What to Do About Cybersecurity?
9:07 AM, Mar 8, 2013 • By KEN JENSEN
If we don’t know where exactly we want things to come out between, for example, the United States and China in a strategic sense, we’re hamstrung in meeting cyberthreats from China. Chinese cyberespionage is another dimension of our strategic competition with China. That competition is proceeding on multiple real-world fronts: in the production, buying and selling of goods, to be sure, but also in China’s tension with our Asian allies in the South China Sea, growing Chinese influence in Africa and the Caribbean, Chinese accommodation of Iran, Syria, North Korea, etc. On the presumption that we would necessarily want to meet or deter aggression with regard to those things that exist in real space, we need to make clear what actions would be unacceptable and attempt to deter them.
Accordingly, in the cyberespionage realm, we need to let the Chinese know what will happen to their trade with us if cyberespionage has illegally put our commercial sector at a disadvantage. Many fear a trade war between the United States and China, but legal actions and other credible threats on our part need not lead there if properly crafted (or, indeed, if some of them are undertaken secretly). We need to stipulate, as well, that hacking into critical infrastructure (for whatever reason) or Pentagon networks will result in real-world consequences. Tit for tat: you do it to us via cyber, we’ll surely do it to you. And if we can’t, we’ll find a “noncyber” way to do it.
Defense-related cybersecurity is most important because of our military’s dependence on information networks. In seeking technological advantage that is second-to-none, we have created vulnerabilities in overdependence on the role that command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) play in our conduct of war. Although we want to protect the advantage that has given us, the response to any outside interference with it need not be limited to responses in kind (although we have and should use that capability). There are also economic and political responses and—dare we say it?—“kinetic” military responses that can be employed.
As with many “techniques” in prosecuting foreign policy, good cybersecurity can only be as good as general policy. As long as we remain only reactive to political, terrorist, economic, and other threats—and give the appearance of decline and withdrawal from the world—our worry about and timid actions regarding cyberthreats will only be taken as evidence that we mean to do nothing. This is as true in the cyber area as it is in any other realm of national security. No doubt Obama’s executive order on cybersecurity conveyed much aid and comfort to those perpetrating cyberattacks against us.
Our timid response to what’s going on in the rest of the world explains why we are well behind the curve in meeting cyberthreats in general. We were ahead of the curve in introducing the Iranian nuclear program to the affections of Stuxnet. That was a resolute political choice we made. The question to be asked is why have we avoided looking for appropriate political responses to other threats, such as those from Iran to our banking system and Chinese intrusions into our commercial, infrastructural, and defense sectors. Shutting off centrifuges is easier than stopping the theft of intellectual property and trade secrets, to be sure. However, if we continue to look at intellectual property theft, disruptive attacks on our financial markets, and daily hacking into Pentagon bureaus as unworthy of our rapt attention and concerted action, we will never meet the threat.
Ken Jensen is associate director of the American Center for Democracy for its Economic Warfare Institute.
Recent Blog Posts