Taking cyber power seriously
[Commentary] As Wired magazine put it, Oct 21’s distributed denial of service (DDoS) attack on Domain Name System provider Dyn was “a definite reminder of the fragility of the web, and the power of the forces that aim to disrupt it.” The fact that we haven’t experienced a serious kinetic-effects attack does not mean one is not coming or that we are prepared for it if it does. As National Security Agency's Curt Dukes noted, not one of the attacks in the past 24 months (OPM, the Democratic National Convention hacks, and so forth) has involved use of a “zero day” exploit — the most potent and unpredictable kind of cyberattack, because it involves a software vulnerability that has not yet been discovered or used. They have all been carried out using more mundane, well-understood vulnerabilities.
What would it mean to take cyber power more seriously? Earlier this year, AEI published a report on An American Strategy for Cyberspace, which I coauthored with other AEI scholars. Our recommendations included being more willing to retaliate against cyberattacks when they occur, loosening the reins on government’s use of active defense, and if the stakes merit it, even taking preemptive action. Whatever the details of the solution, the time has come to realize that cybersecurity is no longer just about embarrassing e-mails and lost credit card numbers. In today’s world, cyber power has the capacity to cripple infrastructures, disrupt economies, enable deadly terrorist attacks, and profoundly threaten America’s national security. We ought to be taking it more seriously than we are.