The Threat

Political paralysis may pose the biggest hurdle to securing U.S. networks.

The story of cybersecurity is one of attackers consistently outpacing defenders. When the Internet was designed, security was not a consideration. No one predicted that the new technology would become a global infrastructure or that there would be an incredible increase in speed, connectivity and the number of users (currently more than 2 billion). Rapid, unexpected growth combined with a too-rosy view of technological progress has led to some very real dangers.

The absence of rules to govern international behavior in cyberspace compounds the problem. The effect of the new technologies is not to dissolve borders but to shrink distance. On the Internet, St. Petersburg and Jinan are as close or closer to readers of this magazine as are the buildings across the street in terms of the time it takes to reach them. The combination of porous networks and global reach in a weakly governed environment enables lawlessness and malicious activity on an unforeseen scale.

What can we say about threats to the United States in cyberspace? They are largely foreign, and foreign governments play a central role in directing or supporting them. The greatest threats come from advanced, state-sponsored actors who have the skill and resources to overcome most defenses. Technological improvements will squeeze out less sophisticated actors, but advanced opponents will continue to improve their capabilities.

The starting point for thinking about cyber threats is to differentiate between an exploit and an attack. Calling every bad act in cyberspace an attack is confusing and unhelpful. The distinction between exploit and attack revolves around whether a malicious action in cyberspace is equivalent to the use of force with conventional weapons. If there is no damage, death or destruction, then it is not an attack. Using this definition, which is consistent with international law, only two cyber incidents qualify as real attacks-the Stuxnet virus, which destroyed equipment in an Iranian nuclear facility, and Israel's alleged disruption of Syrian air defenses in 2007 during a raid on a suspected nuclear facility. The efforts to coerce Estonia by crippling that wired nation's websites in 2007, while troubling, were not an attack, which is why NATO's Article 5, which calls for all members to respond jointly to an attack, was not invoked.

The greatest cyber threat to the United States and its allies comes from espionage. The Internet has created what one senior U.S. intelligence official calls "the Golden Age of signals intelligence." Nations no longer need expensive ground stations, satellites, airplanes or ships to spy. They can create a global intelligence capability with a few laptops and a high-speed connection. Cyber espionage includes traditional efforts to collect information on an opponent's intentions and military capabilities (and there have been damaging losses of advanced military technology), as well as economic espionage, where foreign governments, companies and citizens steal intellectual property and confidential business information.

Economic espionage is not new, but the Internet has made possible a vast increase. Foreign competitors steal business plans, intellectual property and product designs. The technology acquired from American high-tech companies eventually will make foreign competitors stronger. Some call this leakage of technology death by a thousand cuts-each too small to be fatal but whose cumulative effect is ultimately crippling. The economic espionage problem is a digital counterpart to the struggles to protect intellectual property in a globally connected economy. A new spate of espionage cases involves stealing information on the future of the global economy. In March, the preparatory documents for the last G-20 summit were purloined and in what could be a related incident, the International Monetary Fund was hacked. The most likely beneficiary is another government seeking to gain an edge in global financial negotiations.

Russia and China are among the most active nations in cyber espionage against the United States. Both have long-running programs-Russian cyber espionage dates at least to 1982, when Soviet cyber spies are known to have stolen a Canadian firm's software that included a logic bomb planted by the CIA. The Russians are technically sophisticated and take advantage of skilled cybercriminals in their country. By contrast, the Chinese flood the space with many loosely coordinated private agents. Both nations would point out that the United States engages in cyber spying, but not economic espionage, and we do not tolerate cybercriminals and employ them as proxies.

Countries may try to improve their collection capabilities by tampering with information technology products. China already believes-wrongly-that information technology from U.S. companies is loaded with backdoors. The United States feels the same about Chinese products. Trying to manipulate the IT supply chain can be difficult and costly, but it is not impossible. Our opponents are not inept and will not sell obviously flawed products; the most likely scenario is that they will sell "clean" products and then exploit the access they gain to collect information and create a capability for disruption. The best target for a supply chain attack is telecommunications.

Cybercrime Pays

The problem is that while cyber espionage is costly and damaging, it is often invisible. Companies may not even be aware of what has been taken. The easiest way to think about this is to ask how much U.S. companies would have been paid if their intellectual property had been purchased rather than stolen. Estimates vary widely but all agree the cost is in the billions of dollars.

