Earlier this week, the Pentagon issued a report accusing the Chinese government and military of conducting cyber attacks against the U.S. in an effort to gather intelligence on diplomatic, economic and defense programs. This follows a report released earlier this year by cybersecurity firm Mandiant, which also accused the Chinese military of carrying out cyber attacks against more than 140 companies, the majority of them American. Neither of these reports, however, came as shock to those who have worked in or followed the information security industry for any length of time as China has frequently been accused, either directly or indirectly, of perpetrating such attacks for years.
According to retired Navy Rear Adm. James Barnett, who formerly served as chief of public safety and homeland security at the Federal Communications Commission, one of the problems historically with accusing China of these cyber intrusions is being able to directly link them to the crime.
"The major problem in dealing with state-sponsored cyber theft or cyber espionage directed against our defense industry is attribution," says Barnett, who currently heads the cybersecurity practice at Washington law firm Venable LLP. "The Chinese government has always said 'hey, we have not done criminal activity, you’re pointing the finger the wrong way because we’re not for cyber crime.' The Mandiant report was significant. It is circumstantial evidence, but it is strong circumstantial evidence that (a Chinese military unit) was involved in cyber crime. They linked it to direct things they have been doing."
Barnett says what is interesting is the timing behind the releases of these two reports, which could indicate the building of a case by the U.S. against China where they can no longer use "plausible deniability" as an excuse.
"I think what we’re seeing is the laying of groundwork for a more diplomatic approach to suppressing this," explained Barnett. "Will that be effective? Perhaps not, but it is certainly something that has been lacking in the past. Things that you may see come after that is probably behind the scenes discussions about this and perhaps, in the future, we’re going to see some type of sanctions that may come about as a result of this."
Another variable in this cyber game of cat and mouse is the role of private industry and the responsibility they have in securing their network infrastructure. This was a major impetus behind the cybersecurity executive order issued earlier this year by President Barack Obama, which gives government agencies a year to devise a "baseline framework" for cybersecurity that incorporates industry best practices and also requires the intelligence community to share possible threats that could impact businesses considered to be part of the nation’s critical infrastructure.
"I think one of the things we’re going to see this year with the executive order is a raising of the bar and everyone recognizing that you’re not going to be able to keep everyone out completely, but we’re not going to be in the situation of our defense industry where you’re unaware, for a significant amount of time, that you’ve got somebody in your system," Barnett says. "I think one of the principles that is going to have to be recognized is that this is a domain where the frontline is and always will be held by privately operated industries, not the government," Barnett says.
However, Barnett believes that the federal government will have to go beyond just intelligence sharing and actually provide private industry with incentives to bolster their cybersecurity posture. "The government can play the role of providing a security market. In other words, basically saying 'industry, the dollar that you spend on securing your networks, securing your information is going to be incentivized by tax breaks or tax credits,'" Barnett says. Another way to possibly incentivize private industry, according to Barnett, is to limit their liability when it comes to intrusions if they take proper security precautions. However, he says none of these things will be possible with the partisan gridlock that has taken hold in Washington.