Critical American infrastructure like the electric grid will remain vulnerable to catastrophic cyber attacks from Russia and China for at least 10 years, according to a Pentagon study.
A report by a Defense Science Board task force concludes that the decade-long cyber vulnerabilities must be mitigated while the Pentagon quickly creates new cyber deterrence capabilities, including offensive cyber weapons designed to inflict damage on adversaries and their leaders.
The 44-page report, "Task Force on Cyber Deterrence," was made public Feb. 28. It is based on a two-year study by a panel of military and defense experts.
The report presents a dire picture of weaknesses in both military and civilian information and control systems that are being exploited by advanced cyber warfare states such as China and Russia, along with second-tier cyber threats from states such as North Korea and Iran.
"The United States, as well as our allies and partners, are at serious and increasing risk of severe cyber attack and increasingly costly cyber intrusions," the report concludes. "The requirement for enhanced deterrence is, in our view, not debatable. Nor is the need to accelerate the implementation of deterrence measures."
Russia and China pose the greatest cyber attack dangers. Both governments are increasing their already substantial capabilities for cyber attacks on U.S. industrial control systems that operate critical infrastructure.
Even if U.S. networks are hardened, "such progress will not be adequate to deny Russia and China the ability to unleash catastrophic cyber attacks on the United States, given their massive resources, and capabilities-at-scale (e.g., intelligence apparatus, ability to influence supply chains, and ability to introduce and sustain vulnerabilities) to dedicate to their objectives," the report said.
The report notes that in the past several years the United States has been hit by cyber attacks and costly data thefts by the Russians, Chinese, Iranians, and North Koreans.
China engaged in a massive cyber theft campaign over at least the past decade, according to the report. Despite a promise from Chinese leader Xi Jinping to halt the thefts, Chinese intellectual property theft "has reduced but not stopped."
Russia also hacked U.S. institutions and used the information it obtained to try to undermine voter confidence and affect the outcome of the 2016 presidential election, the report said.
According to the report, foreign nations already appear to have placed malicious software inside computer networks used to control the U.S. electric grid. The foreign malware is known as "Havex" and "BlackEnergy," both of which have been linked to attacks on industrial control systems. BlackEnergy has been used in electric grid attacks in Ukraine and was traced to Russia's government by security analysts.
The task force suggested that if it is acceptable to preposition such malware inside infrastructure controllers, "then the United States may wish to take such actions—if for no other reason than to deter an adversary from 'pulling the trigger' on similar implants it may have placed in U.S. systems."
Rep. Elise Stefanik (R., N.Y.), chair of the House Armed Services subcommittee on emerging threats and capabilities, said the report highlights the threat of cyber warfare.
"Cyber warfare and influence campaigns being waged by state and non-state actors represent a national security challenge of generational proportions," Stefanik said.
"I remain concerned about our apparent lack of a coherent whole-of-nation strategy, but the tangible recommendations in the report are a good place for Congress to start building that strategy," she added.
As for non-state cyber attacks, hackers linked to groups called Anonymous and New World Hackers were blamed for disrupting Internet service over a wide area of the country in cyber attacks against the Internet domain name system provider Dyn in October 2016.
However, the report warns that recent cyber attacks by non-state actors did not rise to the level of "high end" attacks that could be undertaken by advanced cyber warfare states such as Russia and China.
The United States likely will face devastating cyber attacks in the coming years as foreign cyber attack capabilities increase.
"A large-scale cyber attack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water," the report said. "Thus far, we have only seen the virtual tip of the cyber attack iceberg."
"Russia and China have both been part of the problem to date, and could take this threat to the next level by using cyber in sustained campaigns to undermine U.S. economic growth, financial services and systems, political institutions (e.g., elections), and social cohesion," the report said.
To create a new cyber deterrence plan, the report recommends that the commander of U.S. Cyber Command, Adm. Mike Rogers, develop strategic offensive cyber capabilities that could be used to deter a cyber attack against U.S. critical infrastructure. The command also should produce deterrents against cyber campaigns to steal data and influence U.S. elections.
"These strategic offensive cyber capabilities should hold at risk a range of assets that the adversary leadership is assessed to value," the report said.
