The challenge in securing critical information
One decade ago, Cyber Command was born as a sub-unified command of U.S. Strategic Command with the mission of securing critical Defense Department networks from adversary incursion. Its creation codified a recognition that malign actors seeking to access, control, and exploit our information systems constituted a core national security threat and heralded a new domain of warfare: cyberspace. Cyber Command’s foundational charge to “ensure U.S./Allied freedom of action in cyberspace” is as vital today as it was 10 years ago. But the next 10 years will require U.S. cyber policy to confront a new challenge: to secure not only critical networks, but critical information — about everything and all of us.
The internet of things and future of connected devices promise an explosion of personal information to the tune of 175 zettabytes of connected data by 2025. As our homes, cars, appliances, wearables and factories come online, members of the connected population will have a data-producing interaction once every 18 seconds. Data generated by these interactions is already being used by internet companies for tremendous economic gain from targeted advertising-based business models.
Advancements in artificial intelligence and quantum information science are enabling those who control it to process this abundant information into valuable economic insights and military capabilities. As such, data is becoming an increasingly important geopolitical resource, recognized by world leaders from Angela Merkel to Shinzo Abe. In the United States, this data lacks robust security.
That’s risky, because our authoritarian competitors have recognized and acted on data’s value. Russia views information and artificial intelligence as essential to winning cyber wars as it undermines democratic regimes across Europe and in the United States with targeted disinformation campaigns. China has imposed a strict cost of doing business in-country on foreign companies in the form of data localization; its law requires all data collected in China be stored there. At the same time, China has invested heavily in data-rich industries in the United States.
Between 2000 and 2017, Chinese investment in the U.S. biotechnology industry totalled $3.8 billion. At least some of this investment has yielded access to health data, a sector estimated to constitute 40 percent of the world’s datasphere in 2025. The economic advantages of data access are reason enough for cybersecurity attention. But the potential biowarfare applications — personalized bioweapons targeted to attack precise individuals or groups with specific genetic markers — are frightening.
The explosion of unsecured personal information is also a counterintelligence problem. Take, for example, the U.S. Treasury Department’s Committee on Foreign Investment in the United States’ decision requiring the Chinese owners of the dating app Grindr to divest on national security grounds: The personal information available could compromise assets. A common cybersecurity trope is that our largest vulnerability is human. In the near-future, those who would exploit that vulnerability will have zettabytes more weapons in their arsenals.
Additionally, as machine learning systems rely on data for training, the ability to spoof or subtly alter training data presents a new attack vector. A future unmanned underwater vehicle or F-35’s augmented reality helmet with a world picture that is ever so slightly off due to altered training data could render data completely ineffective in conflict.
Lastly, information dominance is also about who controls information and internet infrastructure. Decisions on Huawei’s place in European 5G networks may be the most consequential in cybersecurity of the next decade. An authoritarian-controlled global information environment could make possible the oft-feared “cyber Pearl Harbor” event.
The United States and its like-minded allies should take legislative and policy steps now to protect our critical information for the next decade and beyond.
First, Congress should pass cybersecurity legislation for IoT devices. For example, The Internet of Things Cybersecurity Improvement Act of 2019, which the Senate will consider, requires all government-purchased devices adhere to minimum cybersecurity standards set by the National Institute of Standards and Technology. A step like this is long overdue. Second, as U.S. policymakers consider data frameworks including European landmark privacy legislation, the General Data Protection Regulation, they should understand data governance in the context of national security and geopolitical competition. Specifically, they should demand robust data protection and transparency on foreign access to data-rich industries. Cybersecurity professionals must be part of the data privacy conversation. Where possible, Cyber Command should endeavour to share best practices. Lastly, the government should monitor the health of telecom industry players in our own and like-minded countries, and act if necessary to ensure they remain competitive internationally.
In many ways, Cyber Command’s origins in U.S. Strategic Command reflect the enduring and increasing strategic value of information. We need a future cyber policy that reflects this strategic importance. Without it, we will struggle to maintain “freedom of action” and geopolitical competitiveness in a new era where critical information becomes essential critical infrastructure.
Lindsay Gorman is the fellow for emerging technologies at the Alliance for Securing Democracy.