Left: US President Barack Obama is expected to take a firm line on the issue of hacking during Chinese President Xi Jinping’s visit. Photo: AP
Talk about imposing sanctions on Chinese and Russian individuals and a company benefiting from their government’s looting of American trade, military and personnel secrets, is cheap, but futile.
The Obama administration’s threats of sanctions may sound reassuring to largely cyber-ignorant Americans, but it will do little to discourage further attacks. But threatening obviously difficult-to impose sanctions, will do little to deter the Chinese or the Russians. Especially so, since the security of the American government and private sector cyber systems is lacking, thus minimizing the risk of discovery before large quantities of data can be stolen over a long period of time.
Besides, how would the U.S. government prove the companies or individuals knew the information was stolen? And what difference will it make, if meanwhile the difficult to prove stolen intellectual property has been already developed into products sold all over the world? Does the U.S. government expect American companies to publicly admit their failure?
Stealing American military, research and trade secrets by hacking into vulnerable computer systems has been publicly acknowledged in October 1999. Reportedly, the Pentagon, Energy Department’s nuclear weapons and research labs, the National Aeronautics and Space Administration and several university research facilities and defense contractors, have been penetrated for at least one ewer. An FBI investigation, at that time, could not determine the identity of the hackers, but “circumstantial evidence points heavily toward a Russia-based intelligence-gathering operation.” A year later, in 2000, the Defense Department traced the attacks back to Russia, but could not identify the “sponsor” of the attacks. While U.S. officials said that no secrets were stolen, they couldn’t say what and how much data was stolen. The Russian government, with Vladimir Putin, then acting president, denied any involvement. The significant change since then is the huge increase of Russian cyber attacks on U.S. vulnerable government and private sector computers.
When did China begin its cyber attacks on the U.S. is unclear. But the Obama administration’s first public threats to “ take more assertive action against this cyber-threat,” was reported following the news in early February 2013 that Chinese hacked into the New York Times.” However, the huge increase of cyber attacks on U.S. government and private sector shows that appointing cyber czars and spending hundreds of millions on contractors did nothing to prevent a huge increase in cyber attacks, or even contributing to cyber literacy of American office holders and the general public.
Instead of issuing more threats, the administration should consider Former assistant Secretary of Defense Richard Perle’s suggestion, as stated on April 9, 2013, at the American Center for Democracy’s briefing on “New Strategies to Secure the U.S. Economy from Cyber Depredation.” Perle suggested the following:
“Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn’t (it’s mostly ours to begin with), you should understand that we can do to you what you are doing to us. We don’t think there is much to be gained by stealing your intellectual property but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent.”
At the same forum, George Mason University Law Professor Jeremy Rabkin noted “there’s no good reason why we shouldn’t use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. He pointed out that, “Cyber [warfare is] more like naval war–where we disrupt the enemy’s trade and communication without exempting commerce just because it’s owned by civilians…. So what is permissible in naval war should be applicable to cyber conflict.”
In the meantime, the U.S. government should use echo-response when it recognizes intrusion (hopefully immediately) to destroy the attacking system and authorize similar measures to the private sector, which would otherwise be illegal.