Less than a month ago, Alexandria-based threat detection company Mandiant released a report that framed China’s military as the perpetrator of extensive cyber attacks on American companies. Whether or not China is behind such incursions, there is little doubt that the report has brought the threat of online attacks to the fore of national policy debates in a way that even the general election failed to do.
A new and prominent debate over the nature of the cyber threat to the United States could prompt the administration to act on cyber issues in the near future. Moreover, unpacking what “cyber” means and describing actual threat scenarios will be useful for developing a government-industry dialogue on issues related to private-sector assets, including power grid systems.
The technical and structural challenges of addressing these emerging threats are mostly surmountable. More difficult to overcome, in the long run, will be the reality that broad vulnerabilities to cyber infiltration hamper economic prosperity—and can significantly alter the relative balance of power between nations around the world. Yet today there remain significant and complex issues involved with strengthening America’s ability to see off cyber incursions in the foreseeable future.
One complex area is the multitude of different systems across industries and military organizations. Technological diversity among systems such as those that control the country’s power and utility networks makes it difficult for the government to implement or even suggest standardized security measures.
There are also major legal issues facing both lawmakers and those impacted by cyber attacks—government agencies, military units and private firms—in years to come. Sovereign territory is not as explicitly linked to the launching of cyber attacks as it is to more traditional threats. Tracing a hack to its source, for example, usually presents governments with severe jurisdictional challenges, not least because it’s difficult to pursue justice in countries that refuse to accept responsibility for specific incursions.
Comprehensive cyber treaties, as hard as they will be to negotiate, would by no means guarantee a nation the ability to obtain retaliatory justice. Tracing activity to an IP address usually provides little information on the origins of a hacker and leaves responsible organizations able to obscure their involvement.
And there will be significant challenges involved in defining and legally justifying mechanisms for actively defending against cyber incursions. Does a company have the right to trace a hack to its source if that means violating the networks of organizations in other countries? And can an organization “hack back” against cyber attackers, on either side of a firewall, to do something like delete stolen information?
Innovation and National Power
Policymakers must be careful going forward to frame cybersecurity issues in the context of larger threats to national interests. After all, the primary nature of threats from cyber incursions is not, at least directly, technological, militaristic or even infrastructural. It is economic.
In a world where the beneficiaries of hacking profit from U.S. investments in innovation, adopting half measures and non-standardized protocols for protecting online assets could diminish the latent power of the United States. Penetration of the innovative sector could significantly alter the U.S. ability to project influence around the world.
A state’s geopolitical power and influence comes from its ability to channel economic activity toward addressing national concerns. Thus, a country’s competitive edge in economic and security affairs is in large part derived from the cultivation of an edge in innovative capabilities. History bears this out: many nations have maintained the ability to wield superior relative power in the world by investing in new technologies.
Moreover, new and innovative market inputs are of great importance to fueling economic growth. Moses Abramovitz, in his ground-breaking postwar study of U.S. market performance, pegged new inputs to the economy as responsible for almost 85 percent of total national growth. That figure may not be as high today as it was before the era of globalization, but it still holds that states that cultivate and harness innovation end up more influential in world affairs.
At the most basic level, access to national security secrets can diminish the effectiveness of military capabilities, and knowledge of new commercial innovations can reduce the competitiveness of U.S. companies. A commonly cited example of this is the report, put before Congress in late 2012, that F-22A blueprints stolen by hackers may have contributed to the unusually rapid development of a Chinese stealth fighter. If this is true, China saved billions on the intensive research required to develop next-generation military systems.
China would also have been spared exposure to investment uncertainties. After all, procuring access to new capabilities through cyber intrusion allows a country to gauge the productive value of a targeted process or product. Thus, a country can be both buoyed by innovation that doesn’t require investment and saved from the potential for capital loss that can come from failed development attempts.