The Mess that is U.S. Cybersecurity Policy...
After spending the better part of the past two months conducting research on cybersecurity, I am dumbstruck at the headlines that continue to come out on a daily basis.
Let's create a little context. Just in the past few months, the world has been made aware that large American businesses like Google, Microsoft, and the New York Times have been the victims of massive cyberattacks originating in China. This follows on the heels of news that U.S. governmental institutions like the Defense Department have been similarly and continuously attacked as well. Then a report comes out, confirming what U.S. intelligence officials had secretly been aware of for years, that an overwhelming number of such cyberattacks can be traced to a single building on a single street in Shanghai - which just so happens to be the headquarters of the Chinese government's military cyberunit, named Unit 61398.
So there is pretty damning evidence that the Chinese government - not a random group of hackers, but the military itself - is actively engaged in cyberwarfare against American businesses and American governmental institutions. In response, what have we seen the discussion in the U.S. focus on? How about criticism of American companies being "disturbingly silent" about when they are victims of a cyberattack, and debates over whether companies should tell the public when they get attacked. It seems that some people consider the solution to cyberwarfare to be, simply, better information-sharing.
Granted, the Obama Administration has tried to present itself as taking a harder line on the issue. The President recently went so far as to issue an Executive Order; however, it, too, merely encourages the voluntary sharing of information with the private sector. Also, officials have said they plan to tell China’s new president, Xi Jinping, this week that "the volume and sophistication of Chinese cyberattacks have become so intense that they threaten the relationship between Washington and Beijing". Their solution? To get China to agree to "acceptable norms of behavior in cyberspace".
In the meantime, the cyberattacks against U.S. targets continue. Oh yeah, and the proposed Cybersecurity Act of 2012 has just died in the Senate due to partisan bickering and the filibuster.
Let's be constructive, shall we?
First, let us recognize plainly that the ideas of better information-sharing and general coordination between the public and private sectors, and within the private sector, are definitely worthy ideas and ought to be pursued. However, there's nothing new about them. They've been part of the policy discourse at least since the Bush Administration's National Strategy to Secure Cyberspace was developed just after the 9/11 attacks. So it's time officials stop banging that drum as a smokescreen for their lack of new ideas.
Second, the challenges of cybersecurity reside on two fronts: prevention and response. Better information-sharing really only targets the response side of the equation, seeking to mitigate the effects of a cyberattack after it has occurred. Such ideas do nothing in terms of prevention.
What steps can be taken to actually try to prevent cyberattacks? There are two main ideas circulating out there...
The first is deterrence in the form of the U.S. engaging in offensive cyberwarfare of its own. As General Keith Alexander, who runs both the National Security Agency and the military's Cyber Command, has said, foreign governments need to fear that the U.S. would carry out offensive cyberattacks if America were hit with a major attack. This far more proactive (or aggressive) policy would require an established set of criteria for when an offensive cyberattack was warranted as well as specific rules of engagement. These determinations would be no easy feat in the context of cyberspace.
The second is enabling the government to mandate that the private sector deploy certain cybersecurity measures on its own networks. Thus far, the design of national cybersecurity policy has focused almost exclusively on voluntary public-private partnerships. But at what point do government mandates start to make sense? Anytime there is discussion of not just government regulations, but government mandates, it becomes highly politicized - and rightfully so.
It's not too hard to imagine why both of these solutions fail to gain much traction. In purely political terms, no one wants to come across as either too militaristic or too authoritarian. But in the face of an ongoing cyberwar with China, doesn't something need to change at a fundamental level besides simply improving information-sharing and getting China to sign an agreement on "acceptable norms of behavior"?
Where is the American strategy for actually preventing cyberattacks?