How FBI copes with mounting threats

CALAMITY IN A KEYSTROKE

By George Will

Everyone lives in, and enjoys the myriad cultural and commercial benefits of, today’s connected world. Few think about how connectedness, which facilitates the flow of everything from information to bananas, comes with grave vulnerabilities: Computer keystrokes somewhere can cause physical damage and social chaos in distant elsewheres.

World War II’s bomber fleets could not do the instantaneous damage that cyberattacks could do today by, say, opening dams’ floodgates, closing pipelines, crippling power grids or water systems, turning off electricity to hospitals, or paralyzing the financial services industry. Most hospital and airport backup power capacities are designed to suffice for only about 48 hours. Welcome to Christopher A. Wray’s world of worries.

At daily morning meetings, heads of the FBI’s various divisions report on especially urgent developments. Director Wray said, “I can’t remember when the cyber-people said, ‘We’ve got nothing to report today.’” Cyberthreats, which Wray terms “diverse and constantly evolving,” absorb, he estimated, about half his time. And “every day,” FBI cyber-personnel — there are more than 1,000 across the country — respond to cyber-incidents.

Wray said that even if every FBI cyber-agent and intelligence analyst were focused exclusively on China, its hackers would still outnumber the FBI’s cyber-personnel at least 50 to 1. China’s hacking program is larger than those of every major nation — combined.

A plaque on the FBI’s Pennsylvania Avenue headquarters lists the agency’s eight priorities. Thwarting foreign cyberoperations — a threat landscape unimaginable in most of the FBI’s 116-year history — is listed second only to preventing terrorist attacks. Terrorism, however, can be conceptually indistinguishable from cyberattacks, an asymmetric weapon by which a weak nation can do what terrorism does: inflict random damage and sow panic.

Because cyberattacks can cause physical damage and social fraying, they are not easily distinguished from acts of war, although perhaps there are prudential reasons for drawing distinctions. Perhaps.

The blessings of life in the digital age are inseparable from dangerous potentialities. In 1995, a rogue trader at Barings Bank, then London’s oldest merchant bank (founded in 1762), inadvertently demonstrated how fragility can be an aspect of connectedness: He brought about his employer’s collapse with reckless keystrokes. Israel’s audacious ingenuity last month with Hezbollah’s exploding pagers and walkie-talkies demonstrated how connectedness can be weaponized.

Today’s threat to the U.S. economy from a dockworkers’ strike at East Coast and Gulf Coast ports suggests why national security officials worry about the ports’ cranes — most of them made in China — that load and unload container ships. The FBI and other agencies have experience coping with Chinese malware inserted into critical U.S. infrastructure in preparation for destabilizing attacks during a war. Having commerce interrupted by a strike is costly; having logistics for an Indo-Pacific war disrupted by disabled cranes would be catastrophic.

It is said that after a few days or weeks, most wars become tests of logistics. So, if cranes at U.S. ports can be taken offline by an enemy, attention must be paid. Additionally, the U.S. military must worry about “kamikaze” or “kidnapper” satellites, or other weapons that could seize or destroy the U.S. satellites on which many weapons systems depend. Now, add to the possible cascading calamities an attack on undersea cables.

Among state actors (criminal enterprises are another problem), Wray said serious threats come from today’s Axis of Disruption: China, Russia, Iran and even North Korea, which struggles to make butter or bread but has sophisticated hackers. In July, when a botched update from a cybersecurity firm caused the cancellation of about 7,200 flights, and impacted banks and other businesses, Americans got a tiny taste of what a deliberate cyberattack could cause.

Since the brief U.S. monopoly on nuclear weapons ended 75 years ago, strategic deterrence has depended on mutual assured destruction. Today, deterring cyberthreats requires mutual assured disruption. This version of MAD presumes that cyberattacks can be traced to their origins, and that the attacked party has the capacity and demonstrated resolve for proportionate retaliation.

Resolve without capacity is sterile, and vice versa. U.S. universities are producing bumper crops of computer science majors, most of whom are harvested by the private sector. Government salaries are a far cry from Silicon Valley’s. But Wray said the FBI’s national security mission makes the bureau competitive in the talent sweepstakes. His message to potential cyberwarriors is: “To go up against the best, work for the best.” It had better work.

George Will writes a column for the Washington Post. His email address is georgewill@washpost.com.