Cyberwar to Kinetic War: 2020 Election and the Possibility of Cyber-Attack on Critical Infrastructure on the United States
Jonathan F. Lancelot
The current possibility of the United States walking into a trap of a kinetic war is exceptionally likely, given the conditions that will be enumerated here, and the historical pattern of the US reacting to surprise attacks with the force of a giant rudely awakened from a deep slumber is not ahistorical. The Election of 2016 was a sure indicator of one phase of election manipulation. The plan of a full-scale cyber-attack targeting critical infrastructure and other systems that are essential for domestic peace is a real threat. Joseph Marks from the Washington Post states "officials from the FBI, Department of Homeland Security, and US Secret Service are working with police in Arlington, Virginia, to game out how to respond if hackers from Russia or elsewhere in 2020 disrupt electricity at polling place places, shut down streetlights, or hijack radio and TV Stations to suppress voter turnout and raise doubts about election results". The Department of Homeland Security, nonetheless, might not be prepared to mitigate a large-scale cyberwar attack, which would go beyond polling places, streetlights, radio, and TV stations. Regional electrical grids, telecommunications, and waterworks are compelling targets for adversaries wanting to plant discord domestically, and it would also invite the US into a kinetic war, which would be an expected reaction to civilian injuries and death from subsequent cyber-attacks. Ted Koppel, in his book 'Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath' states, "it would be comforting to report that those agencies charged with responding to disaster are adequately prepared to deal with the consequences of a cyberattack on the grid. They are not. The Department of Homeland Security has no plans beyond those designed to deal with the aftermath of natural disasters". The facts do not lend itself to a plan of public safety as a means to aid millions of Americans stranded in cities like New York City or Miami.
Correspondingly, the complications the public would face in the aftermath of a successful attack on one of the electrical grids within the US would go beyond the cities and into small towns. American society's dependence on critical infrastructure is a pain point an adversary would look to create disorder, fear, and violence. It is no secret that with profound political, economic and social divisions, homegrown terrorism, externalities from dysfunctional political parties, and vibrant gun cultures, social collapse is all but guaranteed. Consequently, a lack of a robust cyber-defense policy on the part of the Presidency and Congress is a self-inflicted wound.
The Cybersecurity industry is in a state of chaos, despite an increase in investment into a sector that need workers to fill vacancies. The problem is the shortage is partly caused by companies looking for candidates that don't exist. Companies are looking for people who have a college education and proper certifications, yet both are extremely expensive. Most institutions of higher education are equipping graduates with degrees yet negate certifications, and most cybersecurity companies are not willing to pay for certification of otherwise talented prospects. On top of this disjointed defense, the US Federal Government has not developed an effective accelerated program to get civilians trained and certified en masse to establish a good defense of our critical systems, digital assets, and national security. The Department of Homeland Security has a program to train current cybersecurity professionals within the Cybersecurity and Infrastructure Security Agency (CISA), yet it does not go as far as needed for today’s challenges. The only candidates who are currently qualified to receive job offers from cybersecurity companies are individuals coming out of the military, and there is not enough of them to fill the workforce gap. William Crumpler from the Center of Strategic and International Studies states “the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions”. This is another self-inflicted wound in our collective defense.
The Presidency and the US Congress is currently unable to handle the task of integrating cybersecurity into a holistic US foreign policy strategy, and the political collapse of both the republican and democratic parties are at the center of the failure. As the Trump Administration continues to lose control and credibility, and Congress is trudging into the process of impeachment proceedings, there is little to no chance of developing a national cyber-defense strategy on time for the 2020 Election period. In the age of cyber-realpolitik, where virtual areas of cyberspace are a means to warfare, critical infrastructure is a strategic weak spot for democratic governments. The Global Commission on the Stability of Cyberspace proposed in their final report 'Advancing Cyberstability' international norms prohibiting nation-states from engaging in cyber-attacks on critical infrastructure of another nation-state, including electoral infrastructure. The Global Commission on the Stability of Cyberspace states "a nation-state should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use or operation of critical infrastructure to provide service to the public". Despite efforts to establish a prohibition on critical infrastructure attacks internationally, any weakness in cyberdefense would be a tempting invite.
The best technique in mitigating a surprise cyberattack on critical infrastructure during the 2020 election period is to call it out in the media, during speeches to the public, and as a public diplomacy initiative. Civil servants, educators, and journalists should not be quiet or blind to the possibility, which would result in a general public that would not only be in the dark, they would be in clear danger. Next, for the US to have a robust civilian cyberdefense workforce in place, companies who are in the market for cybersecurity professionals should consider paying for new employee’s certification tests as they are require for employment, and on-the-job training from day one should be implemented to streamline filling requisitions to meet the need. Requiring all civilians to pay for college and certifications independently is not realistic. Lastly, we need a US Senate that will not stop bills that are designed to develop a national cybersecurity policy regarding defending critical infrastructure or stop bills designed to protect our elections from interference from cyberattack, or manipulation from shadowy third parties. If steps are not taken to make the possibility of a cyberattack on our democratic process next year a public conversation, then we have indeed failed the republic we have sworn to protect.