The task of attribution is also very difficult. The skills required to create a cyber weapon are the same as those that can make an attack nearly impossible to trace. Cyber operations are asymmetric in that the build-up to a confrontation may be undetectable, and once it has occurred, it could be impossible to determine its origin.
In cyber warfare, attacks occur at nearly the speed of light. You get little warning or time to react. The initial strike is likely to eliminate any effective defense, counter attack, or human response; only an automated defense would work quickly enough to have any effect.
Additionally, the viable lifespan of a kinetic weapon can be years, while a particular cyber weapon is only useful as long as the vulnerability in the target system remains in place. Once “patched,” the weapon becomes useless, at least on that target. So, again, the situation is asymmetric. Cyber weapons must be developed in secret and are in essence a “one-use-only” kind of weapon. Their mere existence is a carefully guarded secret. It’s hard to defend against a weapon you have not seen in action, nor been warned of the vulnerability that it is intended to exploit.
The actors in a cyber conflict need not be the usual nation-state groups, and even if they are, the build-up and execution of an attack would be difficult to detect. This form of combat is accessible to many potential adversaries—including those who have no kinetic capabilities. The combatant who dominates the kinetic arena does not necessarily do so in the cyber domain, and without the latter, it’s not clear who has the advantage. In short, the introduction of cyber capabilities to a conflict can render nearly any situation an asymmetric one.
What does all this mean for the United States? Are we in a perilous position with respect to our cyber capabilities? We belong to an elite group regarding our ability to initiate offensive capabilities. However, we are vulnerable when it comes to defense: If we are attacked first, the asymmetric nature of cyber warfare could limit our ability to prevail.
Why? Because the United States depends more heavily on network-centric systems—military, economic, personal—than do most other countries. We rely on networks for banking, electricity, air and rail travel, consumer goods distribution, communications, and defense command and control. A cyber attack on the United States would have devastating effects.
What’s to be done? We need to educate and develop a new generation of cyber warriors—experts who are much better at navigating the cyber battlefield than anyone else. We can’t know who will initiate the next major cyber attack or what it will be. But it will come. When it does, we’ll all be asking the same thing: How did this happen, and who’s going to “take care of it”? We need to educate the people who can tip the balance of the asymmetric nature of cyber warfare in our favor—and give them the tools and authority to do it. And we need it right now.