Technology and computer science are developing dramatically. It is hard to find something that is not related to computers directly or indirectly. Billions of mobile phones and computers are being used by people all around the world. This invisible web, in which all devices are connected to each other, is an irreplaceable part of our lives.

Cyberspace and Cyber Attacks

Cyberspace can be defined as all computer systems and networks in existence, including air-gapped systems (Kello, 2013). Cyberspace offers many benefits in such a massively connected world, but those benefits can easily turn into weapons of war and crime as states try to gain power, which might lead to conflicts.

We have been living on Earth, our lovely planet, for millions of years. Throughout this time, although all humanity needs peace, it is difficult to think of a period when everyone was at peace. If we can’t share our planet, expecting to share cyberspace in peace is not realistic. As expected, millions of cyberattacks occur daily. A cyberattack refers to the use of code to harm or stop others’ computer systems for political or strategic purposes (Kello, 2013). Even though the word attack may remind us of killing or harming people, the aim of cyberattacks is not to kill directly or to cause physical explosions. Now that states have realized cyberattacks can be as effective as wars in damaging other countries’ economies and slowing their progress, cyberspace seems a new place for countries to show their abilities. Humanity has suffered millions of deaths in wars and, though hazardous, cyberattacks don’t kill anyone.

Although cyberattacks are associated with computers, they can have huge effects on a nation. There are two types of cyberattack effects: direct and indirect. Indirect attacks aim to capture or take control slowly, without urgency. Direct effects are about causing critical damage by blocking or breaking down vital computer systems. For both types, every state must be careful to protect its policy and nation, because one missed threat may cause enormous damage to a state’s situation, such as its economy. Threats in cyberspace are increasing on a daily basis. Securing cyberspace, where everyone can be affected and attacked anonymously, is extremely challenging.

The definition of war is changing, which means cyberspace is becoming the next battlefield. The low cost of cyberattacks and their high success rate mean every state can be on the list of the world’s most powerful countries. Small states, especially, can affect the world if they have power in cyberspace. This situation leads to the question: Who needs a gun when you have a keyboard? On the other hand, the United States of America, still a world superpower, has a big influence in cyberspace even though it is vulnerable. Being a superpower automatically creates enemies even if the superpower state does not provoke. For this reason, it is not a surprise that the U.S. is one of the most attacked countries.

U.S. Vulnerability: Developed Economy

It is impossible to ignore computer systems in modern economies. In this information age, everything is related to a computer at some point. If computer systems fail, everything related to computers becomes vulnerable, including whole sectors of the economy (Cashell, 2004). Finance, transportation, aviation, manufacturing and many assets would crash, even vital public services such as hospitals and the military. This effect of computers on the economy increases daily because computers are becoming more interconnected with our lives.

Developing cyberspace comes with its dangers: cyberattacks for economic damage. Since cyberattacks are easier and more rewarding than physical attacks, they are unlikely to halt. Although attacks and threat techniques are investigated through law and intelligence collection, identifying an attack’s origin is quite problematic. Cyberattack targets are usually high-value targets, so economic targets are among the most attacked. Thus, not only must businesses that use computer systems be careful about cyberattacks; so must the government. A cyberattack might cause huge economic loss.

Threats might come from both states and non-state actors. Most states deny that they are related to attacks or the situation even when culpable. Both the U.S. and the attacker state know the attack’s origins, but this can’t be said officially. This is an advantage for the attacker and a disadvantage for those who are being attacked. For this reason, cyberspace is full of surprises. State threats to the U.S. derive from conflicts between countries, as a response. However, there are numerous non-state threats to the U.S. as well. Those non-state threats might be individual companies or institutions that are hired by governments so that the government appears unrelated to the threats. Additionally, non-state actors’ purposes cannot be predicted or easily identified.

The U.S. economy is a free market economy where consumers are the dominant force, and manufacturing depends on what consumers want. In this kind of economic system, even though the government is not supposed to interfere with the economy, the U.S. government is responsible for some regulation, such as establishing law and order, defining rules of property, setting market standards and creating a labor force. The U.S. economy is based mostly on the private sector, which is the engine of its economic dominance. For states that want to harm the U.S. economy, it is preferable to attack the private sector rather than U.S. national and military systems, because attacking a superpower’s national and military systems might cause more harm. Thus, threats are not only aimed at government systems; they may also target the private sector.

