Since the hacking of the New York Times, the Wall Street Journal, the Washington Post, etc., and the Mandiant revelations about China’s PLA Unit 61398, the media and Internet have exploded with talk of our reaching a “tipping point” in cybersecurity (or not, depending on the point of view). We’re, in fact, long past the “tipping point”: what Mandiant had to say about Chinese hacking was actually old news to those who follow things cyber.
As has been the case in the past, there seem to be three camps on the issue of cybersecurity: the “the-sky-is-falling” or “cyber-Pearl-Harbor” camp, the “overblown-threat” camp, and the camp worried about the cyberdefense threat to privacy rights. Well, maybe there’s four. We can’t forget the ridiculous advocacy of international “rules of the game” for cyberspace, which was recently argued by Zbigniew Brzezinski in the Financial Times. All four are running in circles, and there seems to be nothing much new from any of them. President Obama issued his cybersecurity executive order on February 12, but there’s little novelty in it. It has elicited few comments beyond “not enough, too preliminary” and “a worrisome expansion of government right-to-prying-on-citizens.”
Also little commented upon was Eric Holder’s announcement (on February 20) of the administration’s creation of the Trade Secret Protection Strategy to deal with infringement on property rights and theft of commercial secrets. Again, there was too little there to elicit either enthusiastic or unenthusiastic comment.
The problem with all of this chatter is that it remains at the problem stage with regard to cybersecurity and doesn’t do anything to advance solutions, beyond acquiescing, after too long a time, to the notion that the only cyberdefense is cyberoffense (no particulars mentioned). In part, it’s because most commentators think of cybersecurity as almost entirely a technical matter, that cyberspace is unique because it’s nowhere in particular, and that defense ought to be possible given U.S. talents and means. The attitude, generally, is that we haven’t seen anything like this before, the laws of war don’t cover it, etc. Some are even still pondering the motives of the major cyber players, as an almost laughable recent piece in the New York Times suggests. What difference does it make why, say, the Chinese did this or that? That they did it and what can be done about it is the important thing.
However, the latest government expression of cyber threat—a 138-page study by the Defense Science Board—appears to show some progress is occurring somewhere. First, it holds that Pentagon cyberdefenses are “fragmented” and therefore weak. Second, it proposes to “pool” the nation’s cyberdefenses to do something about it; and, third, it proposes that we figure out how to commit preemptive cyberattacks and how “the cyberattacks could be combined with conventional attacks at sea and in space.”
In a way, this is nothing new at first appearance: the Defense Science Board study really just begs for policy parameters for cybersecurity, that is to say, guidelines for cyberoffense. However, it does go part of the way to where we need to be, inasmuch as it relates cybersecurity to action in the real world (even unto nuclear reprisals, incidentally). It implies that the United States has to be able to project the threat of force in the cyberrealm the way it would on the ground, at sea, in the air, and in space. This brings us to the only sensible way to think about cybersecurity, which is in the realm of traditional national defense. Therewith, our thinking needs to be political, which is to say a matter of what our specific international interests and objectives are.
If we don’t know where exactly we want things to come out between, for example, the United States and China in a strategic sense, we’re hamstrung in meeting cyberthreats from China. Chinese cyberespionage is another dimension of our strategic competition with China. That competition is proceeding on multiple real-world fronts: in the production, buying and selling of goods, to be sure, but also in China’s tension with our Asian allies in the South China Sea, growing Chinese influence in Africa and the Caribbean, Chinese accommodation of Iran, Syria, North Korea, etc. On the presumption that we would necessarily want to meet or deter aggression with regard to those things that exist in real space, we need to make clear what actions would be unacceptable and attempt to deter them.
Accordingly, in the cyberespionage realm, we need to let the Chinese know what will happen to their trade with us if cyberespionage has illegally put our commercial sector at a disadvantage. Many fear a trade war between the United States and China, but legal actions and other credible threats on our part need not lead there if properly crafted (or, indeed, if some of them are undertaken secretly). We need to stipulate, as well, that hacking into critical infrastructure (for whatever reason) or Pentagon networks will result in real-world consequences. Tit for tat: you do it to us via cyber, we’ll surely do it to you. And if we can’t, we’ll find a “noncyber” way to do it.
Defense-related cybersecurity is most important because of our military’s dependence on information networks. In seeking technological advantage that is second-to-none, we have created vulnerabilities in overdependence on the role that command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) play in our conduct of war. Although we want to protect the advantage that has given us, the response to any outside interference with it need not be limited to responses in kind (although we have and should use that capability). There are also economic and political responses and—dare we say it?—“kinetic” military responses that can be employed.
As with many “techniques” in prosecuting foreign policy, good cybersecurity can only be as good as general policy. As long as we remain only reactive to political, terrorist, economic, and other threats—and give the appearance of decline and withdrawal from the world—our worry about and timid actions regarding cyberthreats will only be taken as evidence that we mean to do nothing. This is as true in the cyber area as it is in any other realm of national security. No doubt Obama’s executive order on cybersecurity conveyed much aid and comfort to those perpetrating cyberattacks against us.
Our timid response to what’s going on in the rest of the world explains why we are well behind the curve in meeting cyberthreats in general. We were ahead of the curve in introducing the Iranian nuclear program to the affections of Stuxnet. That was a resolute political choice we made. The question to be asked is why we have avoided looking for appropriate political responses to other threats, such as those from Iran to our banking system and Chinese intrusions into our commercial, infrastructural, and defense sectors. Shutting off centrifuges is easier than stopping the theft of intellectual property and trade secrets, to be sure. However, if we continue to look at intellectual property theft, disruptive attacks on our financial markets, and daily hacking into Pentagon bureaus as unworthy of our rapt attention and concerted action, we will never meet the threat.
Ken Jensen is associate director of the American Center for Democracy for its Economic Warfare Institute.