America’s Digital Achilles’ Heel

For all its tremendous benefits, digital technology carries innumerable downsides. Cellphones enable location tracking that erodes privacy. Data can be manipulated and destroyed. Mechanical systems can be hijacked by a malicious actor who finds chinks in their digital armor. But these technologies have become essential components of day-to-day life and continue to boost economic growth, increase productivity, and allow access to information at an unprecedented scale. Societies must wrestle with the devilish bargain they have struck; they rely on digital capabilities that leave them extremely vulnerable to attacks.

Nowhere are these risks more apparent and more dangerous than in war. Modern armies, including that of the United States, depend on digital capabilities in almost everything they do. The work of navigation, command and control, logistics, intelligence, and targeting is all made possible by data that are collected, stored, and disseminated by a complex system of information technologies—data that, if commandeered and exploited, could wreak havoc on U.S. military operations. As states and organizations develop new digital warfare capabilities, each with more destructive potential than the last, the United States should work to insulate itself from such attacks—or risk inviting an assault that could leave the U.S. military dead in its tracks.

FLIES IN THE DIGITAL OINTMENT

Digital technologies have radically transformed warfare. In the 1970s, the advent of the microchip enabled precision-guided munitions. Two decades later, the Internet made it possible to link such “smart weapons,” creating networks of sensors and shooters that exponentially increased the speed and precision of warfare. This so-called information technology revolution promised to create significant advantages for states that adopted such systems.

The game-changing potential of digital warfare was demonstrated with stunning effect, for instance, by the United States in the 1990–91 Gulf War. The U.S. military’s use of smart weapons and coordinated strikes made possible by advanced communications systems helped it defeat Iraqi forces. Today, digitized warfare—once considered a burgeoning revolution in military capabilities—is how states compete and fight wars. Recent flare-ups between Armenia and Azerbaijan have heavily featured the use of drones; North Korea has engaged in cybertheft to evade sanctions; China has built a large program of digital espionage targeting the United States. And the United States has intensified its efforts to integrate electronic and information warfare with cyberwarfare capabilities on the battlefield.

The United States has no choice but to work to insulate itself from digital attacks.

But the same digital capabilities that have enabled such military advancements are susceptible to various kinds of attacks. Early warning satellites that are essential for any response to a nuclear launch could be duped or hijacked, potentially eroding the stability of nuclear deterrence—such chicanery could even lead countries to launch unprovoked strikes in response to fictitious threats. Preemptive electromagnetic assaults and cyberattacks could temporarily disable air defenses in advance of an actual nuclear strike. The digital technologies that societies and armies depend on can be undone with strikes on infrastructure such as transmitter stations, cables, and database facilities that are sitting targets for precision munitions and sabotage. And the reliance on high-tech components exposes all digital technologies to supply chain risks; states with large arsenals of smart munitions, for instance, depend on access to microchips for their weapons to work, but their militaries can be paralyzed if that supply dries up.

The reliance of countries on digital technology poses especially large risks when it comes to intelligence. Vast troves of sensitive information are stored, processed, and transmitted through digital means, creating valuable advantages for states that have invested in data collection and analysis. The United States showcased the enormous potential of digitally enabled intelligence collection during counterterrorism operations in Afghanistan and Iraq, using large repositories of digital imagery and cellphone and signals data to strike terrorist targets on the battlefield from thousands of miles away. But the 2015 network breach at the Office of Personnel Management—resulting in the theft of over 20 million records relating to the private information of U.S. federal employees, a gargantuan feat unthinkable in the analog spying world—laid bare the peril of poorly secured digital data storage. And these threats are just as much internal as they are external; in 2013, Edward Snowden, a midlevel contractor at a National Security Agency annex, used his privileged access to steal massive amounts of data, damaging the United States’ ability to collect information on certain targets undermining U.S. military and intelligence operations.   

Today, this tension between the necessity of technology and its concurrent risks is on full display in Ukraine, where efforts to gain the upper hand in digital warfare are shaping the physical conflict. Technologies including GPS-guided artillery, small drones, and civilian cellphone videos have given Ukraine an edge against a much larger Russian military force, allowing Kyiv to more accurately strike Russian targets. But Moscow’s assaults have revealed the fragility—and potential unreliability—of such technology: Russian cyberattacks on satellite communications can cut Ukrainian troops off from commanders; attacks that jam GPS systems blunt the effectiveness of smart artillery; and electromagnetic assaults destroy up to 5,000 small drones a month. Ukraine—and other countries that are seeking to transform their armed capabilities in line with the future of digital warfare—must find a way to make these systems less vulnerable.

