China wants the capability to inflict a 21st century Pearl Harbor on the United States should conflict ever arise. Beijing knows the best way to do this is to target the technology on which we rely for defense and daily life. While President Obama has cited the risks of inadequate cybersecurity, he has not taken simple steps to defend us.
By now, most Americans are familiar with China’s technology-focused espionage. Throughout the 1990s, Beijing successfully penetrated a number of U.S. national laboratories to purloin defense secrets, including the design for America’s most advanced nuclear warhead.
In the last two decades, almost every major public and private organization involved in national security has detected some form of Chinese-directed cyber surveillance. Chinese hacking has helped put major companies like Nortel out of business.
Beijing is not only interested in putting a modern twist on the age-old practice of espionage to steal an adversary’s security and commercial secrets. It also wants the next-higher capability in this evolutionary chain: cyber sabotage on a mass scale.
The potential damage from this could be immense:
- A successful attack targeting defense systems and public infrastructure could blind the U.S. military and disrupt power generation and electrical networks.
- The lights would literally go out across America.
- Communications would fail.
- Banks and ATMs would be offline.
- Gas stations would sit atop fuel that could not be pumped.
- First responders could not respond.
President Obama has spoken often of the cyber threat facing the United States. Last month, he mentioned cyber attacks in his State of the Union address and issued an executive order on the matter.
Unfortunately, the administration's approach prioritizes regulation. Obama's executive order never mentions the Pentagon’s Cyber Command, which, unlike U.S. companies, can go on the offensive against cyber opponents. Indeed, the order seems primarily concerned with accreting more power to the Department of Homeland Security. That agency is now ordered to devise "standards" for securing infrastructure-related networks.
Congressional hearings planned for April on Obama's new cyber policy should ascertain if these standards really will remain voluntary, as has been promised. After all, provisions of the executive order already contemplate compliance costs and regulatory burdens.
Hearings should also examine when consumer and business technology companies—specifically exempted from the order to allay commercial and privacy concerns—will be sucked in.
Congress should furthermore ask the administration why it turned to Homeland Security, which has few skills in this area, rather than the Energy Department, which at least has some capacity to understand technology and networks.
The biggest problem of all is that Obama’s approach contemplates only defensive steps. But this method may work no better on cyber opponents than it does on terrorists. For both threats, it is impossible to secure adequately every target in our adversaries’ sights, and coming close would require an unacceptable loss of freedom and commercial potential.
A better approach could have these four parts:
First, the U.S. should go on the offense when governments attack us with cyber means. Our adversaries should know there will be a cost to stealing information or launching attacks. During the Cold War, allied and enemy spies arrived at an unwritten code of conduct for what was acceptable behavior and what was overly provocative. The latter could lead to retaliation. Recreating this balance by pushing back today is the necessary precursor of a more civilized cyber order tomorrow.
Second, Washington should use the private sector, not act as its nanny. China’s success at cyber assaults stems in large part from Beijing bringing the old naval concept of the “privateer” into the 21st century: private parties wreaking havoc at the direction of government. To the extent America’s relatively new Cyber Command is still short on staff and capabilities, Washington should emulate this Chinese model.
Third, the U.S. should call a spade a spade. In his speech and executive order, President Obama failed to name the Chinese government as the chief culprit of cyber attacks. This risks repeating one of the early mistakes of the War on Terror: being unclear about the definition of one’s adversary and the scope of the challenge, with resulting chaos as various agencies grope toward an unclear goal.
Fourth, stop handing Beijing easy wins. Many rankings place the world's top ten computer science schools in North America. When Chinese students graduate from them, they should get an automatic visa that encourages them to settle here. Washington should augment steps like this that keep cyber talent in the U.S. with others that impede Beijing's theft. These could include more aggressive government denial of Chinese investment in U.S. companies where technology will be shared—including through joint ventures and minority investments, in addition to outright purchases of U.S. businesses.
A cyber Pearl Harbor need not happen. But preventing Beijing from ever obtaining such a capability or entertaining its use will require more from Washington.