Frankly, even losses of this size can seem minuscule in a $14 trillion economy. Some hope that if companies only knew how much they were losing, they would pay more attention to cybersecurity, avoiding the need for mandatory government action. But many companies expect to lose 2 percent to 3 percent annually to "pilferage" and the cost of cyber espionage, with a few exceptions, stays below that threshold. Cyber espionage and crime are for many companies an operating cost, not an existential threat.

Cybercrime focuses on money rather than intellectual property. For a smart criminal-and smart means living in a country that tolerates cybercrime-this is risk free. There have been no extraditions from sanctuary countries. The most sophisticated cybercriminals reside in Eastern Europe and the former Soviet Union. These places are havens for cybercriminals, who sometimes act as proxies for their host governments, providing those governments a degree of deniability for espionage. This is what we saw in the exploits directed against Estonia in 2007 and Georgia in 2008.

Cybercrime pays well. One pair of cybercriminals made $2 million in one year from click fraud on Facebook. Another pair created those bogus malware warnings that flash on computer screens-the FBI says those cybercriminals made $72 million from people paying to have the phony threats "removed." A gang in Russia extracted $9.8 million from a U.S. bank over Labor Day weekend in 2008. Few of the criminals in these cases are ever indicted, much less convicted, and in some cases, their identities remain unknown. Million-dollar crimes probably happen every month, but are rarely reported.

The most advanced cybercriminals can launch cyberattacks on a par with many militaries, but so far, we have not seen them act as mercenaries, or cyber guns for hire, probably because their government patrons would frown on this. The situation could change as we see the commoditization of cyberattack techniques. Cybercriminals already can draw upon online black markets that offer the latest hacking tools, new software vulnerabilities, botnets (remotely controlled computers) and credit card data.

Threats to the American financial system from cybercriminals are likely overstated. They would rather extract money than crash markets, but there are disquieting trends. The 2010 "flash crash," where automated trading systems made stock prices plummet, showed the potential for disruption. The penetration of Nasdaq showed that someone is interested in markets and has the skill to hack them. While it is unlikely that nations with advanced cyber capabilities would crash the financial system-they have too much invested in the United States-they could disrupt it. A more likely scenario is that cybercriminals, in an attempt to manipulate stock prices or to gain insider information, could inadvertently cause a crash.

Cyberwar is a concern, but it remains hypothetical. Pronouncements that Chinese espionage amounts to cyberwar are exaggerated and carry some risk. China is not the only nation to engage in espionage in cyberspace, so we want to avoid defining spying as an act of war. Cyberwarfare likely would involve disruption of crucial military network services and data, the creation of uncertainty and doubt among opposing commanders, and damage to critical infrastructure.

Russia's use of cyber exploits in combination with an armored assault against Georgia showed the potential military use of cyber techniques, but suggests that cyber will complement conventional forces rather than replace them. It is very unlikely that we will ever see a pure cyberwar that relies only on cyberattacks. A pure cyberwar-keyboard versus keyboard-is more likely to annoy than to provide decisive advantage. It would be like poking a bear with a stick-little harm is done and the risk of a damaging response too great.

The United States is a particularly attractive target, given how much our military depends on networks and information. Foreign militaries or other opponents, if we get into a shooting war, will attempt to damage or destroy the U.S. military's informational advantage, starting with attacks against military networks and perhaps escalating to attacks on critical infrastructure in the American homeland. One nation-state opponent penetrated U.S. Central Command's classified network in December 2008 to implant malware that could have scrambled or erased data.

The Stuxnet worm confirmed that skilled attackers could damage or destroy critical infrastructure. Only five or six nations have the ability to launch Stuxnet-like cyberattacks, but others seek to acquire them. Thirty-six countries have military doctrine for cyber conflict. Cyberattack will be like the airplane-within a few years, no self-respecting military will be without this capability. Cyberwarfare is cheap, and to quote the head of Israeli military intelligence, "cyberspace grants small countries and individuals a power that was heretofore the preserve of great states."

Our most advanced cyber opponents have reconnoitered America's critical infrastructure, but this is not very different from a satellite flying overhead to map possible missile strikes. No country is likely to use cyberattack capabilities against the United States unless we are in a military conflict with them. There is, of course, the possibility of miscalculation or error.

