As solid as the U.S. cyberoffense is, the defense leaves much to be desired, richly demonstrated by the litany of digital disasters, including the hacks of SolarWinds, the Office of Personnel Management, Equifax and Sony. The reality is that the U.S. government and private companies both underinvest in cybersecurity. Effective defense is a collective effort, but agencies and companies are often clueless and defenseless when it comes to countering the intrusions of countries like Russia, China or Iran.
In recent years, there have been suggestions that the United States might explore international agreements by which nations would agree to put constraints on cyberwarfare and espionage. But this idea isn’t really taken seriously. There’s a sense that rules are written by those with the biggest guns — that is Washington — can unilaterally impose global cyberorder.
The SolarWinds hack lays waste to that notion. Confidence that the United States possesses a monopoly on cyberweapons borders on hubris. Even though federal agencies do possess some of the greatest cyberespionage and warfare tools and talent on the planet, the playing field is disturbingly even.
Unlike nuclear weapons, or even sophisticated conventional arms, powerful cyberweapons are cheap to produce, proliferate with alarming speed and have no regard for borders. Unable to match the United States in military spending, Russia, China, Iran and even North Korea view cybertools as a great equalizer. Why? Because the United States is singularly vulnerable to cyberattack: America is more reliant on financial, commercial and government networks than our adversaries, and, at the same time, our systems are frighteningly open and vulnerable to attack. American networks represent targets for our adversaries that are simply too soft, juicy and valuable to resist.
So, does the United States give up and do nothing? Of course not.
First, the United States should recognize that it has entered an age of perpetual cyberconflict. Unlike conventional wars, we cannot end this fight by withdrawing troops from the battlefield. For the indefinite future, our adversaries, large and small, will test our defenses, attack our networks and steal our information. In this respect, cyberconflict is more like fighting a disease than fighting a war, a disease with intent, and for which no vaccine is likely to emerge.