Cyber Insecurity

China’s celebrations of the New Year of the Snake was preceded by countless successful performances of Chinese cyber-snakes slithering out of their holes to attack U.S. government, public and private entities.

Incredibly, the Obama Administration has yet to curtail, never mind deter, such attacks.

Instead, Obama’s lame executive order on cybersecurity, to be released on Wednesday, will call on critical private-sector industries to voluntarily and publicly report on hacking incidents. In turn, the U.S. government will share information with companies to help them protect their computers from hacking.

Chinese cyber attacks have been noticeably escalating since 2008, with little or no response from the government. Last July, the Justice Department initiated training of hundreds of prosecutors in an effort to increase the department’s ability toidentify and respond to criminals engaging in cyber espionage and cyber terrorism. However, this administration classifies terrorism — actions carried out by foreign elements against our national interests — merely as criminal offenses, not as acts of war.

Indeed, a prevailing view in Washington is that state-sponsored cyber attacks “fall below the thresholds of justifiable force in self-defense.” Therefore, goes the argument, a military reaction is “largely irrelevant.”

James Andrew Lewis, director of the CSIS’s technology and public policy program, states in a recent paper thatcyberattacks could become an “existential threat to the U.S.”

To mitigate this threat, Lewis proposes that the U.S. could make a “carefully managed diplomatic effort” that would inform the Chinese government that it would “take appropriate countermeasures against Chinese firms.” Such warning, he reasons, would help deter the Chinese. In addition, Lewis proposes that the U.S. notify the World Trade Organization “that it would exercise force majeure to stop honoring WTO commitments on the grounds that other signatories — China — have failed to honor them.”

Lewis proposes the WTO, admitting that the “WTO itself is not the right forum for dealing with national security issues.” Moreover, he notes that “compliance has led to a situation where the United States, which adheres more closely to the rules than its opponents, is at a disadvantage in responding to cyber espionage.” He seems to imply that compliance with WTO process takes precedence over U.S. economic and national security.

He goes on to recommend “balancing the costs and benefits of different actions” and creating “a stable international environment.” In the meantime, the U.S. economy has suffered an estimated loss of about $1 trillion.

Recent Iranian attacks on U.S. banks (Bank of America, Citibank, PNC, and others) were reported as distributed denial of service (DDoS) to online services. No retaliation is likely to spur the next wave of attacks, targeting banks’ infrastructure to steal their customers’ money.

Interviewed by the Economist, Cambridge University professor of security engineering Ross Anderson hypothesized that “If 20,000 machines [i.e., hackers’ computers] started hammering British payment gateways on the last weekend before Christmas people wouldn’t be able to shop except with cash.” In Britain, as in the U.S., this could generate a nation-wide panic, a run on the banks and the breakdown of law and order.

Chinese and Iranian cyber attacks aim to influence U.S. decision makers, both civilian and military, opined Arthur Herman in the New York Post. “As one Chinese cyber expert has put it, it’s possible to ‘make enemy commanders make wrong decisions or even stop fighting,’ or ignore an order to stop.”

Adhering to Sun-Tzu’s Art of War, cyber-war guru Wang Xiadong reasons: “‘Since thousands of personal computers can be linked up to perform a common operation … an Information Warfare victory will very likely be determined by which side can mobilize the most computer experts and part-time fans’ — meaning civilians trained in the art of hacking.'”

Indeed, “Chinese cyber experts at the Academy of Military Science know all you need to wage cyber-war is a computer, an Internet connection, time and patience — and the Chinese have plenty of all four.”

Nonetheless, the reluctance to acknowledge hacking as an act of war — economic war — prevails, thus precluding the best defense the U.S. could mount: cyber offense.

Our chief deficiency has been failure to engage on the question of who is responsible for protecting the country’s private sector businesses. The Obama administration’s sole concern has been private-sector-managed public infrastructure. Businesses, because they have no alternative, have been taking that responsibility to the extent that they are able, which is not great given legal prohibitions against cyber reprisal. However, the government has been all but mute on its responsibilities for the broader private sector.

It’s not surprising to learn that 2013 will see a “fierce” lobbying effort on the part of property and casualty insurance trade groups to extend the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), which is set to expire in December 2014. The insurance industry wants the Act extended to cyberterrorism:

“As currently written, it is unclear whether the law provides the same federal backing to insurers hit with catastrophic cyber-terror claims that they would receive after more conventional terrorist attacks. … If a terrorist or group of terrorists launch a severe cyber-terror attack on the United States or businesses in the U.S., there are serious questions about what impact that would have on the market. Right now, there is no specific reference to cyber-security in the law, so there is uncertainty about what the federal government’s role would be in that kind of situation,” said Robert Gordon, senior vice president of policy development and research for the Property Casualty Insurers Association of America.”

While the U.S. lags behind, Europe is pushing forward with new regulations and initiatives, setting requirements that, according to Stewart Baker, may well affect the U.S. economy. The European Commission apparently understands that the state of the European economy is a security matter. New regulations will require companies operating in Europe (not simply European companies: hence the impact on the U.S.) to report cyber security breaches. The banking and energy sectors are included.

The proposed cybersecurity strategy “would also require EU member countries to set up national authorities charged with defending against online attacks, sharing information with each other, law enforcement agencies and data protection authorities, and issuing public warnings about impending online threats.”

Thanks to Estonia, Europe doesn’t have to depend on the U.S for cybersecurty. In 2007, Estonia became the first country in the world to be targeted by a large-scale co-ordinated international cyberattack (from Russia). Its responses to that attack have been a model widely emulated, especially with regard to public-private partnership in protecting the national economy. In 2008, the Estonian capital Tallinn became the home of the new NATO Cooperative Cyber Defence Centre of Excellence and, in December last year, the EU’s newly founded IT Agency also set up shop in the city. Internationally, the current bible on cybersecurity is “The Tallin Manual on Cyberware”

Have you read about U.S. functional cooperation with Europe on general cybersecurity? We haven’t.

FYI—