Commentary Magazine


Time for Debate on Chinese Cyberattacks

Former White House counterterrorism czar Richard Clarke is right to sound the alarm in the Wall Street Journal about Chinese cyberattacks on U.S. companies and the U.S. government. Chinese hackers are constantly probing our networks for purposes ranging from espionage to potential sabotage. Clarke notes, for example, that “the control systems for the U.S. electric power grid had been hacked and secret openings created so that the attacker could get back in with ease.” Beijing denies any involvement, but its claims are hard to take seriously, especially given the prominence cyberwar now enjoys in the official doctrine of the People’s Liberation Army.

The question is: what do we do about it? The military’s Cyber Command–part of the U.S. Strategic Command–is working on a new doctrine for cyberwar that reportedly calls for treating serious computer attacks as akin to an act of war subject to a kinetic response. That’s fine in theory, but in practice it is hard to imagine bombing Beijing in retaliation for the kinds of activities Chinese hackers are currently undertaking–“successfully stealing research and development, software source code, manufacturing know-how and government plans,” in Clarke’s words.

“Active defense”–i.e. retaliation in kind–is a serious possibility, although we need to be careful about setting off a cyberwar since we are more reliant on computer networks than any other major country and hence have the most to lose. Another necessity is to improve passive defenses. But that’s hard to do now because of the disjointed nature of our response.

Cyber Command and the National Security Agency (the two are headed by the same man, Gen. Keith Alexander) have responsibility for protecting governmental computer networks. But they have limited authority to deal with the vast civilian computer infrastructure. Technically, the Department of Homeland Security is supposed to take the lead here but it lacks Cyber Command’s expertise or resources.

The obvious answer would be to give Cyber Command more power to protect the civilian computer grid. The problem is this will entangle the military in domestic civilian computer interactions, raising fears of “Big Brother” watching what you’re doing. I believe the authorities should nevertheless be granted power–subject to tough punishments for any abuse–but this will require an act of Congress. But as Clarke notes: “Congress hasn’t passed a single piece of significant cybersecurity legislation.” It’s time for the debate to begin on Capitol Hill before Chinese cyberwarriors do any more damage.