Monday, August 3, 2015

Cyber Deterrence

The lead of Saturday’s article by David E. Sanger, U.S. Decides to Retaliate Against China’s Hacking [http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?_r=0], certainly got my attention.  We haven’t retaliated for much of anything done to us by the Chinese or anybody else, except possibly the North Koreans, who have such a small infrastructure, and so few users, that they probably failed to notice we hit them.

So, the meat of Sanger’s article was that the U.S. has finally had enough of Chinese hacking because of the OPM hacking of 21 million records of people with security clearances, and they are going to retaliate.  Maybe, sort of, in some way described this way:  

“One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”

In other words, they can’t figure out what to do, and on top of that, they no longer say China did the hacking.  Because Sanger is almost always right about what he says, that means the White House is not sure about what it should do, but wants to do something.

Cyber deterrence is especially difficult when you don’t have a strategy to make it work, and the White House has not had one since the beginning of computer time.  It is difficult to blame this particular White House, when all of them are equally to blame.  

I told the U.S. China Economic and Security Committee that had we had a nuclear deterrence as ridiculous as our cyber deterrence, we would all be speaking Russian now and would have lost the cold war.  We may not have liked the idea of “mutually assured destruction” [it doesn’t take much analysis to realize that neither side wins] but we had a strategy that was based on certain retaliation for a nuclear strike against the U.S.  It is harder today than it was then.  There were only a couple of countries that could strike the U.S. with enough weapons to ruin our Sunday morning, and one of them was not North Korea.  Having whackos with nuclear weapons and delivery systems is not a good thing, when we know they might decide to use them one day.  Iran is included in that number.  Those are difficult problems but nothing like cyber.    

China has been stealing us blind, but most of that was proprietary information stolen from industries with the intent of establishing their own competition with the U.S.  The OPM theft was different.  Their lengthy access to those records means we could have all kinds of people with records of clearances who never had one, or we could have some good people with clearances smeared with added information that takes time to verify as inaccurate.  The fact that we don’t have good records is more than just an inconvenient truth.  OPM is not processing clearances right now and industry is finding it hard to work around that kind of job requirement.  

The one thing the OPM theft did was wake up 21 million people who lost records.  These are Congressmen, high-ranking business leaders and board members, and government employees of all ilks.  They are not happy that our government allowed the records to be stolen and nobody seemed to do what needed to be done to protect them.  The first thing on that list of “to dos” is deterrence.

Iran has already launched a kind of attack against the U.S. banking infrastructure but it was not very successful. What made them think that nothing would be done to them if they did?  It wasn’t their lack of success, since attempting something like this is a failure of deterrence.  It is a little like firing a missile at the U.S. and having it land in the Pacific Ocean off the coast of Los Angeles.  Is the fact of a miss relevant?  We know where it came from.  We can be reasonably sure it was intended to hit somewhere other than where it did.  At least with missiles, we can have a pretty good idea of who did it.  

Cyber is not so easy.  North Korea attacked South Korea, doing $500 million in damages to their banking system.  I said that was a warning from China – North Korea never does anything their brothers to the north don’t know about.  It was a destructive attack that erased hard drives and did tremendous damage.  China measures the response to the type of incident by what we do to North Korea.  The Chinese know what they are doing, and they are not the ones who launched the attack.  They say, “Those North Koreans are so hard to keep in line.”  They think we are stupid.  

The stories of “patriotic hackers” started in the Chinese press the day after we announced OPM was hacked by the Chinese.  Patriotic hackers are a service for hire that the government pays for when they need help hacking.  These guys claim they don’t work for the government, making attribution harder unless you know for sure that the groups were hired by the government and not some rogue operations of crazies.  The Chinese know which is which because they monitor their Internet better than we do.  All the hoopla about NSA and our own internal monitoring made me laugh.  The rest of the world does far worse than anything NSA did, but they don’t have Edward Snowdens giving away their secrets.    

Some incidents are harder to attribute.  When someone attacks the root services of the Domain Name System, the heart of the Internet, we might not know who that was.  Maybe we can figure it out, but it takes weeks, sometimes longer to do.  We forget about it after a few days.  We forgot about OPM the first time the Chinese hacked it.  That was in 2013, two years ago.  Nobody did much of anything about it and the problems that allowed them in were not fixed.  That is a stain on the current administration that will not go away.  

Attribution takes time and deterrence doesn’t allow for that.  They hit us and we hit them.  That was a strategy of nuclear deterrence.  We weren’t going to wait for weeks or months to figure out who dropped the bombs.  Retaliation should be soon after the event for credibility of the deterrence.  Two things are noteworthy here.  First, our attribution has to be better.  We should know who does what in the cyber world.  We spend a lot of money on intelligence every year and while our Intelligence services can’t know everything, it would be nice if they know who is attacking us.  Our military should too.  Second, attribution should be followed by a credible threat to the other side.  We don’t seem to have much there either.  

Credibility of the threat lies in what we see happen when someone attacks us.  When nothing happens, the credibility is zero.  Sanger says that part is being addressed but the government is afraid it will escalate into a larger cyber conflict.  What they didn’t add was, “a larger cyber conflict that we are not prepared to fight”.  We are sadly unprepared for this kind of war.  Our military is supposed to be able to fight it, but certainly couldn’t.  It can’t even keep its own networks secured against attacks.  Besides, there is a good question about whether our military is the right response force for this kind of deterrence.  Nuclear blasts obliterate everything in their path.  Cyber attacks can be like a sharp-bladed knife in the hands of a sushi chef.  They can carve out a small piece of the banking or credit card system to attack and the military is ill prepared to strike back at anything similar.  I’m not even sure it is their job.

One of the most interesting parts of Sanger’s article is the discussion of the potential to respond by opening up some routes around the Great Firewall.  I like that one.  What China fears most is the opinions of its own people, spread around internally.  There is something deep going on in China that indicates they are cracking down on dissent and pushing a renewal of the Communist Party.  Anyone who sees that must wonder what is going on.  The Party has been in power as long as most of us have been alive.  Are they worried about what the Internet might do to it?  It’s hard to imagine such a thing.

Now, we need a deterrent, but why we needed to wait for a strategy until 21 million people started complaining is just one of the new realities of social media governance.  We need a lot of things the people don’t need to know about, but this is not one of them.  Those strategy sessions could have been held anytime in the eight years of this administration.  Now, the longer they wait, the worse the situation becomes.
