In 2015, President Obama held a press conference with Chinese President Xi Jinping. “I indicated that it [cyber theft] has to stop.” Both governments agreed not to engage in or support online theft of intellectual property. In 2016, the Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion. Altogether, over the past decade China alone has stolen over $600 billion in US intellectual property via cyber espionage. These are conservative estimates. The United States Trade Representative has calculated that Chinese cyber theft “costs between $225 billion and $600 billion annually.”
So what is the U.S. government doing to stop continuous theft? According to a National Security Agency spokesman, identifying bad actors in cyberspace is the biggest change from the Obama to the Trump administration. Shortly before leaving office, Attorney General Jeff Sessions deplored the persistence of cyber thievery. “The problem has been growing rapidly,” he said. “We’re not going to take it anymore.” The Attorney General triumphantly announced that a grand jury had indicted three Chinese individuals. Of course, none reside in the United States.
What’s going on here? Why does administration after administration tolerate blatant cyber thievery? It is commonly accepted that in a conventional war, the U.S. possesses a huge war-fighting edge over any foe, be it Russia, China, or Iran. In the cyber realm, we are also stronger than our adversaries. According to a cyber expert quoted in a recent article in Forbes: “Because the US controls about 80% of Internet traffic globally, it's in a dominant position on the cyber stage.” While intuitively it sounds plausible that the U.S. is superior at each step in a tit-for-tat cyber exchange with state-sponsored hackers, no senior American official has made that case.
Instead, our government tolerates systemic cyber attacks by our adversaries. These occur because there is no systemic offensive response by our government. According to our Constitution, our military has the means “to provide for the common defense.” However, our government is more adept at “lawfare” than at cyber warfare. Our Department of Justice forbids under penalty of law (U.S. Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section, Prosecuting Computer Crimes, January 14, 2015, p. 180) a corporation from “hacking back” after a cyber attack from a foreign adversary. But the military cannot use its muscle to provide a common defense for our corporations. Indeed, even convening meetings to exchange data between the military and the private sector is highly fraught.
Our government—notably the Defense Department—must take retaliatory actions that inflict severe economic pain upon the states that sponsor cyber attacks against us. President Trump and some in Congress have decided we need a new military service called the Space Force. But no senior official, appointed or elected, is publicly championing an effective “Cyber Force” that can and will strike back. This situation has to change.