There are many kinds of attacks that aim at economic loss. The loss of intellectual property, the loss of sensitive business information, damage caused by hacking, cyber espionage and information theft are all part of it. Since technology is changing and developing so fast, the way threats arrive is also changing and evolving according to vulnerabilities. Even if public and private targets that have high value and a critical role in the economy have priority for attackers seeking to harm the economy, less effective targets can be attacked to spread disinformation and propaganda. However, according to the Council of Economic Advisers, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 (The Cost of Malicious Cyber Activity to the U.S. Economy, February 2018). Cyberattacks against high-value sectors could be highly damaging to the U.S. economy. Recovering systems and making them more secure costs as much as the damage from a cyberattack. If we add up all the costs, the economic loss can be measured in hundreds of billions of dollars.

When a company undergoes a cyberattack, it affects the company’s future as well as its current situation. For example, there was a data breach at Equifax in 2017. Over 140 million personal data records were stolen, including names, addresses, and social security numbers. After the data breach was revealed and Equifax announced that over 140 million personal data records were stolen from the company, its share price declined by 13.7 percent over the course of the following trading day and the CEO of the company resigned (The Cost of Malicious Cyber Activity to the U.S. Economy, February 2018). The breach put the company’s whole business model at risk. While the government took action to investigate the breach, the company’s stock value decreased dramatically. Furthermore, uncertainty about the company’s future made investors think twice about making new investments, and the company’s future has been affected negatively. It is clear that cyberattacks can also have a huge effect on a company’s stock price. According to the Council of Economic Advisers, firms on average lost about 0.8 percent of their market value in the seven days following a cyberattack (The Cost of Malicious Cyber Activity to the U.S. Economy, February 2018). This is a big loss for the U.S. economy.

In another example, Sony Pictures Entertainment was affected by cyberattacks in November 2014. Over 100 terabytes of information were stolen, including employees’ sensitive information and unreleased movies. It was the largest-scale destructive attack made against a private company at that time. After an investigation into where the attack came from, investigators attributed the attack to North Korean hackers. A group that claimed to be responsible for the massive computer hack at Sony Pictures Entertainment demanded the company cancel the release of “The Interview,” a film comedy that depicts an assassination plot against North Korea’s leader (Richwine and Finkle, 2014). The movie was released on online platforms instead of in theaters. The estimated damage for Sony was $41 million, but one article notes as follows: “But there are a lot more costs to come. In addition to expenses for investigation of the attack, IT repairs, and lost movie profits, Sony faces litigation blaming it for poor cybersecurity that exposed employees’ private information” (Elkind, 2015). The White House took this attack as a security issue. The attack had a big impact on the relationship between the U.S. and North Korea and influenced U.S. cybersecurity policy (The Cost of Malicious Cyber Activity to the U.S. Economy, February 2018).

Every attack, whether on a public or private target, aims at the U.S. economy because it affects employees, customers and anyone who interacts with the target. Thus, the U.S. government supports improving cybersecurity and regulations. The government conducts research on the development of cybersecurity to make systems secure in order to protect the economy. One of the most important steps that can be taken by the government is making laws for cybersecurity. However, this is not only the government’s duty. The private sector is as responsible as the government. Since most of the attacks target the private sector, the private sector has been developing cybersecurity tools with the support of the government and giving much more importance to cybersecurity. As cyberspace expands and many players are either joining or developing, the number of cyberattacks has been increasing. The U.S. government and private sector are making efforts to keep their economy safe.

Public-Private Cooperation

Cyberattacks target both the public and private sectors. They have impacts on national security, the economy, public services, etc. Politicians and cybersecurity experts have been aware of the threats of cyberspace since the internet’s early years. After suffering attacks on the public and private sectors, they realized that the threat is more dangerous than initially thought. Thus, the U.S. government has begun to develop national cyber-security strategies. Although public systems are vital for the U.S., the private sector has started to play a leading role in the security of cyberspace. Since many services such as transportation and finance have been privatized, these strategies are heavily reliant on public-private cooperation (Madeline Carr, 2016).

