Was it Beyonce who knocked out the lights at the Super Bowl, or was it the Chinese?
No, not a crazy question. Chinese hackers can and do invade U.S. companies and secure installations these days, without fear of reprisal or even (often) discovery. Such events have made headlines of late, as numerous news organizations have been attacked, including The New York Times and the Wall Street Journal. In a recent editorial, the Journal made no bones about the Chinese government – and not some free-range geeks—being behind the incursions. If Beijing wanted to embarrass the United States, how better than to disrupt our annual junk food, er, football extravaganza?
China’s e-belligerence is all the more frightening since it was none other than Defense Secretary Leon Panetta who spoke so alarmingly of a possible “cyber-Pearl Harbor” just a few months ago. He warned in October that “an aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches.”
Mr. Panetta’s speech came in response to stepped up attacks on U.S. financial institutions, as well as on the state oil companies of Saudi Arabia and Qatar. He warned that foreign cyber actors are probing our critical infrastructure, creating “tools to attack these systems and cause panic and destruction and even the loss of life.” His comments were also intended to drum up support for a comprehensive bill, like the Cybersecurity Act of 2012, which failed to pass Congress. So urgent was the need to regulate information sharing and establish liability limits, according to Panetta, that the president might issue an executive order if Congress failed to do its job.
Industry insiders say President Obama will indeed unleash that mighty executive sword on cyber crime – soon after the State of the Union address. Only instead of Excalibur, expect something in the way of a pen knife. Mr. Obama will apparently call for several changes in the way we manage and respond to cyber attacks, some of which were embedded in the failed bill.
Sadly, most who have considered the likely proposals – like Lawrence Ponemon, whose eponymous firm consults on and researches cyber security -- say the likely fixes “may make us feel good as a country but they won’t have much impact.” That reasonable skepticism is fed in part by the federal government’s repeated failures to protect even its own operations. (Among other agencies, the CIA, the Department of Defense, the Department of Commerce, the Department of Homeland Security and the National Nuclear Security Administration have been hacked, leading to the theft of secure information and widespread disruptions.)
Larry Clinton, president of the Internet Security Alliance, says that early on the White House issued a thoughtful Cyberspace Policy Review laying out a roadmap for public-private sector cooperation along the lines his trade group advocates. Later, the administration shifted course, imbuing the failed bill with more onerous regulation. The problem with top-down rule-making, as Ponemon points out, is that “standards we come up with today will be obsolete within six months. The bad guys are not controlled by compliance demands.”
Mr. Obama will likely ask executive branch agencies like the Department of Energy to assess their ability to monitor cyber crime in their existing sphere of influence, will ask other federal agencies to encourage the adoption of best practices in their domains, and will demand better information sharing.
Mr. Clinton says that while we do need to strengthen existing authority over executive branch agencies, no new rules are needed. Our electricity grid, for instance, which has long been viewed as vulnerable (think Super Bowl), is already regulated. However, Mr. Clinton says, those in charge are doing a poor job dealing with multi-tiered authority which is further complicated by overlapping federal and state mandates.
Both Clinton and Ponemon insist that ultimately companies will ramp up protections in their own self-interest. Though cost is an impediment, customers will demand greater security. In fact, Ponemon advocates for one new regulation – requiring companies to publicize security breaches – that could hasten the process.
The president’s proposals sound small beans – like using a bb gun to repel a missile barrage. Most Americans are not undone by finding out that their health records have been hacked or credit cards misused; as unpleasant as such events are, they are almost daily fare today. But we are alarmed when our leaders suggest that our gas pipelines or airplanes could be hijacked just for the sport of it; it is scary to realize how vulnerable our systems are.
This is government turf. The U.S.-China Business Council, which represents some 230 companies doing business in China, has just called for the governments of the two countries to jointly address cyber crime. They worry that the growing problem will undermine trade (and their bottom line). In fact, it is that giant trade relation which should be our greatest protection against e-invasions.
U.S. imports from China exceeded $400 billion last year for the first time; our exports to that country were about $110 billion. Beijing, desperate to create growth and jobs necessary to maintain social stability, will protect that revenue source at all costs. Our government has successfully pursued trade violations against China--why don’t we demand that the Chinese crack down on hacking? If Beijing supports the continued theft of intellectual property and classified information, as well as other cyber crimes, they must be told there is a price to pay.
Unfortunately, we have wobbled on this front. Hilary Clinton, remarked during a visit last September, “Both the United States and China are victims of cyber attacks” – an inappropriate equating of the two players that was astonishing and let China off the hook.
In one of his few cogent responses to the Senate Armed Services Committee, Defense nominee Chuck Hagel said, “Cyber represents as big a threat to this country as any significant threat…Cyber is an area I'd focus on as defense secretary." Indeed, it has recently been announced that the military’s Cyber Command is slated for a major expansion – from a workforce of 900 to 4,000. The timetable for the build-up is uncertain, as is the ability of the government to attract and train high-level computer wizards. Nonetheless, the intent is encouraging.
Let us hope that incoming Secretary of State John Kerry also understands the gravity of cyber invasion – and his vital role in disarming that threat.