For several weeks, it has been difficult to open a newspaper or watch a Sunday talk show without hearing about the advent of “cyber war.” The media has been filled with an avalanche of cyber threat-related stories: the hacking of leading newspapers, evidence of Chinese government involvement in intellectual property theft, and now, further distributed denial of service attacks against U.S. banks. All these events present real and serious national security challenges. But cyber-espionage, cyber-crime and the malicious disruption of critical infrastructure are not the same as war, and the distinction is important.
The idea that America is in the middle of a “cyber war” isn't just lazy and wrong. It's dangerous. The war analogy implies the requirement for military response to cyber intrusions. America genuinely needs effective civilian government cyber defense organizations with strong relationships with the private sector and the active engagement of an informed general public. Creating and even promoting the fear of “cyber war” makes that more difficult. Here’s why:
First, while the U.S. fights its wars using the highly-trained professionals within the U.S. Armed Forces, defending against cyber threats does not necessarily require military expertise or prowess. True, most private individuals and corporations lack the knowledge and training needed to fight off attacks from elite Chinese, Iranian and Russian cyber “warriors.” As a result, there is and will continue to be a pressing need for highly qualified information security experts to help defend the larger U.S. cyber landscape. Nonetheless, there are relatively simple ways to make it more difficult for the bad guys without escalating to a “war” standing. In 2011, the Australian Defence Signals Directorate (their equivalent of the U.S. National Security Agency) showed that by taking just four key measures--“whitelisting” (i.e., allowing only authorized software to run on a computer or network), very rapid patching of applications and of operating system vulnerabilities, and restricting the number of people with administrator access to a system--85 percent of targeted intrusions can be prevented. These might appear more like prophylactic public health measures than warfare--and that’s the point. The United States does not need to declare “war” and call up the military to fend off cyber threats.
Second, people expect wars to end and when they drag on, often succumb to war fatigue. People want to believe that victory is achievable. Cyber security, however, is a mission without end. As a result, using the language of war may only serve to frustrate and mislead the public. The fight against cyber attacks will never achieve a definitive, all-encompassing, long-term victory. As more and different devices are connected to the Internet, the threat will continually evolve. While technological countermeasures will surely improve, cyber attacks will remain a very attractive means through which to coerce, defraud, and potentially even harm us as our lives grow ever more dependent on the Internet. The problem with ‘war’ terminology is that it may breed frustration and contempt, and eventually complacency and cynicism. The growing use of sensational terms like “electronic Pearl Harbor”--which in particular evokes a horrific event that ended the lives of 2402 sailors, airmen, and civilians--becomes as much a part of the problem as the solution. Better analogies (and public policy) are needed to ensure that the public comes to ‘own’ this cyber security challenge as part of their daily lives.
The third problem with the war analogy is that it legitimizes expedients, especially institutional ones. This goes to the core of the ongoing cyber legislation debate. An important point of difference between the advocates and opponents of the failed Senate Cybersecurity Act of 2012 was about the role that the National Security Agency (NSA) should play in information exchange with industry. And while the recently relaunched House Intelligence Committee’s Cyber Intelligence Sharing and Protection Act (CISPA) is carefully worded to acknowledge the centrality of the Department of Homeland Security to its information-sharing process, concerns still remain. Internet advocacy groups like the Center for Democracy and Technology have argued that its provisions could weaken Homeland Security’s role in favor of more engagement between the private sector and the National Security Agency. Whether that is true or not--and CISPA advocates deny it--there are still those in Congress who see “giving the problem” to the Department of Defense as part of the answer.
Now is not the time for expedients, however well intentioned. The NSA certainly has a key role to play; when dealing with overseas threats, it would be self-defeating not to utilize the capabilities of the world’s most impressive signals intelligence organization. Privacy concerns need to be balanced against the potential for extreme privacy loss when your data is spread across the web by cyber criminals or exfiltrated by foreign intelligence operatives. It is also unrealistic, both financially and practically, to create a parallel organization within the Department of Homeland Security. That is why President Obama’s recent Executive Order sensibly includes measures to widen the pool of organizations that can benefit from what the NSA knows. However, none of that means additional responsibility for America’s cybersecurity efforts should be put into military hands. What is required is a more effective DHS, not a more customer-focused NSA.
