
  • A Necessary Contest: An Overview of U.S. Cyber Capabilities
  • James A. Lewis

The U.S. government began to worry about vulnerabilities in the cyber domain and to search for ways to reduce them more than twenty years ago. At the same time, in secret, it began developing and using offensive cyberoperations for military purposes while also ensuring that its intelligence agencies amended their collection activities to accommodate the arrival of the internet. The United States' major strategic opponents—Russia and China—at first lagged in developing these military capabilities but are now considered peers or near-peers in terms of their capabilities. Digital technologies and cyberspace have become a new and central domain of conflict among these powers and others. In this domain, however, the U.S. perspective on cybersecurity is somewhat outdated—still too close to its 1990s focus on protecting critical infrastructure and somehow deterring opponents—and no longer sufficient to manage national interests.1

Nonstate actors do not have the ability or interest to launch a truly destructive cyberattack. Although, according to European intelligence sources, some Russian-speaking criminal groups have greater cyber capabilities than all but a handful of states and could carry out disruptive attacks, they have little interest in actions that do not yield financial returns (or these proxy groups may be constrained by the Russian state from offering their services to third parties). Terrorist groups lack the expertise and, in most cases, the interest to launch cyberattacks. The most active groups, Hezbollah and Hamas, act largely as proxy forces for Iran. This makes cyber conflict the domain of nation states, something demonstrated by a simple review of public and nonpublic accounts of cyber actions. It is inaccurate to look solely at "cybersecurity," as if this activity occurred outside the larger sphere of military and diplomatic relationships.

This essay examines how U.S. cyber policy has evolved in response to the return of great-power competition and the development of offensive cyber capabilities by the United States and other countries. While the 2015 UN General Assembly called on all nations to observe norms and confidence-building measures to increase stability and reduce the chance for cyber conflict,2 the behavior of major powers in cyberspace is largely unchanged. Norms are defined by actions, and the United States is adopting a more active approach (both diplomatically and militarily) to advance its cybersecurity interests.

Starting with Critical Infrastructure

In thinking about cyber capabilities, a useful starting point is that almost all unclassified networks are vulnerable to persistent, well-financed, and skilled opponents. Pervasive vulnerability shapes cybersecurity. Cyber conflict participants take advantage of these vulnerabilities, in part because defense is still inadequate, and in part because of the lack of agreed rules for how cyber conflict should be conducted. The result is that cyberspace is largely an unconstrained field for conflict. A Russian or Chinese intelligence trawler would never dare sail into a U.S. port—and if it did, it would not go unchallenged—but the speed, ease of access, and relative covertness of cyberoperations mean that intrusions by cyberpowers occur almost on a daily basis, sometimes detected, sometimes not, and with the perpetrators often unconcerned when discovered.

The initial U.S. approach to cybersecurity was focused on protecting critical infrastructure from a cyberattack by nonstate actors.3 This was in many ways an error, as the greatest risks turned out to be from espionage, intellectual property theft, and financial crime.4 The number of cyberespionage and cybercrime incidents increased dramatically in the first decade after the commercialization of the internet, and it continues to grow. Cybersecurity policy at the time did not consider the risk of political manipulation that blended hacking and social media. In retrospect, the chance of a catastrophic cyberattack on critical infrastructure is remote and the locus of cyber conflict has moved elsewhere.5

This first generation of U.S. cyberdefense was somewhat ad hoc. Legal authorities were unclear or lacking, and there was a struggle among agencies over who would lead cyberdefense. For example, the Department of Homeland Security for many years after its creation was uncertain about its mission in cyberspace. Much...
