The Director of the National Security Agency said he expects a major cyberattack against the U.S. in the next decade. “It’s only a matter of the ‘when,’ not the ‘if,’” Admiral Michael Rogers said, “that we are going to see something dramatic.”1
Both China and Russia are suspected of having the capability to infiltrate U.S. computer systems that control the electrical grid, nuclear power plants, air traffic control, and subway systems. China routinely employs its hacking prowess.
“There are two kinds of big companies in the United States,” the Director of the FBI, James Comey, said recently. “There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”2
The government of China is the world’s largest, most successful, and most public thief. Europe’s response? Silence. America’s response? Silence.
“You can just do literally almost anything you want,” Adm. Rogers said, “and there isn’t a price to pay for it.”
On President Obama’s recent visit to China, he triumphantly announced a diplomatic coup: Beginning immediately, he would impose upon American corporations penalties and restrictions to decrease carbon emissions, while China promised to do the same by the year 2030. So fourteen years after he leaves office, Mr. Obama will send a letter to the president of China, reminding him to shut down several thousand coal burning plants and turn out the lights in ten million Chinese homes.
Given this style of bargaining, it is no wonder that Mr. Obama did not insist that China desist from its global and systematic cyber theft. Nor have American and multinational corporations exerted any leverage to prevent the stealing. Perhaps they are terrorized by the prospect that China would retaliate by barring them from its consumer market.
In any event, economic sanctions historically have a poor track record, because they affect the whole population of a nation, while its leaders are less deprived. One exception was the American embargo of its oil exports to Japan. This helped motivate Japan to expand its war in Southeast Asia. The oil embargo imposed in the ‘90s against Iraq did not loosen the grip for Saddam Hussein. The financial strictures applied against Iran in 2011 did cause the regime great consternation, until relaxed when Iran agreed to interminable negotiations about its implacable quest to develop nuclear weapons. Certainly there are some restrictions upon Chinese exports that could be imposed in retaliation for its cyber theft. But so far, the administration has been content to issue arrest warrants for a few Chinese generals quite content to live in Beijing.
On the other side of the world, Russia has on several occasions flexed its cyber muscle to disrupt Internet connectivity in Estonia and Georgia. And as in the case of China, America and NATO Europe had no response. Cyber disruption is, like cyber theft, an economic weapon that affects commerce and routine human interactions. To grasp how ubiquitous Internet connectivity is, simply glance around the boarding area in any airport.
In the event of an actual shooting war, our military is prepared to conduct offensive and defensive cyber warfare. More problematic—and more probable—is a cyber economic conflict that spirals out of control. Suppose in 2017 an executive at an IT company like Google, fed up by China’s theft, launched retaliatory cyber strikes to teach the Chinese a lesson. The Chinese then respond by a broad, disruptive strike. The new American president, less passive than Mr. Obama, orders a calibrated response more severe than the Chinese attack.
What follows? Does China shut down a portion of the U.S. power grid? Do American hackers and various companies launch their own spontaneous attacks? Do firewalls crumble, with unintended consequences? Who yields first, asking for a truce? We don’t know.
In the late ‘50s, a phalanx of brilliant analysts—economists, physicists, engineers, etc.—at the Rand Corporation in California developed deterrent strategies pertaining to nuclear war. Rules of restraint and escalatory ladders affected the calculations of a generation of American and Soviet leaders. Mutual Assured Destruction was surely mad. It was insane for either side to launch nuclear-armed missiles without calculating the devastating consequences of the assured counter strike.
No similar body of work exists about cyber warfare in the military, the civilian, or the corporate world.
“We need to define what would be offensive, what would be an act of war,” Admiral Rogers said. “Being totally on the defensive is a very losing strategy to me.”
We are in a period of experiment by trial and error. So far, China has succeeded in corporate theft. Russia has employed cyber blackmail by disrupting Internet services to small nations adjacent to its border. Unlike Freedom of the Seas that is codified in treaties and United Nations resolutions—and enforced by America’s naval might—freedom of cyber commerce is not codified, much less enforced.
Given that neither China nor Russia has received any punishment or retaliation for their past cyber aggressions, the odds are high that Admiral Rogers will be proven right. There will be a cyber attack that begins to spiral out of the control of any government. This will be managed by an ExComm—an ad hoc Executive Committee—as President Kennedy convened in October of 1962. But a hasty confab of advisers is no substitute for systematic planning and war-gaming. Common sense demands that the U.S. national security community test, establish, and promulgate cyber rules of the road, backed by credible retaliatory measures.
1. Siobahn Gorman, “NSA Director Warns of ‘Dramatic’ Cyberattack in Next Decade,” The Wall Street Journal November 20, 2014.
2. Maria Tadeo, “FBI’s James Comey accuses China of hacking into every major American company,” The Independent October 6, 2014.