Turning a Blind Eye to Cyber Attacks
As a member of the House Select Committee on Intelligence, I am reminded every day that we live in a dangerous world. It is violent and chaotic, and it’s becoming more so all the time. But among the many national security threats that we face, in no area are we more vulnerable, and do we face so great a destructive potential, than the cyber realm. Our power grid, banking system, energy pipelines, air traffic control and other critical systems all are at risk. The recent cyberattack on the Office of Personnel Management is a clear demonstration of our vulnerabilities.
It’s no coincidence that our adversaries chose to strike the OPM. Not only did they gain access to the personal information of 22 million current and former federal employees, but they also stole highly sensitive information collected in the security-clearance process. As a former Air Force pilot, I know how extensive and intensely personal these files are. The fact that the attackers were so brazen shows they knew that the benefits of gaining this information far outweighed the risks of getting caught.
Because most cyberattacks do not produce the physical devastation of conventional aggression, it’s easy to ignore the destruction that they cause. With each new attack, we seem to shrug and move on. But the reality is that cybercrime costs the world economy more than $400 billion a year. More important, cyberattacks pose immediate threats to U.S. national security. And with millions of attacks taking place each day, it’s likely that there have been other government breaches that have yet to be discovered. It is beyond time for the United States to develop a plan and the political will to deal with this threat.
Part of the problem in creating a cybersecurity strategy lies in the lack of accountability in government leadership. When a cyberattack happens in the private sector, the consequences are immediate. Target chief executive Gregg Steinhafel was fired last year after a credit card breach that affected more than 40 million customers, and lower-level employees at other companies have lost their jobs over other cyber breaches. The private sector is not afraid to hold its leaders accountable for cyber failures. As congressional hearings have clearly demonstrated, however, such a culture doesn’t exist in the federal government. It was three months after the breach was discovered and five long weeks of intense public criticism before OPM Director Katherine Archuleta finally resigned.
There is another consideration beyond simple accountability. The president needs to do the heavy work of implementing a strategy that includes deterrence. Because bullies don’t pick on those who are willing to fight back, we similarly need to offer a credible deterrent to our adversaries. As Adm. Michael S. Rogers, head of the National Security Agency and U.S. Cyber Command, testified at a recent Senate Armed Services hearing: “In the end, a purely defensive, reactive strategy will be both late to need and incredibly resource-intense.”
Deterrence is particularly important when those responsible are not criminal organizations but nation-states. Cybercriminals typically want to steal or damage things. Nations such as China, Russia, Iran and North Korea seek to gain advantage in order to further their own interests. In the OPM attack, those interests very likely included identifying Americans who could be blackmailed, recruited as foreign spies or identified as U.S. intelligence agents. The attack may also have been intended to test how far hackers could go without provoking meaningful punishment. Letting the perpetrators off the hook with nothing but a sternly worded speech will only invite further aggression.
There must be appropriate consequences for those who initiate a cyberattack. The president already has authority to punish state-sponsored attackers through the application of sanctions and other financial restrictions. We should also use the court of public opinion more effectively by naming and shaming the responsible parties. The State Department could begin denying visas to responsible individuals and making cybersecurity a top priority in diplomatic talks.
Finally, and perhaps most important, just as in conventional warfare, we need to make sure the threat of hard retaliation is credible by keeping the option of a cybercounterattack on the table.
Right now, our enemies feel as if they can act with impunity, because, by and large, they can. This dangerous situation will only get worse until we have a deterrence policy in place.
Originally published in the Washington Post on July 24, 2015.