One major reason the United States is subject to damaging cyber raids is that significant segments of the business community refuse to erect much-needed cyber defenses. Such defenses cannot be limited to the public sector because much of our security draws on work carried out in the private sector. Yet business representatives argue that they should not have to absorb the costs and object in principle to the government imposing yet another regulation, this one on how to protect their plants, computers and communication systems from Chinese and Russian cyber marauders.
Cyber raids caused significant security breaches in recent years, including at major defense contractors such as General Dynamics, Boeing, Raytheon and Northrop Grumman. Top-secret plans for the F-35 Joint Strike Fighter were stolen by hackers, presumed to be Chinese. According to the Select Committee on U.S. National Security and Military/Commercial Concerns with the People’s Republic of China, commonly known as the Cox Commission, China “has stolen classified information on all of the United States’ most advanced thermonuclear warheads, and several of the associated reentry vehicles.”
Richard Clarke, who served as special adviser to the White House on cyber security during the early 2000s, reports in his book Cyber War that Chinese hackers targeting U.S. corporations have stolen “secrets behind everything from pharmaceutical formulas to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products.”
The United States draws heavily on private corporations for ensuring national security. Corporations manufacture most of the nation’s arms. They produce most of the software and hardware for the computers the government uses. And corporations, under contract with the government, carry out many other security functions, including the collection and processing of intelligence and the conduct of covert operations.
Providing cyber security via regulations, however, has encountered resistance by private-sector representatives who hold that forcing companies to comply will harm their flexibility and ability to innovate. Further, businesses consider it unfair and inappropriate to demand a task of private industry—securing critical national assets—that is essentially a public-sector responsibility. Some in the private sector regard security requirements imposed by the government as unfunded mandates—as a form of taking—and demand that the government cover the costs involved.
Thus, according to Lieberman Software’s 2009 survey of information-technology executives in the corporate world, the limited cyber-security measures that businesses have introduced have been largely motivated by cost savings, with minimal concern for the protection of information. James Lewis, a cyber-security expert at the Center for Strategic & International Studies, flatly concluded that “the market has failed to secure cyberspace. A ten-year experiment in faith-based cyber security has proven this beyond question.”
During his tenure at the White House, Clarke attempted to institute an ambitious regulatory regime, but he says his plan was largely blocked by anti-regulation forces within the administration of George W. Bush. Stewart A. Baker, who served as the first assistant secretary of homeland security for policy at the time, writes that the proposed strategy “sidled up toward new mandates for industry,” would have required formation of a security research fund that would draw on contributions from technology companies, and would have increased pressure on Internet companies to provide security technology with their products. These requirements were viewed as too onerous for businesses, Baker notes, by many within the administration, and ultimately “anything that could offend industry, anything that hinted at government mandates, was stripped out.”
Some business people sense that the government was exaggerating the cyber-security threats. Terry Zink, program manager for Microsoft Forefront Online Security, commented ironically: “And let’s face it, government doesn’t have to have a profit motive to support something. The government supports lots of programs that otherwise lose money in the name of the public good.” Far from taking on the business community on this issue, President Obama stated in 2009 when unveiling his administration’s cyber-security policy: “Let me be very clear: My administration will not dictate security standards for private companies.”
A recent proposal features a new national data-breach reporting policy that would require private institutions to report security breaches to the affected individuals and the Federal Trade Commission within sixty days. The idea is that this would create an incentive to fix security lapses.
The proposal has encountered some resistance. Larry Clinton, president of the Internet Security Alliance, told a House homeland-security panel studying the plan that it creates “counter-incentives” by requiring businesses to publicly disclose their security status. Clinton argued that if corporations feel they may be “named and shamed for finding [security breaches], we’ve created exactly the wrong incentives.” It amounts to “regulation for regulation’s sake,” according to Representative Bob Goodlatte (R-Va).
On October 13th, the Securities and Exchange Commission issued a new order requiring corporations to disclose to what extent cyber attacks against them constitute a “material” risk. Presumably corporations will have to act to limit such risk or fall out of favor with investors. Possibly we have turned a corner—although given the SEC’s mixed record of enforcement, one should not take it for granted that cyber defenses in the private sector will be shored up to the level essential for national security.