With the Ukrainian resistance bogging down Vladimir Putin’s Red Army, Russia may turn more frequently to its cyberwarfare capabilities to inflict pain on Ukraine and the West. The Biden administration has explicitly warned U.S. companies of potential ransomware attacks in retaliation for sanctions imposed on Russia, and American officials and pundits alike have used the term “Digital Pearl Harbor” to describe the potential danger. The United States is vulnerable to rapidly expanding cyber threats from Russia and a host of other adversaries. Without dramatic action, a cyber catastrophe is nearly inevitable—whether it happens now or in the future.
While the U.S. has maintained its primacy in conventional warfare capabilities, cyberspace has offered aspiring competitors, smaller authoritarian regimes and non-state actors an opportunity to level the playing field. China, Russia, Iran and North Korea have distinguished themselves as the “big four” bad actors, using cyber tools to strengthen their military, intelligence services and police—and, unlike the U.S., these four also leverage cyber technology to support commercial activities. Their targets have ranged from U.S. elections and government personnel data to critical infrastructure and digital supply chains, receiving outsized returns on their investment in offensive cyber capabilities.
Yet while the cyber threat landscape has dramatically expanded, the U.S. response has been inadequate, both in terms of national organization and technical capabilities.
Much like the WWII-era Manhattan Project, which ensured the U.S. won the race to nuclear weapons, we should confront our current, dangerous moment by launching a “Cyber Manhattan Project” to make revolutionary leaps ahead in cyberspace, understanding that complete technical overmatch against our adversaries is the surest path to deterring bad actors.
So how can this be done? We need to harden our defenses by being smarter about how we deploy our current capabilities, while rapidly building for the future.
Assigning major responsibility for defense against cyberattacks to the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), while well intentioned, has proven insufficient. With some exceptions, it is widely understood within the cyber community that CISA simply does not have the technical expertise to execute its mission, while some of the world’s top cyber talent works in the National Security Agency (NSA) and U.S. Cyber Command (CYBERCOM). Splitting the nation’s defensive cybersecurity (DHS/CISA) from its offensive cyber operations (NSA/CYBERCOM), only makes us more vulnerable. America does not maintain separate militaries for defense and offense, for good reason.
But cyberspace poses unique challenges because of the good and appropriate laws barring NSA and CYBERCOM from operating domestically. This is why former defense secretary and CIA director Robert Gates has long been calling for “a ‘dual hat’ senior DHS officer who would also serve as a deputy NSA director with the authority to task the NSA in real time to defend against cyberattacks.” While not a perfect solution, this would go a long way toward ensuring we have our best players on the field in times of crisis.
But it’s also important to remember that the best defense is a good offense. This is why NSA and CYBERCOM have adopted a “defend forward” strategy based on a doctrine of “persistent engagement”—constantly engaging with adversaries in cyberspace, testing, adapting and disrupting.
While the details of offensive cyber operations are closely held, NSA and CYBERCOM have proven adept at taking our adversaries offline prior to attacks, including in the lead-up to elections. DHS is not in the offensive warfare business, either by statute or by culture. Cyber “incident reporting”—in which private-sector entities alert and receive support from the government in the wake of cyber attacks—has been a major focus of DHS in recent years. This is a positive and important effort, but it is also analogous to counting the number of missiles that hit us after an attack. We need to focus on stopping attacks from happening in the first place by increasing our focus on preemptive cyber strikes and preemptive fixes.
Looking toward the future, it’s time to dramatically increase our investments. If the Department of Defense can mount a $15 billion, multi-year program for hypersonic missiles—which are important but relatively unlikely to be used—it can and should also prioritize spending on cyberwarfare, which is a persistent and daily threat. The White House has proposed just shy of $11 billion for cybersecurity in its 2023 budget proposal. But without structural changes to how the nation approaches its cyber capabilities, a large chunk of that money is unlikely to have the desired impact. We should prioritize spending on quantum computing and artificial intelligence—investments that could help solve one of the greatest challenges we’re facing: the talent crunch.
Ultimately, talent will be the primary variable in whether the United States can confront the threats in cyberspace. One major result of the original Manhattan Project was an infrastructure of skilled experts at Federally Funded Research and Development Centers like Los Alamos, Lawrence Livermore and Sandia Labs. A successful Cyber Manhattan Project would build a similar infrastructure by supporting smaller boutique firms, where much of the cyber innovation is happening today.
While the U.S. government may never be able to compete for talent with Silicon Valley when it comes to pay, it can take steps to stop bleeding the talent it does have. We should expand the ability for top talent to stay on in a reservist-type program, allowing individuals to pursue private-sector opportunities while retaining their ability to serve. We should make it easier to serve by offering a range of options to protect and defend our nation, from full-time service to reservist work to allowing mid-career professionals to enter federal service at a level commensurate with their private-sector standing.
But we must also be honest with ourselves about the challenges facing us in working with the tech industry. A lot has changed in Silicon Valley since William Draper—who had served as a second lieutenant in the Korean War and later served in numerous senior government roles—founded its first venture capital firms. Today, most people in Silicon Valley not only did not serve in the military, they don’t know anyone else who did either, and most emissaries from Washington are viewed with suspicion and consternation.
Conversely, people in the Pentagon don’t understand the Valley’s ethos. As Stanford University’s Amy Zegart recently stated, “Government agencies want technological capabilities from the Valley that they don’t have, and Silicon Valley companies have [national security] responsibilities that they don’t want.” Closing this gap will require some serious bridge-building, but there are thousands of cyber experts across the United States who will thrive with the sense of purpose that comes with defending our way of life from adversaries around the world. Our ability to dominate the battlefield of the future depends on them.
John Ratcliffe served as the sixth U.S. Director of National Intelligence. Abraham Wagner is a cybersecurity expert who has served in a number of positions within the U.S. Government. He has taught in this area at Columbia University and chaired the cybersecurity group on the Trump-Pence transition team.
The views expressed in this article are the writers’ own.