Editor’s Note: Colonel Cedric Leighton is a CNN military analyst who served 26 years as a US Air Force intelligence officer. His last military assignment was as the National Security Agency’s Deputy Director for Training. VJ Viswanathan is a cybersecurity executive with 20 years of technology & risk management experience. Leighton and Viswanathan are the co-founders of CYFORIX, a national defense and cybersecurity research advisory firm to Fortune 500 companies. The views expressed in this commentary are their own.

(CNN) —  

Ever wonder who might see the data from your Fitbit? It turns out it could be just about anybody – and that has the Pentagon worried. Twenty-year-old Australian college student Nathan Ruser analyzed a heat map produced by data aggregator Strava, and what he found shows just how vulnerable troops deployed to hostile areas could be.

But that vulnerability has much broader implications for the future of warfare. In fact, Russia and China are already acting on strategies that will leverage heat maps and other aspects of what we’re now calling our “digital dust” in order to enhance their military power.

Colonel Cedric Leighton
Colonel Cedric Leighton

VJ Viswanathan
PHOTO: VJ Viswanathan
VJ Viswanathan

So how does it all work? Strava aggregates data from any GPS-enabled device, such as Fitbits, Garmins and cellphones so they can “connect the world’s athletes” on their own social media platform. At first glance, the Strava Labs heat map looks like a nighttime satellite image of Earth. Vibrant light emanates from rich areas like Europe, the United States, Japan and South Korea. Darkness envelops unpopulated or poorer areas like much of Africa, the Canadian Arctic, Tibet and North Korea. Closer inspection, however, reveals that people are transmitting data from even some of the darkest corners of the world.

That might not be a big deal if you’re a solitary tourist in the Amazon, but if you’re a soldier conducting sensitive operations while using these GPS-enabled devices, you have just compromised your mission. Just as Nathan Ruser or Strava can track you, so can hostile intelligence services – and they can do so with great precision, down to specific individuals.

Russia has already done this. According to the Wall Street Journal, they’ve targeted the smartphones of a US battalion commander, his staff and his NATO counterparts while they were deployed to Eastern Poland. They’ve also conducted similar operations in Eastern Ukraine against Ukrainian forces. These operations are the tactical manifestations of a much larger effort by Russia to conduct hybrid warfare against the United States and its allies – melding conventional military power with special operations, economic coercion, political influence operations (like inserting “fake news” into social media feeds and finding compromising material, or Kompromat, on leading political figures) and cyber attacks.

Hybrid warfare is being conducted by both China and Russia on a global scale. While the Chinese are a bit more subtle in their approach, the Russians are going gangbusters. Today one must consider them to be the foremost practitioner of true hybrid warfare.

It is challenges such as these that forced the United States to develop a new national defense strategy. Promoted by Defense Secretary James Mattis earlier this month, this strategy marks an important change in our combat posture – it de-emphasizes the war on terror and highlights the return of high stakes competition between nation-states. Yet we return to the “great game,” as Kipling called it, with a twist: This time, the new defense strategy will have to enlist not just the military and the government, but businesses and everyday citizens in the effort to keep our country safe.

The new strategy correctly recognizes that both China and Russia want to challenge US preeminence around the world. In fact, the National Security Strategy (from which National Defense Strategy is derived) calls these nations “revisionist powers.” While not yet strong enough to challenge the United States using a direct battle, both nations are asserting themselves in innovative ways, developing unique forms of hybrid warfare in the process. Adversaries using data from soldiers’ Fitbits or cellphones is just one example of what could happen in a hybrid warfare scenario.

Like their Chinese counterparts, the Russians are not confining their efforts to military and economic alliances, or to the governments that are a party to them. In fact, they are leveraging new technologies, like artificial intelligence and social media platforms to conduct their hybrid warfare campaigns.

From a macro perspective, the National Defense Strategy recognizes that both Russia and China will do everything they can to level the playing field with the United States. For that reason alone, the United States must out-innovate and out-perform its nearest rivals. This won’t be easy. In Russia, with the support of President Vladimir Putin, efforts are underway to harness the power of AI, not only for legitimate scientific research, but also to create new and destabilizing weapons in both the physical battlespace as well as in cyberspace.

In the cyber realm, we are seeing new and dangerous forms of malware that, when unleashed, could make all previous cyber attacks seem like child’s play. One such attack is being dubbed “Muddy Water.” It sends authentic-looking documents, some purporting to come from US intelligence agencies or cybersecurity firms, to targets, and infects their systems when recipients access the fake documents.

Get our free weekly newsletter

America’s rivals are leveraging malware, binding it to Kompromat and deliberately planting fake news stories in an effort to destabilize the United States, its allies and the alliances that bind them together. While the National Defense Strategy recognizes significant changes in the global dynamic, it does not go far enough to call out these new and persistent threats to our way of life.

For this strategy to work, we must work together to help stem data leaks from Fitbits and other devices. We also must develop a deeper understanding of the threats that bind public sector to private sector, intelligence and law enforcement agency to social media platforms and our citizens to each other.

It’s now two minutes to midnight. Let’s hope it’s not too little, too late, for all our sakes.