Time to take a stand against state-sponsored cyber attacks
Earlier this week, the Pentagon issued a report accusing the Chinese government and military of conducting cyber attacks against the U.S. in an effort to gather intelligence on diplomatic, economic and defense programs. This follows a report released earlier this year by cybersecurity firm Mandiant, which also accused the Chinese military of carrying out cyber attacks against more than 140 companies, the majority of them American. Neither of these reports, however, came as a shock to those who have worked in or followed the information security industry for any length of time, as China has frequently been accused, either directly or indirectly, of perpetrating such attacks for years.
According to retired Navy Rear Adm. James Barnett, who formerly served as chief of public safety and homeland security at the Federal Communications Commission, one of the problems historically with accusing China of these cyber intrusions is being able to directly link them to the crime.
"The major problem in dealing with state-sponsored cyber theft or cyber espionage directed against our defense industry is attribution," says Barnett, who currently heads the cybersecurity practice at Washington law firm Venable LLP. "The Chinese government has always said 'hey, we have not done criminal activity, you’re pointing the finger the wrong way because we’re not for cyber crime.' The Mandiant report was significant. It is circumstantial evidence, but it is strong circumstantial evidence that (a Chinese military unit) was involved in cyber crime. They linked it to direct things they have been doing."
Barnett says what is interesting is the timing behind the releases of these two reports, which could indicate the building of a case by the U.S. against China in which China can no longer use "plausible deniability" as an excuse.
"I think what we’re seeing is the laying of groundwork for a more diplomatic approach to suppressing this," explained Barnett. "Will that be effective? Perhaps not, but it is certainly something that has been lacking in the past. Things that you may see come after that is probably behind the scenes discussions about this and perhaps, in the future, we’re going to see some type of sanctions that may come about as a result of this."
Another variable in this cyber game of cat and mouse is the role of private industry and the responsibility they have in securing their network infrastructure. This was a major impetus behind the cybersecurity executive order issued earlier this year by President Barack Obama, which gives government agencies a year to devise a "baseline framework" for cybersecurity that incorporates industry best practices and also requires the intelligence community to share possible threats that could impact businesses considered to be part of the nation’s critical infrastructure.
"I think one of the things we’re going to see this year with the executive order is a raising of the bar and everyone recognizing that you’re not going to be able to keep everyone out completely, but we’re not going to be in the situation of our defense industry where you’re unaware, for a significant amount of time, that you’ve got somebody in your system," Barnett says. "I think one of the principles that is going to have to be recognized is that this is a domain where the frontline is and always will be held by privately operated industries, not the government."
However, Barnett believes that the federal government will have to go beyond just intelligence sharing and actually provide private industry with incentives to bolster their cybersecurity posture. "The government can play the role of providing a security market. In other words, basically saying 'industry, the dollar that you spend on securing your networks, securing your information is going to be incentivized by tax breaks or tax credits,'" Barnett says. Another way to possibly incentivize private industry, according to Barnett, is to limit their liability when it comes to intrusions if they take proper security precautions. However, he says none of these things will be possible with the partisan gridlock that has taken hold in Washington.
While many have characterized these alleged breaches by the Chinese as "cyber warfare," Barnett believes that the situation is much more analogous to sea piracy.
"Back in the 1400s there were great improvements in navigation and there was a lot more commerce at sea. Immediately after that, you saw piracy spring up and piracy was a major aspect of sea commerce for about 300 years until nations developed tools and laws to fight it," Barnett explained. "Today, we hear about piracy, but it is generally a front page story because it is so unusual. There are different places in the world where it exists, but no one would say it’s a major factor in commerce at sea. Right now, the Internet is a domain that’s like a new ocean… but there’s piracy and we have to develop the organization, laws and the tools to be able to coordinate among the nations to fight it. But we’re really at the beginning of that."
Despite the severity of this issue and the increasing frequency with which our networks – both public and private – are being intruded upon, many people still don’t take it that seriously. Barnett pointed out that after every major disruption we’ve had as a country, the government has been reorganized after the fact to better respond to it, such as the creation of the Department of Homeland Security after the Sept. 11 terror attacks. If we don’t wake up to the current dangers posed by state-sponsored cyber attacks, be it from China or some other nation, we will likely be reorganizing the government again and creating another bureaucracy to deal with the threat.