As the Senate reconvenes to debate the cybersecurity bill, President Obama himself has set the stakes in terms of preventing a future catastrophic attack. But some say the real and present danger is what’s happening under our noses right now, in an online theft of intellectual property that Cyber Command chief Gen. Keith Alexander called “the greatest transfer of wealth in history.”
“Don’t wait for something to go boom. It’s happening and it’s happening quietly right now,” said David Smith, director of the Potomac Institute’s Cyber Security Center, in an interview with Breaking Defense. “I don’t think they’re nibbling around the edges; I think the rat’s eating your sandwich.”
While Chinese threats have gotten the most attention, the rat in the kitchen is just as likely to be Russian, said Smith, a former ambassador who worked on arms control negotiations with the then-Soviet Union and who now spends about half his time in the former Soviet republic of Georgia, which suffered a Russian cyberattack alongside a conventional invasion in 2008. The Russians have a well-educated population with computer skills and a thriving underworld with government contacts, so the Kremlin can mobilize legions of online scammers as “a vast cyber reserve force” for online campaigns, Smith said, pointing to the attacks on Georgia and on Estonia in 2007.
“The difference is the Russians don’t get caught” as often as the Chinese, Smith said. But hackers from both countries are going after American intellectual property on a grand scale that goes beyond individual larceny to a national strategy.
“What you have underway right now is systematic espionage against the United States,” said Smith. “This is not intelligence agencies stealing this or that secret, this is not industrial espionage where some company in another country wants to get the process for something or other. We’re talking about a systematic effort to equalize the technology edge that the United States enjoys over every other country in the world by stealing US intellectual property…. This is strategic.”
It’s not that the President’s catastrophic scenario of a “cyber Pearl Harbor” is impossible, said Smith. We’re not likely to see a real-life version of the movie Live Free or Die Hard, “where we have buses hitting something and flying up in the air and hitting helicopters — that’s a little far fetched,” Smith said. “[But] clearly there are possibilities for attacks on industrial control systems that could wreak a lot of havoc.”
The nightmare scenario that hackers might derail trains, erase bank accounts, or shut down the power grid is a lot easier to visualize — and a lot easier to mobilize people to take action about — than the subtler threat of mass theft of intellectual property. But like the proverbial frog that won’t jump out of water slowly coming to a boil, a threat you don’t notice can still kill you.
The conceptual problem is that the cyber threat turns centuries of assumptions about public and private roles in national security upside down, Smith said. Historically, if foreign adversaries wanted to steal something from your home or place of business, they had to fight through your country’s armies and navies, or at least break down your city wall, before they could pillage civilians. In our brave new world of interconnection, a cyber attacker can access civilian systems directly — and once he’s in one company’s network, he can use it to attack the next.
“It’s not only your business” that’s at stake in how well you secure your company’s network, Smith said. “There’s a national security issue…. The United States of America might be attacked through you.”
So when a business makes decisions about cybersecurity, there’s far more than its own balance sheet potentially at stake. But both business and government always struggled to handle such “externalities” — witness all the attempts to regulate pollution. When the Lieberman-Collins bill first came out, said Smith, “that was kind of the reaction of the business community, here we go again”: more regulation imposing more costs on private companies for public ends. That bill has been heavily revised, in large part thanks to the behind-the-scenes efforts of the conservative Sen. Jon Kyl and the liberal Sen. Sheldon Whitehouse, and Smith thinks it now represents a major step forward towards a solution — if it becomes law. “A bill going to the floor of the Senate has many steps to go,” Smith noted, “[and] there’s really not a conferenceable bill on the House side.”
Whatever the final balance between mandates and incentives to get businesses to act, Smith said, it’s clear that private industry, not the government, must play the leading role in cybersecurity. “I don’t think you want the government interposing itself [and] monitoring your networks,” he said — even if it could: “I don’t think it would work even if it were a good idea, and it’s not a good idea,” he said. “We’re not talking about inspecting meat packing plants here,” or any other circumscribed regulatory problem, he said, but literally millions of systems that interconnect and penetrate into every area of civilian life. To defend that vast web, said Smith, “we’ve got to pull together in a new way.”