The nation that brought the world the mushroom cloud is now hard at work on a new project: coming up with cyberweapons so strong that their very existence would deter foreign governments from attacking U.S. databases and crucial computer systems.
The idea is to try to adapt a military concept that helped keep the world safe from nuclear bombings during the Cold War to the digital battlefield of the 21st century.
For four decades, the U.S. and the Soviet Union built up massive stockpiles of nuclear weapons but never used them. Part of the reason was the belief on both sides that any attack would be met with an equally devastating counterstrike. Military planners called the idea mutually assured destruction.
Today, plans for “cyberdeterrence” aim to develop something analogous for the digital era.
National security officials have recently stepped up their public warnings about the need to build such a deterrent.
“If we do nothing, then one of the potential unintended consequences of this could be, does this send a signal to other nation states, other groups, other actors that this kind of behavior is OK and that you can do this without generating any kind of response?” Adm. Mike Rogers said in a recent speech. Rogers, who is both the military’s top commander for cyber-operations as head of U.S. Cyber Command and director of the National Security Agency, made the remarks at the Aspen Security Forum in Aspen, Colo., last week.
Without an aggressive U.S. response as a deterrent, a rise in destructive cyberattacks against government and business appears likely, a recent intelligence assessment predicted.
“Until such time as we come up with a form of deterrence that works, we're going to have more and more of this,” said Director of National Intelligence James R. Clapper, also at the Aspen forum.
“I think the next wave, if you will, will be data deletions and data manipulation, which will also be very, very damaging,” Clapper said.
But despite a significant increase in the number of attacks, the Obama administration has not settled on a consistent policy for responding.
As the internal debates continue, the problem has escalated.
In recent months, thousands of emails have been sent to government addresses by hackers trying to entice federal officials into downloading carefully disguised spyware. The “spear-phishing” emails are tailored to convince the recipient to open an attachment.
The increase in state-sponsored computer attacks stems in part from a perception that “there is little price to pay for engaging in some pretty aggressive behaviors” online, Rogers said.
In many cases, hackers designed the spear-phishing emails using personal information stolen in earlier breaches of government databases, including what officials say was China’s theft of millions of security-clearance files from the Office of Personnel Management and the infiltration by Russian hackers of the State Department’s unclassified email system. Officials say the personnel records are a gold mine for designing future cyberattacks and approaching American government officials who might be turned into spies.
Those incidents were part of an escalating fusillade of cyberattacks, some of which caught U.S. intelligence off-guard.
In February 2014, hackers who officials say were linked to Iran erased hard drives and froze servers running slot machines and loyalty rewards programs at Las Vegas Sands Corp. casinos in Las Vegas. Sands was likely targeted because the casino company's owner, conservative billionaire Sheldon Adelson, had said the year before that a “mushroom cloud” could rise over Tehran if it continued its nuclear development program.
November saw the attack on Sony Pictures, in which hackers wiped out data and released sensitive files. The FBI said the North Korean government wanted to prevent the studio from releasing “The Interview,” a film that mocked leader Kim Jong Un. Sony has spent at least $15 million to repair the damage.
Then, the attacks on the State Department email system and the government’s personnel files proved how vulnerable some government systems were.
“The number of threats have gotten worse and are only escalating,” warned Mac Thornberry (R-Texas), chairman of the House Armed Services Committee. “We have to figure out how to retaliate against an attack.”
Building a cyberdeterrent, however, is more complicated in some ways than developing the capacity to retaliate against a nuclear strike.
One set of problems involves the unintended consequences of deploying a cyberweapon. Intelligence analysts have warned that if the U.S. decides to engage in tit-for-tat cyberattacks, the effect could ripple across the World Wide Web. Even though the Internet was invented by American computer scientists, existing defenses on U.S. computer systems may not be strong enough to withstand a series of counterattacks.
Another difficulty is identifying an attacker. If a nuclear-tipped missile were launched toward the U.S., it wouldn’t be difficult to identify where it came from. Determining the origin of a cyberattack is sometimes much harder.
“This is a new realm of war,” said Peter W. Singer, a fellow at the nonprofit New America Foundation in Washington and coauthor of the book “Cybersecurity and Cyberwar.”
“We need to get better at it. We need to develop a better deterrence model. But it’s never going to protect you against 100% of all attacks that’s sent your way.”
Military officials insist, however, that given enough time, they can develop tools that will work. During a congressional hearing in March, Rogers discussed the need to build up a stock of cyberweapons to deter foreign countries from trying to hack vital networks.
“Just as we fashioned a formidable nuclear capability that served us through the Cold War and beyond, I am confident in our ability to keep pace with adversaries,” he said.