Cybersecurity is a hot topic this month. President Obama highlighted the issue during his State of the Union address, saying,
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
In response to this threat, Obama further indicated that he signed an executive order designed to “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy,” but emphasized that Congress still needs to do more to “give our government a greater capacity to secure our networks and deter attacks” (NYT).
A recent Bloomberg article offers a better understanding of the executive order, while addressing the political barriers blocking effective cybersecurity legislation. Essentially, the order requires the federal government to “develop voluntary cybersecurity standards for companies operating the nation’s vital infrastructure.” As mentioned in his address, “information sharing” also plays an important role in combating emerging cyber threats. According to Bloomberg, “the order expands a government program for sharing classified threat data with defense contractors and Internet-service providers to include infrastructure owners and the companies that provide them with network security.” With regard to cyber legislation pushed by both the House and Senate, the political objections are predictable – conservatives consider strict compliance standards “burdensome regulation,” while the left expresses unease with companies potentially sharing customers’ personal data with the government.
The executive order’s focus on protecting critical infrastructure comes as companies reported a significant increase in attacks on their computer systems, up 52 percent in 2012, according to the US Department of Homeland Security. At the forefront of this aggressive campaign is China. The New York Times article, “Chinese Army Unit Is Seen as Tied to Hacking Against US,” reviews the findings of Mandiant, an American computer security firm responsible for linking a series of cyberattacks to one group based in Shanghai, known as “Comment Crew.” Based on Mandiant’s analysis, as well as the recent National Intelligence Estimate’s findings, Comment Crew is likely a state-sponsored group whose aim is to not only steal sensitive information for economic gain, but to obtain access to critical infrastructure in the US, as well. As The New York Times reveals, one company targeted by the group had “remote access to more than 60 percent of oil and gas pipelines in North America.”
China’s increased focus on American infrastructure raises the question – why? Greg Austin, director of policy innovation at the EastWest Institute, suggests that if a war broke out between China and Taiwan, and the US intervened, then the Chinese could retaliate by targeting American infrastructure (NYT).
Richard Andres explores this concept of state-sponsored cyber-militias in “Cyber-Gang Warfare”. These autonomous militias, Andres argues, allow states to “deflect responsibility for attacks originating directly or indirectly from the state sponsor,” essentially complicating the victim’s ability to attribute an attack to a specific entity. He notes that states also benefit tremendously from stealing intellectual property, and, as evidence, cites the theft of American F-35 design plans, which eventually led to the development of the Chinese J-31 stealth fighter, a replica of the American model.
Andres also emphasizes how cyberwarfare places states on an equal playing field. Referencing the recent Iranian attacks on US banks, he notes that they have the “potential to inflict much greater costs than the Iranian military could extract in a conventional war.” Furthermore, Andres warns that these attacks send a worrisome message to other states, because they demonstrate how to inflict damage without fear of reprisal.
Aside from threats posed by states and the cyber-militias they support, NPR recently featured a story on the dangers of flawed computer software. To a hacker, the glitch acts as a “potential back door into the computer network”; unfortunately, demand for this information is on the rise, and researchers frequently sell secrets no questions asked, reports NPR. One “vulnerability seller” explained, “I don’t see bad guys or good guys, it’s just business.” This mentality grants states or cyber criminals a chance to inflict significant damage, especially given the absence of regulation on the vulnerability market.
In combating cyber threats, experts offer a range of options. Most often, companies are encouraged to improve their cyber defense capabilities, but some in the private sector are adopting offensive tactics in hopes of deterring and disrupting criminal activity. Former top FBI cyber-attorney Steven Chabinsky advocates this approach, saying, “There is no way we are going to win the cybersecurity effort on defense. We have to go on the offensive.” This approach, however, is met with some skepticism, prompting concerns that this tactic amounts to vigilante justice.
Richard Clarke, chairman of Good Harbor Security Risk Management and former special advisor for cybersecurity during the George W. Bush administration, highlights significant gaps in international cyberdefense policy, and presents a variety of remedies in his op-ed for The Washington Post. For Clarke, international cooperation is a vital component in combating transnational threats; in the cyber realm, he advocates creating an international cybercrime center capable of deploying “fly-away teams” to conduct investigations and help countries suffering from cyberattacks. He also encourages norm-building, focusing first on areas of joint concern. Since nations worldwide have an economic stake in secure global markets and financial institutions, Clarke recommends that cooperation begin on this front. Similarly, he advocates protecting the infrastructure that supports cyberspace.
Cyber threats won’t dissipate anytime soon, especially as states and non-state actors view cyberspace as an arena placing them on par with global superpowers. For the US, effectively confronting threats should start at home – first by pushing Congress to pass legislation with teeth. It’s also important that this legislation be timely and flexible, written in such a way as to keep pace with rapidly changing technologies. Though politically sensitive, requiring private companies to improve their cyber defense capabilities in order to better safeguard data, intellectual property, and customers’ private information is critical. As Obama’s new executive order establishes, the private sector won’t manage risks alone, but will work closely with the federal government to pinpoint vulnerabilities, identify perpetrators, and eliminate threats altogether. Time is critical, though, and another day wasted on political bickering is yet another opportunity for states to steal valuable secrets, or even target critical American infrastructure.
Please note that the views expressed in this piece do not represent the official policy or position of the National Defense University, the Department of Defense, or the U.S. government.