The past several weeks have seen an explosion of news about United States cybersecurity. First, stories about Chinese cyberattacks. Next, the president’s historic reference to cybersecurity in the State of the Union address. Finally, more stories about Chinese cyberespionage. If one is in the business of national security, these and other stories represent identifiable parts of a larger, cohesive story. But for the lay reader, discerning that larger story is more challenging. What is old news? What is new? And what lies ahead?
The old news: the scale, types, and sources of the attacks
According to a recent Washington Post article, a new U.S. government intelligence assessment describes the massive scale of cyberattacks by nation states (most notably, by China), criminal organizations, and individuals. Although it is fair to say that the scale, scope, and sophistication of such attacks have increased over the past several years, the basics have largely remained the same. The U.S. government and affected commercial sectors have been well aware of these threats. All too many industries — information technology, defense, energy, advanced manufacturing, healthcare, agriculture, law, non-governmental organizations, and the media, to name a few — have been attacked, and in the most sophisticated cases the perpetrators have been traced back to China. Even the most technologically able of companies, such as Google and defense contractors, have found Chinese cyberattackers resident in their networks. Intruders have been able to steal enormous amounts of sensitive and valuable information. The combined result of this U.S.-to-China illicit exfiltration is what one official has called “the greatest transfer of wealth in history.”
Also in the “old news” category is that not all attacks are about stealing. In less common but more immediately disruptive cases, state-sponsored cyberattackers — most notably from Iran — have caused significant harm to computer networks. Specifically, last fall attackers disrupted U.S. financial institutions’ networks, making some websites temporarily inaccessible. Even more destructively, Iranian cyberattackers rendered inoperable 30,000 computers at the world’s largest oil company, Saudi Aramco. These attacks illustrate what cyber professionals have long known: cyberattacks — especially against critical infrastructure — can easily turn from silent burgling to serious disruptions or destruction.
The new news: exactly who is attacking us, and presidential action
The past several weeks have also highlighted new developments in cyberwarfare, most significantly exactly who the attackers are and more forceful executive branch efforts to combat cyberattacks.
On the first, a report this week by the network security company Mandiant concluded that a significant number of sophisticated attacks originated not just from China, but likely were perpetrated by the Chinese military. Although this may not be new to many “on the inside,” the public attribution to the People’s Liberation Army (PLA) with a highly detailed description of their modus operandi as well as individuals involved is something we have not seen publicly before. There are real risks to this disclosure, as it will undoubtedly drive the PLA to pursue new tactics to avoid detection, but Mandiant (and many others) clearly believe that those risks are outweighed by the value of highlighting China’s efforts.
On the second point, there has indeed been a flurry of presidential activity over the past two weeks. Most significantly, the president’s executive order sought to maximize what federal departments could do absent legislation. The executive order specifically seeks to improve classified and unclassified information-sharing between the government and private sector, prioritize the protection of critical infrastructure (e.g., our electrical grid), and develop voluntary private sector standards for cyberdefense. The administration has also announced a government-wide effort to combat the theft of trade secrets from U.S. companies. This is significant in that it is the first high-profile and consolidated public statement — quite clearly focused on China — that contemplates more forceful legal and trade action against China should it not alter its behavior.
What lies ahead: legislation, confrontation, destruction?
Where then does this leave us? I expect major developments on at least three fronts.
First, legislation. Although the executive order is a first step, most recognize that legislation is necessary to enhance our cyberdefenses. Specifically, only legislation can provide companies immunity for providing cybersecurity-related information to the government. In addition, only legislation can clarify who in the government — the Departments of Defense, Justice, Homeland Security, and Intelligence Community, among others — should or must have access to the private sector information that is provided to officials. There are, of course, difficult questions embedded in these high-level issues: Will such information sharing affect the privacy of ordinary citizens? How will the federal bureaucracy (and federal workforce) keep pace with rapid technological change? More broadly, will the focus on information-sharing provide enough defense against a smart, determined adversary for whom economic espionage is a national imperative?
Second, confrontation. Assuming — and I think it is a very solid assumption — that cyberdefense can never do enough to protect networks, to what degree will the U.S. (and other nations) confront China (and other large-scale cyberattackers) to convince them to limit their use of cybertheft? Although the new administration strategy suggests greater forcefulness, the proof will be in the pudding. Neither the United States nor other nations can afford to view China through a singular cyberlens given our deep economic ties and reliance on their support for global hotspots like North Korea. In addition, to what degree will private companies who look to China as a massive emerging market be willing to proclaim publicly that their secrets have been stolen by China or others? I expect to see continued confrontation with China over these matters, but I’m less sanguine that we will be able to seriously alter its current cybercalculus.
Third, destruction. While the present focus has been largely on economic loss, we must not lose sight of the very real risk of destructive cyberattacks. As already noted, Iranian-sponsored cyberattacks effectively destroyed computers in Saudi Arabia, as well as computers at RasGas in Qatar. Using cybertools, determined adversaries can disrupt industrial control systems that govern our critical infrastructure, to include electrical, water, telecommunications, and air traffic control systems. In an armed conflict with a country like Iran, we will have to be prepared for such attacks; if Iran is willing to disrupt U.S. banking institutions today, then we would be foolish to think they would not be willing to do more in the midst of a hot war. And although Iran may not possess sufficiently skilled cyberwarriors to cause serious harm, we must remember that other, non-state actors might well be willing to assist in the fight if the price is right. Warning of a “cyber Pearl Harbor” is in my view a bit too alarmist, but we must nevertheless recognize — and mitigate — what is a clear, nationwide vulnerability today.
Michael Leiter was director of the United States National Counterterrorism Center under Presidents George W. Bush and Barack Obama, serving from 2007 through 2011. He is a counterterrorism, cybersecurity and national security analyst for NBC News.