectors are vital to the functioning of our society. And they are potentially exposed in future conflicts through other military cyber components.
Through cyberspace, foreign adversaries could target Americans and the big sectors, such as banking, telecommunications, and electrical power. These sectors are vital to the functioning of our society, and they are potentially exposed in conflict now.
Again, let’s contrast this with the terrestrial world. Russian bombers regularly fly down the US West Coast as a show of force. Canadian and American planes intercept these bombers. We’re fairly prepared for those scenarios.
What we’re not prepared for is when, say, Russia-based hackers attack US entities. As investigations continue on Russia’s influence operations in the US, it’s unclear in law whose responsibility it was to protect the US system.
Cyber security is one of the growth areas at the national level. Certainly, large-scale hacks are driving this because the US systems and networks are so vulnerable. Both at the government and individual level, people recognize we must now prioritize cyber security.
How is the international community working cooperatively to address cyber threats and vulnerabilities? There have been efforts within the UN and NATO to set some standards across the board, but what are some of the challenges?
There are local instances, like the Boston Global Forum. The forum regularly convenes groups of experts from around the world to develop a set of international norms to regulate government behavior in cyberspace. I was part of the group developing these norms for the last two G7 summits. Participating countries looked at our norms as a way to try to reinforce state behavior.
The first step we established involved controlling government behavior. The next outlined the responsibility of governments to control malicious behavior that exists below the state level. When we meet again in the near future, we will closely examine ways to improve cyber defense.
Chinese military intelligence is one problem, but we expect regular bilateral meetings and relationships between the US and China to control state behavior—military or intelligence.
But there isn’t a great mechanism to control individual behavior because organized crime has moved into cyberspace. You can look at tax fraud in the US—people filing false tax returns—and identity theft as examples. This is where governments have to regulate cyber behavior within their own borders.
Cyber security is one of the growth areas at the national level. What’s driving this are large scale hacks certainly, because the US systems and networks are so vulnerable. Both at the government and individual level, people recognize we must now prioritize security.
We have to promote these norms. Through the Boston Global Forum in September, we held another meeting on cyber civil defense, which was designed to give civilians some guidelines for dealing with attacks.
Again, let’s contrast this with the terrestrial world. Russian bombers regularly fly down the US West Coast as a show of force. Canadian and American planes intercept these bombers. We’re fairly prepared for those scenarios.
What we’re not prepared for is when, say, Russia-based hackers attack US entities or US individuals. It’s unclear in law whose responsibility that is.
Cyber security is one of the growth areas at the national level. What’s driving this are large scale hacks certainly, because the US systems and networks are so vulnerable. Both at the government and individual level, people recognize we must now prioritize security.
Companies—even IT companies—are looking for some clarity on standards. The National Institute for Standards and Technology recently released some efforts to improve cyber security through its Framework for Improving Critical Infrastructure Cybersecurity.
If you had to predict one significant change in our progress in cyber security internationally over the next decade, what would that be?
I can think of a few things. Essentially, we should better regulate behavior between governments and ensure they take responsibility for controlling the malicious activity emerging from their borders.
An agreement on international norms for how governments behave in cyberspace would involve everything from protecting civil liberties to adhering to the Law of Armed Conflict in cyberspace, which outlaws targeting civilians.
Governments also have to crack down on malicious cyber activity inside their borders. Organized crime has moved into cyberspace, and identity theft is a business. Tax fraud is a business. Governments have to prioritize those spaces as well to ensure there’s trust in the economy.
A third prediction is that software companies will prioritize security. Cyber attacks are the result of vulnerabilities in the software that we use. As more nontraditional devices like thermostats, televisions, and refrigerators are added to networks, software security needs to improve.
Finally, we will all begin to practice better cyber hygiene. Update your software, don’t click on links that promise things too good to be true, and change your passwords. The future will require us all to be vigilant.
