How to Enhance the United States' Electronic Defenses

Wesley K. Clark and Peter L. Levin | Foreign Affairs | November/December 2009, Vol 88, No 6

Authors: WESLEY K. CLARK, a retired four-star General, was Supreme Commander of NATO from 1997 to 2000, led the alliance of military forces in the 1999 Kosovo War, and is a Senior Fellow at the Ron Burkle Center for International Relations at UCLA. PETER L. LEVIN was the founding CEO of the cybersecurity company DAFCA and is now Chief Technology Officer and Senior Adviser to the Secretary at the Department of Veterans Affairs. The views expressed in this article do not necessarily represent the views of the U.S. government.

During the July 4 holiday weekend, the latest in a series of cyberattacks was launched against popular government Web sites in the United States and South Korea, effectively shutting them down for several hours. It is unlikely that the real culprits will ever be identified or caught. Most disturbing, their limited success may embolden future hackers to attack critical infrastructure, such as power generators or air-traffic-control systems, with devastating consequences for the U.S. economy and national security.

As Defense Secretary Robert Gates wrote earlier this year in these pages, "The United States cannot kill or capture its way to victory" in the conflicts of the future. When it comes to cybersecurity, Washington faces an uphill battle. And as a recent Center for Strategic and International Studies report put it, "It is a battle we are losing."

There is no form of military combat more irregular than an electronic attack: it is extremely cheap, is very fast, can be carried out anonymously, and can disrupt or deny critical services precisely at the moment of maximum peril. Everything about the subtlety, complexity, and effectiveness of the assaults already inflicted on the United States' electronic defenses indicates that other nations have thought carefully about this form of combat. Disturbingly, they seem to understand the vulnerabilities of the United States' network infrastructure better than many Americans do.

It is tempting for policymakers to view cyberwarfare as an abstract future threat. After all, the national security establishment understands traditional military threats much better than it does virtual enemies. The problem is that an electronic attack can be large, widespread, and sudden -- far beyond the capabilities of conventional predictive models to anticipate. The United States is already engaged in low-intensity cyberconflicts, characterized by aggressive enemy efforts to collect intelligence on the country's weapons, electrical grid, traffic-control system, and even its financial markets. Fortunately, the Obama administration recognizes that the United States is utterly dependent on Internet-based systems and that its information assets are therefore precariously exposed. Accordingly, it has made electronic network security a crucial defense priority.

But networks are only the tip of the iceberg. Not only does Washington have a limited ability to detect when data has been pilfered, but the physical hardware components that undergird the United States' information highway are becoming increasingly insecure.