The quicker the country builds up the civilian institutional capacity it needs for long-term cyber security, the better. It would be unfortunate indeed if the specter of “cyber war” gave succor to those who favor further boosting the Pentagon’s and the Intelligence Community’s responsibilities at the expense (in practice, if not in theory) of a non-military security agency such as DHS. This would be particularly true if the short-term effect was a continued block on the passage of much-needed cyber legislation.
However, this is not just a Congressional problem. The Obama administration has also internalized the lessons from the last decade: in a time of “war,” it is relatively easy to get funding for the military to take on and complete a mission as opposed to building new civilian capacity to handle the job. Just as it was with nation building in Iraq, so it is with cyber defense. The reported plan to establish national mission forces under the military’s U.S. Cyber Command (which is tasked with protecting critical infrastructure) is an understandable bureaucratic response to a perceived need to “defend the nation.” The problem comes if nothing more happens. The challenge then becomes ensuring that the necessary cyber defense architecture and robust civilian government support shifts over to the private sector. That will be difficult enough; the banging of war-drums will make it even harder to accomplish.
Not that the Defense Department and U.S. military should stay out of the cyber security business--quite the opposite. The fourth and final reason why we should be cautious in talking about cyber warfare is the risk that such imprecision leaves us ill-prepared to deal with the cyber elements of war when we do have to confront them. Director of the NSA and Commander of U.S. Cyber Command General Keith Alexander not only has to continue to supply U.S. leaders with top quality strategic intelligence, he must also ensure the United States is prepared to exploit cyber opportunities when the country does go to war. At the same time, General Alexander will need to ensure that U.S. forces’ extraordinary technological capabilities retain their edge in the face of the cyber attacks that will very likely target them whenever they next go into the field. While General Alexander and his organizations will remain major contributors to any government effort to fend off serious national threats, we should also be mindful of the opportunity cost of making the NSA and the Cyber Command the “super Geek Squad” for the private sector and the nation more generally. These organizations must stay focused on their primary missions--defending U.S. national security.
Rejecting the application of the war metaphor to cybersecurity should not diminish the current challenges faced by governments, the public, and cyber security professionals. However, when a real cyber war is declared, it will be messy and dangerous, and we need to be prepared, especially on the home front. That planning is best done deliberately, dispassionately and holistically. Declaring “war” too early will undermine our efforts and likelihood of success.
Ian Wallace is a visiting fellow in cybersecurity at Brookings’ Center on 21st Century Security and Intelligence in Washington, DC. He was previously a senior official at the British Ministry of Defence where he helped develop UK cyber strategy as well as the UK’s cyber relationship with the United States.
China 2, U.S. Zero
The American response to Chinese cyberespionage is going to backfire.
This week saw a concerted effort by top government officials to call out China as a major threat actor in cyberspace. On Monday, March 11, Obama’s national security adviser Tom Donilon said in remarks before the Asia Society in New York City: “Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyberintrusions emanating from China on an unprecedented scale. The international community cannot tolerate such activity from any country.”
The next day, Director of National Intelligence James Clapper delivered his Worldwide Threat Assessment to the Senate Select Committee on Intelligence and said: “China is supplementing its more advanced military capabilities by bolstering maritime law enforcement to support its claims in the South and East China Seas. It continues its military buildup and its aggressive information-stealing campaigns.”
That same day, Gen. Keith Alexander, the commander of U.S. Cyber Command and director of the National Security Agency, announced in testimony before Congress that CYBERCOM is creating 13 offensive teams “to help defend the nation against major computer attacks from abroad” while “twenty-seven other teams would support commands such as the Pacific Command and the Central Command as they plan offensive cyber capabilities.” The specific mention of Pacific Command was clearly intended as a message for the Chinese government.
These are just the latest attempts by the Obama administration, Congress, and the Defense Department to portray China as the primary villain in the rampant theft of America’s intellectual property. This message, which they have been pushing for the last few years, has been supplemented and fueled in part by information security firms like Mandiant, whose ex–Air Force founders have built their business on countering the APT (Advanced Persistent Threat)—an Air Force code word for China that Mandiant adopted as a way to describe who is behind the massive theft of U.S. trade secrets and IP. Mandiant’s credentials have been bolstered recently by the New York Times: First, the paper hired the firm to respond to attacks on its website that apparently came from China. Then, last month, the Times highlighted a report from Mandiant that named a People’s Liberation Army unit as the culprit behind years of attacks against 141 companies.
