Less than a month ago, Alexandria-based threat detection company Mandiant released a report that framed China’s military as the perpetrator of extensive cyber attacks on American companies. Whether or not China is behind such incursions, there is little doubt that the report has brought the threat of online attacks to the fore of national policy debates in a way that even the general election failed to do.
A new and prominent debate over the nature of the cyber threat to the United States could prompt the administration to act on cyber issues in the near future. Moreover, unpacking what “cyber” means and describing actual threat scenarios will be useful for developing a government-industry dialogue on issues related to private-sector assets, including power grid systems.
The technical and structural challenges of addressing these emerging threats are mostly surmountable. More difficult to overcome, in the long run, will be the reality that broad vulnerabilities to cyber infiltration hamper economic prosperity—and can significantly alter the relative balance of power between nations around the world. Yet today there remain significant and complex issues involved with strengthening America’s ability to see off cyber incursions in the foreseeable future.
One complex area is the multitude of different systems across industries and military organizations. Technological diversity among systems such as those that control the country’s power and utility networks makes it difficult for the government to implement or even suggest standardized security measures.
There are also major legal issues facing both lawmakers and those impacted by cyber attacks—government agencies, military units and private firms—in years to come. Sovereign territory is not as explicitly linked to the launching of cyber attacks as it is to more traditional threats. Tracing a hack to its source, for example, usually presents governments with severe jurisdictional challenges, not least because it’s difficult to pursue justice in countries that refuse to accept responsibility for specific incursions.
Comprehensive cyber treaties, as hard as they will be to negotiate, would by no means guarantee a nation the ability to obtain retaliatory justice. Tracing activity to an IP address usually provides little information on the origins of a hacker and leaves responsible organizations able to obscure their involvement.
And there will be significant challenges involved in defining and legally justifying mechanisms for actively defending against cyber incursions. Does a company have the right to trace a hack to its source if that means violating the networks of organizations in other countries? And can an organization “hack back” against cyber attackers, on either side of a firewall, to do something like delete stolen information?
Innovation and National Power
Policymakers must be careful going forward to frame cybersecurity issues in the context of larger threats to national interests. After all, the primary nature of threats from cyber incursions is not, at least directly, technological, militaristic or even infrastructural. It is economic.
In a world where the beneficiaries of hacking profit from U.S. investments in innovation, adopting half measures and non-standardized protocols for protecting online assets could diminish the latent power of the United States. Penetration of the innovative sector could significantly alter the U.S. ability to project influence around the world.
A state’s geopolitical power and influence comes from its ability to channel economic activity toward addressing national concerns. Thus, a country’s competitive edge in economic and security affairs is in large part derived from the cultivation of an edge in innovative capabilities. History bears this out: many nations have maintained the ability to wield superior relative power in the world by investing in new technologies.
Moreover, new and innovative market inputs are of great importance to fueling economic growth. Moses Abramovitz, in his ground-breaking postwar study of U.S. market performance, pegged new inputs to the economy as responsible for almost 85 percent of total national growth. That figure may not be as high today as it was before the era of globalization, but it still holds that states that cultivate and harness innovation end up more influential in world affairs.
At the most basic level, access to national security secrets can diminish the effectiveness of military capabilities, and knowledge of new commercial innovations can reduce the competitiveness of U.S. companies. A commonly cited example of this is the report, put before Congress in late 2012, that F-22A blueprints stolen by hackers may have contributed to the unusually rapid development of a Chinese stealth fighter. If this is true, China saved billions on the intensive research required to develop next-generation military systems.
China would also have been spared exposure to investment uncertainties. After all, procuring access to new capabilities through cyber intrusion allows a country to gauge the productive value of a targeted process or product. Thus, a country can be both buoyed by innovation that doesn’t require investment and saved from the potential for capital loss that can come from failed development attempts.
For sponsors of hacking, there is likely to be a considerable benefit to economic welfare and security capabilities. In China’s case, this could insulate the rising power from the increasing costs of caring for an aging population and protect of national-security projects that might otherwise be prioritized below domestic spending concerns. In short, the spoils of hacking could disproportionately sustain the ability of states, including potentially revisionist ones, to devote resources to projecting military might abroad.
The Worst Case Scenario
Long-term cyber threats to United States have far-reaching consequences for the country’s national security interests and capabilities. It’s true that the country will not lose its ability to innovate and compete. But much as happened when Google allegedly appropriated the results of billions of dollars worth of Apple’s research on smartphone technologies, access to the nation’s innovative capacity could force the United States to compete with products of stolen knowledge.
Foreign companies, buoyed by the efforts of subversive governments, could retool their playbooks to beat out U.S. companies in new market ventures around the world, while U.S. military units could lose a measure of the added effectiveness that comes from tactics adapted to new technological capabilities.
In the past year, political conversations have focused on the need to spark economic growth and balance governmental expenditures in a way that reduces the national debt while making the right investments for years to come. Future conversations, while already turning towards cybersecurity, need to realize that protection from online threats is central to long-term economic well being.
A consolidated and unified cyber policy directive must be formulated and adopted with conviction. Picking off low-hanging fruit—such as increasing the security capabilities of individual systems—is certainly necessary. But linking these issues to the national interest will allow the government and other concerned parties to coordinate a nationwide set of solutions that address the evolving cyber threat.
Christopher Whyte is a program assistant at Center for the National Interest and a WSD-Handa Fellow at CSIS Pacific Forum. He is an analyst for the geostrategic analytic firm Wikistrat, Ltd.
Image: Wikimedia Commons/Gani01. CC BY-SA 3.0.