Someone could carry out an experiment or weapons test that goes out of control, or a reconnaissance effort could accidentally disrupt critical services. This sort of accident could escalate into conflict. The few nations that have cyberattack capabilities, however, are careful to avoid actions that look like the use of force to avoid triggering a military response.

The threat of cyberattack is, like other military threats to the United States, deterred by our capability for violent response. But as cyberattack capabilities spread, our ability to deter will diminish. Confrontational states such as North Korea and Iran do not yet have the capability to launch sophisticated cyberattacks, but both are making serious efforts to acquire the capabilities. As with nuclear weapons, they will persist until they succeed, which is one reason it is important for the United States to strengthen its defenses.

Terrorists currently lack the ability to launch cyberattacks. If they had it, they would have already launched them. A few terrorist groups have talked about cyberattacks to disrupt the American economy and when one finally acquires that capability, it will use it despite the risks of a U.S. response, a dynamic that makes terrorists difficult to deter. This is another reason it is important for the United States to strengthen its defenses. We have some unknown period of time before terrorist groups or irresponsible nations like Iran or North Korea become sufficiently advanced in their cyberattack capabilities to strike the United States.

The United States is on a par, perhaps even ahead, when it comes to cyberwarfare. We are at a disadvantage in cyber espionage, and unable to do much about cybercrime as long as major nations think it useful to have proxy forces made up of cybercriminals. In one area, however, the cyber threat to our opponents is greater than it is to the United States. Just as the Gutenberg printing press changed governments in Europe with its books and broadsheets by creating new political forces, so has the Internet created new forces to which governments will have to adjust. This adjustment is a serious challenge to authoritarian countries whose leaders view the Internet as a threat to regime survival and information as a weapon.

It is true that sophisticated opponents could damage the United States through the illicit acquisition and release of information. The 2008 theft of campaign data from the McCain and Obama organizations shows the potential for mischief. Opponents could exfiltrate documents and send them to WikiLeaks or other media outlets. In one instructive example before the 2009 Copenhagen Climate Conference, someone hacked into scientific institutions, stole emails, edited them for maximum effect, and then released them in ways that damaged the case for action against climate change. Climate-gate showed how a skilled adversary could use cyberspace for global political consequences. While the conference may well have collapsed without external assistance, the email leaks count as a major coup. This is what WikiLeaks hoped to emulate with its release of sensitive State and Defense department files and others may try in the future.

As we have seen in the Arab Spring, if there is discontent, the Internet will amplify it. But dissent is a normal part of politics in the United States and other Western democracies. The effect of the Internet on democratic politics is challenging, but it is not as great a threat as it is to authoritarian regimes. WikiLeaks, which sought to damage the United States, had little effect. The annoying children of Anonymous or LulzSec held noisy protests-the digital equivalent of spraying a corporate headquarters or federal building with graffiti-but they did not bring down any governments.

The same is not true for Russia, China, Iran or other nondemocratic states. They depend on controlling information and throttling dissent. The Russian press reported that President Dmitry Medvedev, talking about the role of Western social networks in the Arab Spring revolts, said, "They have been preparing such a scenario for us, and now they will try even harder to implement it."

These countries would like to strangle free access to information. They will build technologies that will give them the ability to control cyberspace. Since they view social networks and access to information as a U.S. plan to destabilize their governments (and the State Department is subsidizing technologies to erode authoritarian control), they will use this to justify their own malicious actions. The larger political struggle over the values that shape cyberspace will shape our ability to make cyberspace more secure.

Cybersecurity is a public good-the market will never supply it adequately and in any case, no one expects companies to provide for the national defense. This is a federal function. Cyberspace is dangerous, but we can change this if we want. Greater international cooperation and regulation will reduce the risk. The alternative is to ignore the threats, pretend they are smaller than they are, and hope they will go away. Threats to the United States in cyberspace come largely from foreign sources, but the biggest threat may be domestic. Cyberspace is dangerous because we have let it become so. Our inability to agree on a new approach, our reliance on a failed strategy of voluntary action, makes us vulnerable and gives our opponents an edge. This domestic threat from paralysis and inaction is the threat experts fear the most.

James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Formerly in the Foreign Service and Senior Executive Service, he specialized in Asian regional security, technology transfer, Internet policy and military space programs.
