Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.
Recent reports of wide-scale and long-term Chinese Army cyberattacks against some of our private sector technology companies should come as no surprise. Not only that, they show that the Chinese can go against cybersystems and cybertargets of their choice, including whatever of our "critical cyber infrastructure" they select to penetrate—or shut down.
After years of writing about this threat, I'm afraid that we may have to suffer a withering and broad-based cyberattack of some kind before we are motivated to do some very basic and essential re-organization of our thinking and "mission planning" for our defenses against cyberattacks.
Here's why, and the utter simplicity of this "threat matrix" is—or should be—disconcerting to all of us.
Surprisingly, the corrective action needed is very basic, so one must assume that the reason it hasn't already been implemented is the same reason that paralyzes Washington in general—money and politics.
In short, Congress shovels billions of our dollars into the Department of Homeland Security because the money returns to their districts in the form of grants and other pork projects. Recall that the Department of Homeland Security is a huge cash cow that was created by Congress against the wishes of the president. And, when the department is assigned a cybersecurity role or mission (whether by legislation or executive order) its first reaction is to establish a "check writing" office to hand out big money. So, in effect, we have adopted a FEMA-like approach to our critical infrastructure cybersecurity—this should scare us all to death.
So I wonder, do we really have to experience a 9/11-scale attack on, for example, our electrical power grids or our financial sector ("zeroing out" Wall Street), before we take some real, self-revealing, and corrective steps to improve even our basic cybersecurity? Maybe.
What should we do?
Hopefully, this basic structure will be put in place by comprehensive authorizing legislation and implemented with executive orders and agency regulations, issued in coordination with the attorney general. And, Congress can still fling billions to the Department of Homeland Security, and even put it "in charge" of our cybersecurity—just as long as an independent agency is able to see how well it does it.
Until we are able to do this—or something like it—we remain vulnerable to exploitative cyber penetrations and critical system cyberattacks, carried out by foreign-based and state-actor entities. The ironic and potentially tragic part of this vulnerability is that we already have the skills and expertise—located in the various agencies of our government—we need to prevent it. Let's put them to work on it before the Chinese decide to shut off our electricity or manipulate our banking system—just to see if they can do it.