During a recent off-the-record meeting, a senior government official warned that cyber attacks on United States in 2013 will be worse than they were in 2012, a year during which they reached a peak. (Participants were free to use what they were told, but not to disclose the names or venue).
Representatives of private corporations in the audience were told that there is not one whose computers have not been hacked. The official appealed to self interest (“you spend scores of millions on brand ‘D’ and someone else brings it to the market at a fraction of the cost, after stealing the fruits of your studies”), communitarian concerns (“don’t let your computers be used as a basis for attacking others”), and patriotism (“our systems are only one-third secure”). He pointed out that beyond stealing trade and defense secrets, computer hackers destroyed the data of the computers of Saudi Aramco, and warned that they could easily bring down our infrastructure, from the electrical grid to banking.
Asked about counterattacks, he allowed that we live in a house of glass, and that it does us little good to throw a rock at someone whose house has a small window. (Translation: there is little to steal in China). He urged people to read The Basics of Hacking and Penetration Testing by Patrick Engebretson and share it with their CEOs.
What struck a chord more than anything the official stated was his tone and approach. It was a long way from a powerful, controlling, overwhelming government; he was requesting, even pleading, for cooperation and mere information. If a corporation would just let us know when it has been attacked, he allowed, it would help a great deal. But the private sector all too often is not playing ball. It fears that if it discloses its vulnerabilities, this would damage its bottom line and may even subject it to liability suits. And major segments of the private sector continue to resist cybersecurity measures on the ground that they entail government interference in and constitute “costly regulation” (in the words of the U.S. Chamber of Commerce) of the private sector.
After a year of study, the House Intelligence Committee recently concluded that the Chinese companies Huawei and ZTE, both major producers of telecommunications equipment that seek to enter the U.S. market, pose a major security threat to the United States. Their tools could be readily used by China to spy on Americans through technological “backdoors,” and even to disrupt many essential services on which the American economy relies. Huawei’s activities have come under particular scrutiny: their activity on the global market has already been inhibited by the governments of Australia and India, who cited similar national-security concerns. In the words of Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, “if you care about your intellectual property, if you care about your consumers' privacy, and you care about the national security of the United States of America,” and if you “are looking at [buying from] Huawei, I would find another vendor.”
The recent inquiry by the House Intelligence Committee found that immigration violations, corruption and the use of pirated software were part of Huawei’s “pattern and practice.” The House committee “received internal Huawei documentation from former Huawei employees showing that Huawei provides special network services to an entity the employee believes to be an elite cyber-warfare unit within the PLA (People’s Liberation Army).”
Deputy Defense Secretary Ashton Carter noted that cybersecurity efforts were being stalled because “companies just aren’t willing to admit vulnerability to themselves, or publicly to shareholders.” It was left to the government to plead with Sprint not to buy the Chinese equipment. Sprint acceded to these requests, but similar pleas were roundly ignored by other companies such as United Wireless, which purchased Huawei equipment and is using it.
Shortly before leaving office, Secretary of Defense Leon Panetta ratcheted up the warnings, pointing to the risk that the nation is facing a “cyber Pearl Harbor.” He explained that “a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber-terrorist attack could paralyze the nation.” Panetta cited a variety of denial-of-service attacks that hit financial computing networks in New York, and the Shamoon virus, a presumed Iranian product that wreaked unprecedented havoc and disabled thirty thousand Saudi computers. The outgoing secretary demonstrated his sense of urgency when he argued that our current cybersecurity position is in “a pre-9/11 moment.” It seems no one is listening—other than the hackers.
Amitai Etzioni served as a senior advisor to the Carter White House; taught at Columbia University, Harvard and The University of California at Berkeley; and is a university professor and professor of international relations at The George Washington University. His latest book is Hot Spots: American Foreign Policy in a Post-Human-Rights World.