Task force co-chairmen James N. Miller and James R. Gosler stated in an introduction to the report that "major powers, for example, Russia and China, have a significant and growing ability to hold U.S. critical infrastructure at risk via cyber attack." Moscow and Beijing also could block U.S. military forces from responding to such cyber attacks.
"Although progress is being made to reduce the pervasive cyber vulnerabilities of U.S. critical infrastructure, the unfortunate reality is that, for at least the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States’ ability to defend key critical infrastructures," Miller and Gosler said. "The U.S. military itself has a deep and extensive dependence on information technology as well, creating a massive attack surface."
Additionally, Iran and North Korea both "have a growing potential to use indigenous or purchased cyber tools to conduct catastrophic attacks on U.S. critical infrastructure," they said.
"The U.S. government must work with the private sector to intensify efforts to defend and boost the cyber resilience of U.S. critical infrastructure in order to avoid allowing extensive vulnerability to these nations."
A third threat is posed by state and non-state actors that conduct persistent cyber attacks and costly cyber intrusions against the United States. While separately inconsequential, these attacks cumulatively could produce "death by 1,000 hacks," the report said.
The task force is urging the U.S. government to rapidly create and strengthen cyber deterrents through the use of offensive cyber and other attacks targeting foreign leaders.
The board recommends the military create a hack-proof "thin line" of U.S. strike forces made up of cyber warfare, nuclear, and conventional weapons "in order to ensure that the United States can credibly threaten to impose unacceptable costs in response to even the most sophisticated large-scale cyber attacks."
"In effect, DoD must create a second-strike cyber resilient 'thin line' element of U.S. military forces to underwrite deterrence of major attacks by major powers," Miller and Gosler said.
The report said that while "pervasive cyber vulnerabilities" in the electric grid and other critical infrastructure are being reduced, "improvements are not on a pace to reduce risks to acceptable levels within the next decade."
"The unfortunate reality is that, for at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures," the report said.
Until now, cyber deterrence has focused on denying adversaries the ability to attack U.S. information systems.
New cyber deterrence is needed to demonstrate that the United States will inflict unacceptable costs for attacks on its information system-dominated infrastructure.
Any massive retaliation against nuclear-armed Russia and China for cyber attacks would not be credible, yet the United States needs to develop both cyber and other capabilities that range from low-level disruption to "catastrophic destruction and loss of life," the report said.
Offensive cyber counter-attacks are essential to deterrence. Other military responses, as well as diplomatic, law enforcement, and economic responses, also should be developed.
Without providing details, the report says cyber deterrence will require knowing what foreign leaders value and then threatening or demonstrating that those elements can be damaged.
"A decision to conduct—or not conduct—a cyber attack on the United States will not be taken by a country; rather, it will be taken by a leader or small leadership group, and this leader or group must be the focus of U.S. deterrence planning," the report said.
The Pentagon's main focus for cyber deterrence "should be on key leadership individuals (including those who influence them) in the top four cyber threat nation-states: Russia, China, Iran, and North Korea," the report adds.
The report mentions the risk of escalation in responding to cyber attacks—a key worry of the Obama administration. But contrary to the passive cyber security policies of President Obama, the task force warned that inaction in response to cyber attacks leads to further attacks.
Escalation and loss of intelligence sources are a concern, "but not responding carries near-certainty of suffering otherwise deterrable attacks in the future," the report said.
The task force said the current cyber deterrence campaign "has been largely reactive and not effective."
As part of cyber deterrence, the United States must take steps to harden critical infrastructure, with electrical, water, and waste water systems as urgent priorities.
The task force dismissed the idea of cyber arms control agreements with Russia or China as "not viable."
"Due to the nature of cyber systems and attack tools, the verification of cyber arms control limitations would not be feasible," the report said.
Cyber attacks on military systems could result in guns, missiles, and bombs failing to fire, detonating in place, or being misdirected against U.S. troops. Additional cyber attacks during a future conflict could disrupt supply lines, navigation systems, and other warfighting tools.
The Pentagon should create cyber attack-resilient forces made up of submarines with land attack cruise missiles, bombers with long-range missiles and ground-penetrating bombs, and strong command, control, and communications systems.
Because of military and civilian reliance on electricity, the report urged the Pentagon to focus on protecting the electric grid against cyber attacks through collaboration with electric power companies.