Since the hacking of the New York Times, the Wall Street Journal, the Washington Post, etc., and the Mandiant revelations about China’s PLA Unit 61398, the media and Internet have exploded with talk of our reaching a “tipping point” in cybersecurity (or not, depending on the point of view). We’re, in fact, long past the “tipping point”: what Mandiant had to say about Chinese hacking was actually old news to those who follow things cyber.
As has been the case in the past, there seem to be three camps on the issue of cybersecurity: “the-sky-is-falling” or “cyber-Pearl-Harbor” camp, the “overblown-threat” camp, and the camp worried about the cyberdefense threat to privacy rights. Well, maybe there’s four. We can’t forget the ridiculous advocacy of international “rules of the game” for cyberspace, which was recently argued by Zbigniew Brzezinski in the Financial Times. All four are running in circles, and there seems to be nothing much new from any of them. President Obama issued his cybersecurity executive order on February 12, but there’s little novelty in it. It has elicited few comments beyond “not enough, too preliminary” and “a worrisome expansion of government right-to-prying-on-citizens.”
Also little commented upon was Eric Holder’s announcement (on February 20) of the administration’s creation of the Trade Secret Protection Strategy to deal with infringement on property rights and theft of commercial secrets. Again, there was too little there to elicit either enthusiastic or unenthusiastic comment.
The problem with all of this chatter is that it remains at the problem stage with regard to cybersecurity and doesn’t do anything to advance solutions, beyond acquiescing, after too long a time, to the notion that the only cyberdefense is cyberoffense (no particulars mentioned). In part, it’s because most commentators think of cybersecurity as almost entirely a technical matter, that cyberspace is unique because it’s nowhere in particular, and that defense ought to be possible given U.S. talents and means. The attitude, generally, is that we haven’t seen anything like this before, the laws of war don’t cover it, etc. Some are even still pondering the motives of the major cyber players, as an almost laughable recent piece in the New York Times suggests. What difference does it make why, say, the Chinese did this or that? That they did it and what can be done about it is the important thing.
However, the latest government expression of cyber threat—a 138-page study by the Defense Science Board—appears to show some progress is occurring somewhere. First, it holds that Pentagon cyberdefenses are “fragmented” and therefore weak. Second, it proposes to “pool” the nation’s cyber defenses to do something about it; and, third, it proposes that we figure out how to commit preemptive cyber attacks and to figure out how “the cyberattacks could be combined with conventional attacks at sea and in space.”
In a way, this is nothing new at first appearance: the Defense Science Board study really just begs for policy parameters for cybersecurity, that is to say, guidelines to cyberoffense. However, it does go part of the way to where we need to be, inasmuch as it relates cybersecurity to action in the real world (even unto nuclear reprisals, incidentally). It implies that the United States has to be able to project the threat of force in the cyberrealm the way it would on the ground, at sea, in the air, and in space. This brings us to the only sensible way to think about cybersecurity, which is in the realm of traditional national defense. Therewith, our thinking needs to be political, which is to say a matter of what our specific international interests and objectives are.