The Perfect Weapon: War, Sabotage and Fear in the Cyber Age

Cyberattacks have been around for two decades. As President Barack Obama once feared, a cyberarms race of historic but hidden proportions has taken off. et in this arms race, the United States has often been its own worst enemy. Because our government has been so incompetent at protecting its highly sophisticated cyberweapons, those weapons have been stolen out of the electronic vaults of the National Security Agency and the CIA and shot right back at us. Cyberweapons have emerged as effective tools for states of all sizes: a way to disrupt and exercise power or influence without starting a shooting war. Cyberattacks have long been hard to stop because determining where they come from takes time — and sometimes the mystery is never solved. But even as the United States has gotten better at attributing attacks, its responses have failed to keep pace. Today cyberattackers believe there is almost no risk that the United States or any other power would retaliate with significant sanctions, much less bombs, troops or even a counter cyberattack. So while the United States remains the greatest cyberpower on earth, it is increasingly losing daily cyberconflicts. The range of American targets is so wide and deep that it is almost impossible to understand all of the vulnerabilities. And because most of those targets don’t belong to the government — banks, power grids, shipping systems, hospitals and internet-linked security cameras, cars and appliances — confusion reigns over who is responsible for defending them and who will decide when to strike back. We have the most fearsome cyberweaponry on the planet, yet we’re afraid to use it for fear of what will come next. So what is to be done?

• First, the United States must significantly improve its cyberdefenses. The wide-open vulnerabilities in America’s networks have essentially deterred the United States from credibly threatening retaliation against the Russians, the Chinese, the North Koreans and the Iranians. One way to start is to make sure no new equipment goes on the market unless it meets basic security requirements.
• Second, we must decide what networks we care most about defending — and make those priorities clear. 
• Finally, the United States needs to end the reflexive secrecy surrounding its cyberoperations. We need to explain to the world why we have cyberweapons, what they are capable of and, most important, what we will not use them for.

[Sanger is a national security correspondent for The New York Times. This article is adapted from his forthcoming book]