In last night’s State of the Union address, President Obama vowed to bolster cybersecurity, which should come as no surprise. After all, the administration began the new year by doubling down on its punishment of North Korea for hacking Sony Pictures last November, even as some cyber security experts remain skeptical about whether North Korea was actually responsible. FBI Director James Comey just a few weeks ago said, “I know that some serious folks have suggested we have it wrong. They don’t have the facts that I have. I have very high confidence about this attribution.”
Meanwhile, in early January, the White House, as part of a “proportionally” appropriate response, placed sanctions on three North Korean agencies—including its primary intelligence arm—involved in its cyber program as well as ten elites connected to the government. The sanctions were the administration’s first public response, although the US may have also been behind a 9.5-hour Internet outage in North Korea in late December. (At the very least, the US took the blame for it.) Both activities appear to be intended to punish North Korea, and deter it from conducting future attacks in cyberspace.
But are these the kinds of steps that will improve the US’s cybersecurity? Maybe, but the White House and Congress will need to take further far-reaching steps.
Computer networks in the US are constantly under attack by shadowy cyber criminals and other countries, potentially costing the American economy as many as 200,000 jobs a year—although cost estimates are barely better than guesses. The Sony attack was notable because it was one of the most high-profile attacks on a company in memory by a politically motivated state actor. The US economy’s reliance on the Internet means that a large-scale disruption in cyberspace could be enormously harmful to American commerce.
Traditional deterrence measures—for example, a variation of the Cold War doctrine of mutually assured destruction—might have some effect on deterring other wealthy countries, although cyberspace still lacks the “fear factor” of putting tens of millions of lives at stake. Most of the perpetrators of cybercrime are small networks or individuals with a different risk/gain calculation than a nation-state, so even if the US retains the best offensive cyber capability in the world, it will never deter all—or even most—threats.
Yet defensive measures are poorly coordinated between private and government entities. Firms that have invested significant resources in their cybersecurity will probably be disinclined to share their intellectual property with both their competitors and the government, especially with the much-maligned Department of Homeland Security. Firms that share data on cybercrimes with the government risk falling afoul of privacy laws, and much of the federal government’s cyber capabilities are classified. The end result is a deeply inefficient and stove-piped system that does little to protect the country or our privacy, considering 40 million Americans had their personal information stolen in 2013.
Our ability to defend ourselves is further hampered in part by a lack of clarity in the obsolete US legal code governing cyber crimes. Congress has dawdled for more than three years on passing a bill to update statutory authorities on defending against cyber crime, primarily because of concerns by a coalition of privacy advocates and libertarian groups. While some of these groups have offered ideas to amend the Cyber Intelligence Sharing and Protection Act (CISPA) to better protect civil liberties, the bill continues to languish. Amending it so that it is acceptable to both the national security and civil liberties communities, as well as both political parties, should be a priority for the incoming Congress.
A final avenue the US can take to improve its cybersecurity is through non-technical engagement. Countering cyber crime will require persistent diplomacy at all levels so that countries understand the value of having an open, free, and safe internet for individuals and businesses to engage in lawful activity.
China especially should be pressured to crack down on hackers in its own country if it wants to move its economy to the first world. To wit, FBI Director Comey claimed that Chinese hacks, including those linked to China’s People’s Liberation Army, cost the US “billions” every year. US intelligence agencies and law enforcement will also need to work with foreign counterparts to counter criminal activity that ignores borders.
President Obama’s sanctions on North Korea were the first step to help the US defend itself against cyber crime. Hopefully this won’t be the last. Our government must update its laws and strategy to better prepare our country. The American people and the American economy depend on it.
Photo: A network administrator with the U.S. Air Force’s 97th Communications Squadron inserts a hard drive into the network control center retina server at Altus Air Force Base, Okla., Jan. 24, 2014, in preparation for a command cyber readiness inspection. (DoD photo by Senior Airman Franklin R. Ramos, U.S. Air Force/Released)