The momentum generated by this singular focus on China has been exploited by senators and members of Congress with their own reasons for pushing cybersecurity legislation. At one point, more than 60 separate bills were being floated, and all of them used Chinese cyberattacks as a lever to gain support. None have passed both houses yet, so the president signed his own executive order on cybersecurity back on Feb. 12, 2013, which called for more information sharing between the public and private sector and the intention to collaborate on the development of risk-based standards, a good first effort but not sufficient to make a difference in helping U.S. companies stem the tide of attacks.
Unfortunately, this cascade of enmity directed against China doesn’t stand up under scrutiny. Yes, China does engage in these activities. But a) so do many other nations including Russia, France, and Israel and b) we still haven’t solved the attribution problem—that is, determined who is actually attacking us. Any foreign intelligence service worth its salt would conceal their cyberespionage operations by making it look like they came from Chinese IP addresses since China is everyone’s first guess anyway and since Chinese-based servers are so easy to gain access to.
Furthermore, the anti-China rhetoric clashes with the current practices of many U.S. businesses. For example, the U.S. government rails against Huawei as a security threat, but it has purchased thousands of Huawei-made products under the brand name Huawei-Symantec that are in use today across the federal government, including Department of Defense and the Department of Justice. If Huawei is such a threat, why are we buying their products under the Huawei-Symantec brand? They’re still made in China by the same company that the U.S. government has blocked purchases from.
While Mandiant builds its business on defending companies against Chinese hackers who reportedly work for the People’s Liberation Army, GE (for whom Mandiant does data forensics and incident response) continues to expand its presence in China, including R&D on the smart grid—an essential part of U.S. critical infrastructure. This is one of the most surprising and troubling examples of this anti-China direction. The PLA has contingency plans to attack U.S. critical infrastructure if they believe a military strike by the United States is imminent. Yet here’s GE building a key component of our critical infrastructure in China, using Chinese engineers who have trusted access to GE’s network. Who needs hackers when you work for the target company?
Dell, Intel, and HP have also made major investments in China, and both have acquired information security firms—SecureWorks, McAfee, and Fortify, respectively. So these U.S. multinationals not only see China as a required region of the world to do business in; they also have intimate knowledge of the security risks, thanks to their acquisitions of SecureWorks, McAfee, and Fortify.* Yet neither is leaving China—both have indicated their commitment to expand their presence there, which includes operating their R&D labs. In fact, more than 1,200 foreign R&D firms operate inside China, which means that they hire Chinese engineers; use China Telecom, China Unicom, and China Mobile for all of their communications (which the state supervises and monitors); use Chinese vendors to clean their offices, shred their documents and provide other services, which grant them trusted access; and essentially lay bare their intellectual property and trade secrets for the taking.
Business interests generally dictate government policies, thanks to political fundraising and the virtually unlimited bank accounts of lobbyists. The effectiveness of the U.S. Chamber of Commerce stands witness to that, and even though it’s also been a victim of a China-attributed hacking attack, it continues to engage with China. The anti-China sentiment on the Hill, in the Pentagon, and at the White House clashes with the pro-China business policies of major U.S. companies, including those with very active in-house security operation centers. Beijing surely knows about this disconnect—and that makes the U.S. strategy look weak or inferior.
China and Russia have long advocated for a treaty that would establish an international code of conduct for information security—something that the United States has always opposed. Now, in light of increased U.S. accusations that China is engaging in massive amounts of cyberespionage, China has offered to “have constructive dialogue and cooperation on this issue with the international community including the United States to maintain the security, openness and peace of the Internet.” If accepted by the United States—and it’s hard to imagine that after all this saber-rattling, America would say no to the offer—China will have finally gotten what it has wanted for several years: an international code of conduct that would really be used to control dissent under the guise of attacking illegal activities (like hacking) in cyberspace.
A better approach might be for the federal government to quietly encourage U.S. companies to take steps to harden their networks against low-level attacks (which will shrink the attack surface); identify, segregate, and monitor their crown jewels (which will make it harder for any adversary, including China, to steal them); and engage with China and Russia against a mutual enemy (mercenary hacker crews). This eliminates the rhetoric and focuses on collaboration—a requirement, since the U.S. is never going to make good on threats against the single biggest holder of U.S. debt and a vital market for U.S. multinationals.
This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.
Correction, March 15, 2013: This article originally stated incorrectly that HP had acquired McAfee. Intel purchased McAfee, while HP has acquired Fortify Software.