Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, Va. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bipartisan general counsel for the U.S. Senate Select Committee on Intelligence.
Recent reports of wide-scale and long-term Chinese Army cyberattacks against some of our private sector technology companies should come as no surprise. Not only that, they show that the Chinese can go against cybersystems and cybertargets of their choice, including whatever of our "critical cyber infrastructure" they select to penetrate—or shut down.
After years of writing about this threat, I'm afraid that we may have to suffer a withering and broad-based cyberattack of some kind before we are motivated to do some very basic and essential re-organization of our thinking and "mission planning" for our defenses against cyber attacks.
Here's why, and the utter simplicity of this "threat matrix" is—or should be—disconcerting to all of us.
- Most of our critical cyber infrastructure is in the private sector, unlike similar kinds of infrastructures in the rest of the world, which are owned—or controlled—by governments.
- Our Congress's preferred approach to our private sector cybersecurity—so far—is to fling huge amounts of money at the Department of Homeland Security, which then passes it on to the private sector—this after allowing them to "certify" that they have improved their cybersecurity according to the standards they have established for themselves! Talk about the wolf guarding the sheep.
- We seem unable to admit the fundamental and most dangerous reality of the basic cyberthreat against us: The reason our critical private cyber infrastructures have not been shut down is that they are far more valuable to the Chinese when penetrated and robbed of their information. This is indeed a sad state of affairs.
Surprisingly, the corrective action needed is very basic, so one must assume that the reason it hasn't already been implemented is the same reason that paralyzes Washington in general—money and politics.
In short, Congress shovels billions of our dollars into the Department of Homeland Security because the money returns to their districts in the form of grants and other pork projects. Recall that the Department of Homeland Security is a huge cash cow that was created by Congress against the wishes of the president. And, when the department is assigned a cybersecurity role or mission (whether by legislation or executive order) its first reaction is to establish a "check writing" office to hand out big money. So, in effect, we have adopted a FEMA-like approach to our critical infrastructure cybersecurity—this should scare us all to death.
So I wonder, do we really have to experience a 9/11-scale attack on, for example, our electrical power grids or our financial sector ("zeroing out" Wall Street), before we take some real, self-revealing, and corrective steps to improve even our basic cybersecurity? Maybe.
What should we do?
- Most important: We must be able to "stress test" our own critical infrastructure cybersystems, public and private; the stress testing should be done by the National Security Agency, FBI, and Department of Homeland Security, with the National Security Agency acting as the "technical lead". When weaknesses are found, they must be fixed—and fixed fast—because if we can find them so can the Chinese.
- As important: The stress testing of our critical cybersystems must be carried out pursuant to very strict operational and privacy guidelines approved by the attorney general, and with regular oversight reporting to the relevant committees of Congress.
Hopefully, this basic structure will be put in place by comprehensive authorizing legislation and implemented with executive orders and agency regulations, issued in coordination with the attorney general. And, Congress can still fling billions to the Department of Homeland Security, and even put them "in charge" of our cybersecurity—just as long as an independent agency is able to see how well they do it.
Until we are able to do this—or something like it—we remain vulnerable to exploitative cyber penetrations and critical system cyberattacks, carried out by foreign-based and state-actor entities. The ironic and potentially tragic part of this vulnerability is that we already have the skills and expertise—located in the various agencies of our government—we need to prevent it. Let's put them to work on it before the Chinese decide to shut off our electricity or manipulate our banking system—just to see if they can do it.