For over 20 years, public-private cooperation has been described as a cornerstone of U.S. national security. After the Cold War, the U.S. became one of the nations that took big steps in cyberspace and cyber-related matters. Since everything in life had started to be computerized, the government invested in internet technology. Investing in internet technology led it to realize that the private sector is a key factor and that government input for the private sector was important. The government believed that “only the private sector has the skills and abilities to manage the complex process of developing new technologies and bringing them to market, while … [the] government plays a vital role in enabling the private sector’s efforts.” (NSTC Committee, 1996).

While public-private cooperation is being developed, there are still conflicts about what cooperation means. No one seems to take responsibility for such an immense national security issue, as neither the private sector nor politicians represent the public. For example, liability for national security remains an unclear point for cooperation. The U.S. is trying to overcome all unclear points in order to perfect cooperation. Despite such unclear points, the U.S. is one of the top nations able to maintain and secure public-private relationships with other countries in the world. However, the private sector has a big place in all areas, such as software, hardware, manufacturing, and research. The private sector in the U.S. is not only a big player for the U.S., but also for the world, because there are many tech companies as powerful as some states, and they sometimes have better resources to pinpoint, stop and respond to threats.

The main expectation of cooperation in the public-private partnership is to share information and prevent bureaucracy whenever possible. In 2010, the U.S. government published a report to clarify the cooperation of the public and private sectors and to determine which expectations were being met (Madeline Carr, 2016). There are obstacles to sharing information in both sectors. One reason is that the private sector is unable to share information as soon as an attack is detected, because it cannot distinguish between a technical problem, a low-level attack or a sustained attack. Private companies also face obstacles, as they might think that sharing information may cause a loss of customers’ trust or that selling information would be better than sharing it. The government is creating a new law to compel private companies to share information and vice versa.

The private sector has an important, and sometimes unsolicited, role in national security when it comes to sharing information. These roles have at least three levels: passive defense, attribution of cyber-attacks, and hack-back and other “active cyber defense” activities (Karine Bannelier, 2017). Passive defense aims at data protection, which is supported by private law and institutions. For this purpose, the private sector is developing software and security tools such as firewalls and anti-theft systems, as well as helping customers see what is going on in their own networks to detect vulnerabilities. Attribution of cyberattacks is another important issue for private actors. Big tech companies such as Google, Facebook, Yahoo, and Microsoft have developed security systems that notify users when suspected attacks are detected. Furthermore, cybersecurity companies provide huge help and support to protect the U.S. from cyber-espionage and data theft. The third issue is active cyber defense. Private companies have a leading role in active defense for national security, since they also have a leading role in being attacked.

The public and private sectors can’t be considered separately, and cooperation between them has increased rapidly. In order to make the U.S. more secure, the public and private sectors must stand together. This is easier said than done. Despite the U.S. improving its cybersecurity cooperation, there are conflicts and weaknesses in the partnership which should be discussed between the sectors. Although there are many problems, it is important to remember that public-private cooperation is the cornerstone of U.S. national security. As long as the U.S. keeps a balance in this sensitive relationship, it will always have the advantage in preventing damage to critical infrastructure. Acknowledging those facts is an essential part of national security (Karine Bannelier, 2017).

U.S. Cyber Strategy

On February 14th, 2003 the White House published the National Strategy to Secure Cyberspace. It was the first national effort to focus on cybersecurity. In this paper, three strategic objectives were highlighted: “prevent cyber attacks against America’s critical infrastructures, reduce national vulnerability to cyberattacks and minimize damage and recovery time from cyberattacks that do occur” (the National Strategy to Secure Cyberspace, 2003). After realizing the power of cyberspace, the U.S. government and military took essential steps to accomplish these three strategic objectives. The government provided new norms and laws and supported the private sector in playing a role. The U.S. military established cyber forces as a new force alongside the air force, navy and army.

Why would the U.S. need a military cyber force instead of using the private sector? Would a military cyber force be effective and sufficient? After a cyber force was established in the U.S. military, such questions started to arise. However, this world superpower has three main reasons for its uniformed cyber forces. The reasons are integration into full-spectrum operations, authority to operate in cyberspace, and deployability (Christopher Paul, 2014). This military organization has grown and new military organizations have been established. Now there are U.S. Army Cyber Command, the 24th Air Force, the Navy’s Fleet Cyber Command, and Marine Forces Cyber Command.

