The United States gains tremendous economic, social, and military advantages from cyberspace. However, our pursuit of these advantages has created extensive dependencies on highly vulnerable information technologies and industrial control systems. As a result, U.S. national security is at unacceptable and growing risk.

Over the past several years, the United States has been subjected to cyber attacks and costly cyber intrusions by various actors, including the four most cyber-capable adversary states identified by the Director of National Intelligence (DNI) in 2016.1 For example:

During 2012–2013, Iran conducted distributed denial of services attacks on Wall Street firms, disrupting operations and imposing tens of millions of dollars in remediation and cyber hardening costs.

In 2014, North Korea hacked Sony Pictures in an effort to suppress the release of a movie depicting a plot to assassinate North Korean leader Kim Jong Un, causing direct and indirect financial damage in the process.

For at least 10 years, China conducted a massive cyber theft of U.S. firms’ intellectual property (IP); since President Xi Jingping committed in September 2015 that China would not undertake such theft, reportedly Chinese cyber IP theft has reduced but not stopped.

In 2016, Russia hacked into several U.S. institutions and used the resulting stolen information to attempt to undermine voter confidence and affect the outcome of the U.S. presidential election.

Non-state actors, though generally less capable than nation-states, also have conducted cyber attacks. A recent example is the October 2016 distributed denial of service attacks on the internet domain name system (DNS) provider Dyn, for which the hacker groups Anonymous and New World Hackers claimed responsibility.

Each of the above examples stands out from the constant barrage of cyber intrusions that occur in the United States and globally on a daily basis, including those conducted by nations as part of their cyber espionage programs. Such actions qualify as cyber “attacks” (Iran’s Distributed Denial-of-Service Attack (DDoS) and North Korea’s Sony hack) or costly cyber intrusions (China’s intellectual property (IP) theft and Russia’s hack of political parties to facilitate information operations) because their impact goes beyond data collection, to impose some form of harm on the United States.

Of critical importance, known cyber attacks on the United States to date do not represent the “high end” threats that could be conducted by U.S. adversaries today – let alone the much more daunting threats of cyber attack that the Nation will face in coming years as adversary capabilities continue to grow rapidly. A large-scale cyber attack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water. Thus far, we have only seen the virtual tip of the cyber attack iceberg.

DSB Report on Cyber Deterrence (PDF Report)