Global Governance Futures 2027 fellow Evan Sills explores the need for national security policymakers to develop their technical literacy.
A lack of cyber literacy and education is compromising America’s national security options. But, equally important, our senior national security leaders struggle to analogize between the cyber and physical domains, and identify appropriate responses to cyber attacks from nation-states. This has led to the public shaming of countries that conduct cyber attacks on other countries, but very little in terms of retribution. Responses have typically been limited to economic sanctions and other retaliatory actions that have already been used. It is urgent that our national security leaders start adapting and creating new responses to cyber attacks so that the defensive toolkit expands at the same rate as the offensive toolkit.
When the Cold War began, political scientists and policymakers were faced with a new technology that changed the world: nuclear weapons. Deterrence theory evolved to include nuclear weapons, and the nuclear triad became an important tenet of American military doctrine – taught to generations of students that followed.
We are quickly learning that traditional deterrence theory does not apply equally to cyber weapons: it is hard to display force on the internet, attribution is difficult and easily faked, and the weapons themselves are more varied and abstract than nuclear weapons. In a recent series of articles on the Lawfare Blog, Dr. Herb Lin discusses the inherent differences between cyber weapons and intelligence operations conducted in cyberspace: namely, “a successful intelligence operation is one that the adversary never knows has happened…[B]y contrast, a military operation (such as one conducted by US Cyber Command) is supposed to be noticed by the adversary–if it has no effect, it’s been unsuccessful.” While these ideas should continue to come out of academia, government policymakers need to be able to combine a technical understanding with inside government knowledge of actual capabilities – which is particularly necessary in the case of a heavily-classified issue such as cyber weapons.
Cyber weapons can impact many assets, and in multiple ways, making knowledge of their uses more complex than as with nuclear weapons. Understanding how the internet works and how cyber weapons operate requires technical knowledge and a certain level of comfort with technology and the internet. These skills are not being taught sufficiently, and certainly not to our political scientists and policymakers.
A range of cyber weapons have been used by governments that goes beyond traditional hacking for the purpose of stealing information. Denial-of-service attacks (overloading a website so it is unusable), misinformation campaigns (releasing false information or altering real documents), and destroying physical objects are all methods that have been used previously by nation-states. However, a host of other options exists, including spreading information to citizens about their leadership, integrity attacks (altering data to cause doubt in its authenticity), and fundamentally compromising a nation-state’s place on the internet (cutting off its access entirely or taking down the Great Chinese Firewall).
The Russian campaign against the Democratic Party and the US election system has heightened the necessity to develop a response that shows their intolerance of these attacks without starting a dangerous escalation. White House Press Secretary Josh Earnest admitted in early October that, “the rules of the road when it comes to cybersecurity in large part are not well established,” making it difficult to formulate a response.
In assessing how to respond to the series of Russian attacks, experts discuss a range of options in the physical world, including trade sanctions, indictments and various kinetic actions, and there are examples of all of them working previously. What this discussion misses is that offensive attacks are innovating and evolving with technology – but defensive responses have stayed the same. While there is confidence in knowing how a country will likely respond because a tactic has been used against them before, it is not clear that old options will be effective in deterring new types of attacks.
Equipping our policymakers with a better understanding of the internet and cybersecurity will enable them to make more informed decisions on a range of other issues as well, including encryption, intelligence and internet regulation. In the long run, this should improve the lives of all citizens, who have legitimate concerns regarding intelligence collection, insecurity of personal data and their governments’ ability to reach optimal decisions on complex issues in the US, such as the Vulnerability Equities Process.
Educating policymakers should happen on both long-term and short-term tracks. In the long term, the education system should provide general education in information technology. While students learn how to use computers early in their education, they learn very little about how they actually work, and just as importantly, how the internet works. In essence, today’s students know how to use the script and read it but they cannot do the writing. This lack of cyber literacy and education is compromising our national security options by limiting the imagination of our policymakers and academics.
In the short term, the US government can prioritize improving the capabilities of its policymakers in two key ways. First, it can prioritize bringing new employees into the government with technical expertise. Particularly in national security, fewer public-private dialogues take place because of classification issues about potential capabilities and their ramifications, so having knowledgeable people at the table is crucial. Second, the US government should provide opportunities for its policymakers to fill this knowledge gap with seminars, online classes and crash courses that will provide a foundation to policymakers. While time-consuming to acquire, knowledge of how the internet and computers work should be considered required for policymakers. Every government department relies on the internet to get out its message and on data to perform its duties better; therefore understanding the costs of losing such data, or the ability of employees and constituents to access its resources, is an important part of its mission.
Equipped with this knowledge, policymakers will be able to evaluate new policy options and hopefully imagine new tools as well. From using cyber tools to expose Vladimir Putin’s assets and personal information to attempting to take down China’s Great Firewall, there are a number of possibilities that could be legitimate responses to cyber attacks against the United States. Ultimately, our policymakers are responsible for determining which of these tools are most appropriate and will have the optimal effect. Having a range of response options, both in the physical and digital worlds, will enable nation-states to continue to have maximum flexibility and opportunity to avoid escalation to violence.
Evan Sills is a director at Good Harbor Security Risk Management and a Global Governance Futures 2027 fellow. The views expressed here are his own and do not represent those of his employer.