June 05, 2025

New strategy for a new domain

By Alan W. Dowd
Landing Zone

A global surge in cyberattacks necessitates a U.S. cyber-defense doctrine – maybe even a military branch for cyberspace.

Cyberspace, that invisible, virtual domain on which so much of the visible, actual world depends, is a battleground where our enemies are not just threatening U.S. interests but attacking them.

“We are not going to deter the adversary with defenses only,” argues Katie Sutton, President Trump’s nominee for assistant secretary of defense for cyber policy. Sutton vows “to strengthen our offensive cyber capabilities to ensure the president has the options he needs to respond to this growing threat.”

The actions of our adversaries underscore the soundness of Sutton’s argument.

· China: According to IT security firm Mandiant, a force within the People’s Liberation Army known as Unit 61398 has stolen hundreds of terabytes of data from 141 companies. (One terabyte equals about 83.3 million pages of text.) The Office of the U.S. Trade Representative adds that China’s cyber-harvesting of U.S. intellectual property costs U.S. firms as much as $600 billion annually.

Those numbers explain why Gen. Keith Alexander, former commander of U.S. Cyber Command (CYBERCOM), has called China’s cyber-siege of the United States “the largest transfer of wealth in history.” 

Yet Beijing’s cyber-campaign against the United States extends far beyond industrial-scale theft.

In 2024, China’s Salt Typhoon operation “breached at least eight U.S. telecommunications providers,” according to a CSIS tally of cyberattacks.

China’s Volt Typhoon cyber-campaign has “targeted communications, energy, transportation, water, and wastewater systems in the U.S. and its territories,” according to published reports. For a time, Beijing pretended it had no role in Volt Typhoon. But in 2024, Beijing let it be known that it was indeed behind Volt Typhoon, doubtless to send a message to Washington.

Equally worrisome, China penetrated the Office of Personnel Management and compromised the personal data of 21.5 million Americans who have worked for or contracted with the federal government. U.S. officials describe it as “the most devastating cyberattack in our nation’s history.” Only the PRC knows how many Americans (members of Congress, cabinet officials, congressional aides, contractors) will be targeted, blackmailed or otherwise threatened with the information Beijing now possesses.

Beyond our shores, CSIS notes that China carries out 2.4 million daily attacks against government systems and telecommunications firms in Taiwan. CYBERCOM confirmed earlier this year that PRC malware had infected networks supporting allied militaries in Latin America.

· Russia: In 2022, Russian hackers tried to disable a dozen networks that support U.S. electricity and natural-gas providers.

In 2021 Colonial Pipeline, which administers the major fuel arteries serving much of the East Coast, was hit by ransomware from a group called DarkSide. CSIS points out that DarkSide is “a Russia-based entity” and that “no cyber-group operates there without Moscow’s knowledge.” Also in 2021, ransomware attacks targeted U.S. meatpacking giant JBS. The attack idled plants and sent meat prices skyrocketing. Again, a Russian hacking group was behind the operation.

In 2020, hackers working for Russian intelligence used a software update issued by IT management firm SolarWinds to infect 100 U.S. companies and a dozen U.S. government agencies with malware that enabled the hackers to gain access to customer data and network operations. Compromised organizations included Microsoft, Intel, Cisco, and the departments of Defense, Treasury, Justice and Energy.

In 2020 and 2021, cyberattacks targeting hospitals in Oregon, New York and Nevada, all emanating from a group tied to Russian intelligence, crippled their ability to deliver critical care.

In 2019, U.S. intelligence agencies informed Congress that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”

The Russian military’s Unit 29155 and other elements of the Russian military-intelligence apparatus are using cyberspace to strike NATO allies and partners such as Ukraine. CSIS reports Russia was responsible for 4,315 attacks against Ukrainian critical infrastructure in 2024 alone.

· North Korea: Early this year, North Korean hackers stole critical data from thousands of South Korean devices. In 2020, North Korea launched cyberattacks against U.S. companies conducting COVID-19 research. North Korea’s WannaCry cyberattacks triggered chaos in Britain’s hospital system. And Pyongyang’s DarkSeoul attacks destroyed 32,000 computers at South Korean banks and broadcasting companies.

· Iran: In 2024, the U.S. government reported that Iran had hacked into the Trump campaign. In 2018, the United States revealed that Iranian cyberattacks had siphoned intellectual property from 144 U.S. universities and 36 U.S. companies. In 2012, Iran’s Shamoon computer virus destroyed 30,000 computers supporting the Saudi oil industry.

Response: The list is, quite literally, never-ending, which explains Sutton’s observation about the need “to strengthen our offensive cyber capabilities” in order “to respond to this growing threat.”

We know the United States has vast cyber capabilities, and there are indications the United States has used some of those capabilities to punch back.