NECESSARY TRADEOFFS

The United States has no choice but to work to insulate itself from digital attacks. Rejecting digital technologies wholesale in favor of analog ones is unrealistic and expensive. At the same time, no level of investment will guarantee absolute security; governments must accept that trying to strengthen digital capabilities could expose new vulnerabilities. Countries are currently making such tradeoffs with little guidance about how to manage and mitigate risks. 

For over a decade, the United States military has been engaged in a long-standing debate about how to build resilience in the face of digital threats. Some policymakers see investing in redundancy, especially for critical military capabilities, as the best way to achieve resilience. Others call for reducing risk through limiting or even banning foreign technology companies—especially ones from rival countries such as China—from the defense information and communications technology supply chain. Despite these high-profile pushes, however, Washington has made little progress in building resilient systems. The Government Accountability Office, a nonpartisan auditing agency, routinely publishes reports that document significant and persistent deficiencies in the military’s attention to digital vulnerabilities throughout the technology acquisitions process. Policymakers worry about the cybersecurity of critical weapons systems such as nuclear command and control or advanced fighter aircraft, for example, often after the system has been designed rather than at the outset of its development. But given that the United States and its partners have come to rely so heavily on technologies replete with vulnerabilities, it is past time for Washington to prioritize digital resilience.

The Defense Department is stuck in a digital no man’s land.

As policymakers—and particularly those in the U.S. Department of Defense—seek to build more resilient systems capable of withstanding digital attacks, they could learn something from those sectors that have already made significant advancements in digital security: those in highly regulated industries, such as financial services. The global financial sector, which is completely dependent on digital technology, would risk collapse if it were not resilient to digital attacks. In order to shore up their security, financial organizations have invested in insulating themselves from these threats while preparing for potentially catastrophic disruptive events, such as significant state-sponsored cyberattacks. Other forces in the private sector have encouraged such efforts: insurance companies have incentivized investments in security and resilience capabilities, and regulatory entities have threatened penalties for noncompliance with leading practices and requirements (exemplified, for instance, by the $80 million fine Capital One was forced to pay to a bank and regulator as the result of an extensive breach in 2019). As a result, the financial sector tends to have a strong track record of anticipating digital threats, evaluating vulnerabilities, and creating the means to respond and restore operations in the event of a disruption.  

Such work is difficult; even the most established firms in the financial services sector are just now reaching a point where they can effectively manage their digital assets and understand the weaknesses inherent in their digital infrastructure. The Department of Defense faces a steeper uphill battle. Its information technology modernization efforts lag far behind those of the most mature entities in the private sector. Its combination of old and new technology platforms interact in ways that can create unexpected vulnerabilities, with outdated software reliant on old Internet browsers, for instance, and a nuclear command and control reliant on floppy disks. And officials do not always have a complete window into the defense supply chain that underpins critical services, making it difficult to be sure of where their software and hardware may come from. The Defense Department, in short, is stuck in a digital no man’s land, as it relies on outdated digital technologies whose disadvantages far outweigh their advantages in terms of both effectiveness and resilience. The time to fix that discrepancy is now.

NO MORE LAGGING BEHIND

As great powers around the world invest more in their digital arsenals, modern militaries need to approach the protection of these new systems on a case-by-case basis. In some instances, the Defense Department will have to invest in expensive, potentially redundant technologies because the United States simply cannot afford for these systems to fail in a contingency. One clear area is the U.S. nuclear arsenal, which is undergoing a massive modernization effort. As policymakers upgrade aging systems, they must ensure that digital safety is a top priority—perhaps even by seriously considering the use of legacy technologies such as floppy disks that may be inefficient but are inherently secure because they are not widely produced and are therefore difficult for an adversary to sabotage or hack. There may be cases, on the other hand, in which digital capabilities are the resilient option; some cloud architectures, for instance, allow one cloud network to fail without causing major operational disruptions.

The task of building such resilience extends far beyond the battlefield. Disruptive global events—be they pandemics, climate disasters, or threats to democratic institutions—increasingly seem to be the norm rather than the exception. Policymakers can and should look beyond technology for ways to better defend the country against new, unexpected threats. Militaries, for instance, can improve their ability to withstand attacks by practicing, conducting stress tests, and incorporating lessons learned into future plans. Moreover, some disruptive events may prove too difficult, costly, or simply impossible to deter or defend against; these are the challenges in which resilience will be essential. Given these rising stakes, the United States must be prepared to accept some measure of risk—specifically, accepting that some disruptions are inevitable and that failures may occur in the short term. As new kinds of digital threats and warfare capabilities emerge, it is critical that the United States take resilience seriously—or it will find itself floored by attacks that its friends and rivals will be able to withstand.