Cyber Picks Up in U.S. Foreign Policy

The President yesterday laid out a bigger context for competition between national powers, and mentioned cyber as one of the areas he would give additional emphasis.  At the same time, the White House pointed fingers at North Korea over the Wannacry attacks, which most everyone in security circles knew were launched from there.  It sounded like a warning in the context of the other parts of the speech.

I pointed out last year that Janet Yellen mentioned cyber security in one of her major speeches.  That doesn’t happen very often.  The North Koreans and Chinese have pushed the cyber parts of heir strategy into territory that crosses into commercial interests.  The first attacks by North Korea were on the banking infrastructure of South Korea ( along with some military and government targets at the same time).  That was sure to get the desired effect.  The second atttack was on Sony, a further demonstration of what happens when private emails are given to the press after a damaging attack is completed.  These kinds of attacks haven’t stopped coming, now that they have proven to be effective.  Political interference and manipulation of social media is expanding rapidly.

These are all threats generated from foreign governments, or with their sponsorship.  There is a long series of articles in today’s Wall Street Journal on the national of the nation-state threat, but there is very little new in what is discussed.  Attacks on businesses by foreign governments are out of line and need a response.  That response should use two principles, reciprocity and retaliation.  Attacks on business need a response to businesses, especially those contacted to do this kind of work.  Our government needs to sponsor that response, but not necessarily do it themselves.  Attack them, publish their internal email, and disrupt their computers.  Retaliate against the government directly, which the Obama Administration was said to have done with North Korea.  They don’t mind, but that doesn’t mean it shouldn’t be done.  They have to expect that their attacks are not without consequence.

At the same time, start doing more to defend against cyber attacks.  We have seen very little new cyber defense mechanisms that work.  Sow a little reserach money on this area.  Then, start with new policies that recognize advanced cyber defense.  We continue to struggle along with nothing new, and policies that discourage anything that is.