“Army Cyber Command provides a unity of command and effort in the synchronization of over 21,000 militaries, civilian and contract personnel responsible for Global Information Grid Operations; Defensive Cyberspace Operations; and, when directed, Offensive Cyberspace Operations. Army Cyber Command provides Full Spectrum Cyberspace Operations and Intelligence support to U.S. Cyber Command (USCYBERCOM) and in support of Army equities.” (U.S. Army, 2011)

The United States’ Department of Defense (DoD) is the institution responsible for protecting the U.S. homeland, including from cyberattacks. As one of the most important institutions, the DoD sets five strategic goals for its cyberspace missions:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability (The DoD Cyber Strategy)

Threats to the U.S. are growing in cyberspace. State and non-state players are trying to attack the U.S. with advanced technology and tools for diverse purposes in order to exploit U.S. vulnerabilities. Since the U.S. published its first cyber strategy, the strategy has changed due to the fast-changing environment and needs. The government has taken great steps but must continue to do so.

Conclusion

We live in the digital age, where everything is connected via computer networks. Today, from banking and transportation to health care and the military, every single piece of information is on our computer systems, which in turn create cyberspace. Software and code blur the lines between the cyber and real worlds. There is no company that doesn’t use computer systems, and the same is true of militaries all around the world.

As a world superpower, the United States of America is one of the most vulnerable and attacked nations. Even though it is the father of the internet and cybernetics, there are several challenges in making the nation’s cyberspace secure. Moreover, U.S. vulnerability comes from its open, secure and reliable internet network, as its core value requires freedom of expression. Thus, the U.S. economy is highly related to the internet and cyberspace. Companies, individuals, and the government can be affected by malicious cyberattacks. The U.S. is very vulnerable due to its developed economy. That same economy is also the engine of its power and dominance. It’s a fascinating paradox.

Public and private cooperation is playing a big role in U.S. security. That’s why the U.S. government is collaborating closely with the private sector to strengthen ties. Relying on the private sector is the key element and cornerstone of U.S. national security. The U.S. positions itself to cooperate as strongly as possible with the private sector. It is very clear that cooperation between the public and private sectors is key to security, especially in terms of cyberspace.

From a broad security perspective, the U.S. has made the effort to create a responsible cyber strategy that is able to provide safety. This is not only about government; it is also about the public-private partnership, educating personnel, etc. As Lewis mentioned, “The most important implications of these changes for cyber security may well be that national policies must adjust to growing interdependence among economies and emphasize the need for cooperation among nations to defeat cyber threats.”

References

  • Kello. 2013. The meaning of the cyber revolution. International Security. Vol. 38, Nr. 2, pp. 7-40
  • Cashell B., Jackson W., Jickling M., Webel B., 2004, The Economic Impact of Cyber-Attacks
  • Richwine, L. and J. Finkle. 2014. “Group claiming Sony hack demands ‘Interview’ not be released.” https://www.reuters.com/article/us-sony-cybersecurity-hackers/group-claiming-sony-hack-demands-interview-not-be-released-idUSKBN0JM2IS20141209.
  • Elkind, P. 2015. “The Cyber Bomb is Detonated.” http://fortune.com/sony-hack-final-part/.
  • Carr M., 2016, Public-private partnerships in national cyber-security strategies
  • Technology in the National Interest (Washington DC: NSTC Committee on Civilian Industrial Technology, 1996), p. 42, cited in Stiglitz and Wallsten, ‘Public-private technology partnerships’, p. 63.
  • Karine BANNELIER and Théodore CHRISTAKIS, Cyber-Attacks - Prevention-Reactions: The Role of States and Private Actors, Les Cahiers de la Revue Défense Nationale, Paris, 2017.
  • National Strategy to Secure Cyberspace, 2003
  • Paul C., 2014, Lessons for U.S. Cyber Forces from U.S. Special Operations Command Acquisitions
  • The Cost of Malicious Cyber Activity to the U.S. Economy, The Council of Economic Advisers, February 2018
  • The economic impact of cybercrime and cyber espionage, Center for Strategic and International Studies, July 2013
  • DOD, Department of Defense Cyber Strategy (Washington, DC: Office of the Secretary of Defense, April 2015).
  • Gabi Siboni and David Siman-Tov, Cyberspace Extortion: North Korea versus the United States, INSS Insight No. 646, December 23, 2014.

Fatih DURUKAN