Iran was the target of a sophisticated cyberoperation known as Olympic Games that began under the Bush administration and continued under the Obama administration. A key element of Olympic Games was the Stuxnet computer virus, the first cyberattack “used to effect physical destruction,” as former CIA director Gen. Michael Hayden has explained.

Ahead of the U.S. midterm elections in 2018, CYBERCOM blocked a Russia-based hacking army known as the Internet Research Agency from accessing the Internet.

Published reports indicate that U.S. assets have hacked into the operations of Chinese telecom firms Huawei and ZTE.

In 2022, CYBERCOM conducted “offensive” and “defensive” “information operations” in support of Ukraine, as then-CYBERCOM commander Gen. Paul Nakasone cryptically reported.

In 2018, CYBERCOM began forward-deploying its Cyber National Mission Force (CNMF) to assist partner nations under cyberattack, fortify allied networks and expose adversary cyber operations. In 2023, as C4ISRNet reports, these “hunt-forward missions … totaled 22 deployments, with some happening simultaneously across the world.” CNMF assets are known to have partnered with Ukraine, Albania, Latvia, Estonia, Croatia, Lithuania, Montenegro and North Macedonia.

Finally, U.S. and British media report that U.S. cyber-forces have scanned the Russian energy grid and implanted code capable of crippling Russia’s energy infrastructure at a time of Washington’s choosing.

Strategy: Offensive cyber operations like these have the capacity not only to disrupt cyberattacks that are underway, but also to dissuade future cyberattacks.

Policymakers could strengthen the hand of those charged with defending America’s digital networks, systems and infrastructure, and strengthen the security of all those who depend on cyberspace for our way of life, by pursuing a three-pronged strategy.

First, the civilized world needs to develop, define and defend norms of behavior in cyberspace. Toward that end, the United States could lead an international effort to set rules of the road for this new domain. Signatories to such a compact might agree to forswear cyberattacks against critical infrastructure on which the functions of everyday life depend, including water-pumping and water-treatment facilities, food-processing facilities, and energy-related systems; to police, prevent and punish prohibited cyber activity within their borders; and to pool technological and economic resources to assist in cyber resilience.

Given the actions and capabilities described above, it may seem fanciful that certain governments would agree to such an accord. To be sure, it seems unlikely that cyberwarfare would ever be renounced entirely. But perhaps it can be curtailed or at least contained. Recall that the United States has helped the world draw the line at certain technologies: it halted development of the neutron bomb, agreed to forswear use of chemical weapons, and renounced biological warfare “for the sake of all mankind.”

In other words, American leadership can get the ball rolling in the right direction.

Of course, treaties are only as good as the character of the governments that sign them. That brings us to the second part of the three-pronged strategy: Washington needs to articulate a cyber-defense doctrine that clarifies where America stands, what America won’t tolerate and how America might respond to cyberattacks that violate the rules of the road.

“Our failure to articulate a doctrine, to set out cyber norms … has meant in many ways those near-peer adversaries have felt it has been open season on attacking our country (and) stealing our intellectual property with very little fear of repercussion,” as Sen. Mark Warner, D-Va., has observed.

The template for a cyber-defense doctrine might be Trump’s 2017 warning about attacks on U.S. space assets: “Any harmful interference with, or an attack upon, critical components of our space architecture that directly affects this vital U.S. interest,” he warned, “will be met with a deliberate response at a time, place, manner and domain of our choosing.”

A similar statement about America’s assets and interests in cyberspace would assist warfighters in their deterrence mission. It might sound something like this: “Any use of cyberspace to interfere with, disable or attack U.S. critical infrastructure including systems that support the delivery, storage or supply of water, food or medical care; systems that support the delivery, storage or supply of energy; systems that support financial or banking activities; and systems that support military operations, military communications, or military command and control will be considered a hostile act and will be met with a deliberate response in a time, place, manner and domain of America’s choosing.”

Finally, we come to the third element of the strategy: To ensure effective execution of such a doctrine (and its offensive, defensive, dissuasive and deterrent elements), policymakers should move toward standing up an independent military branch focused on defending America’s swath of cyberspace. Just as the Air Force focuses on defending U.S. interests and assets in the skies, just as the Space Force focuses on defending U.S. interests and assets in space, a Cyber Force could focus on defending U.S. interests and assets in this new domain.

This isn’t some off-the-wall idea. Germany is in the process of creating a military branch for cyberspace. Defense experts here in the United States have outlined how a cyber-focused branch would operate. And military officials and civilian policymakers are exploring the idea.

Standing up a branch wholly dedicated to defending cyberspace and deterring America’s enemies in cyberspace makes sense. After all, our economy depends on cyberspace, just as it depends on the oceans and skies and space. And in each of those domains, the United States has a military branch taking the lead in defending the national interest.

Alan W. Dowd serves as director of the Sagamore Institute Center for America's Purpose. Any opinions expressed in this article are strictly his own.