The extensive press coverage regarding alleged Chinese involvement in cyber espionage, as well as Beijing’s high-profile Internet censorship efforts, have underscored a worrying reality for U.S. officials – U.S. cyberspace policies are still at an embryonic stage. Worse – this comes as the U.S. is faced with a dire threat to its own security.
A highly publicized report to Congress by the U.S.-China Economic and Security Review Commission earlier this month observed that China’s “professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policymaking information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.”
The report also noted that China is aware of gaps in U.S. cyber strategies, and may be exploiting gray areas in “U.S. policymaking and legal frameworks to create delays in U.S. command decision making.” Yet despite the magnitude of the challenge at hand being clear, the next president – whether it’s Barack Obama or Republican frontrunner Mitt Romney who wins the White House in November – will be faced with a frustrating but necessary challenge in tackling U.S.-Chinese cybersecurity engagement.
After the White House published Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure in June 2009, several initiatives were launched or announced by elements of the U.S. defense community.In 2010, declassification of the Comprehensive National Cybersecurity Initiative (CNCI), enabled the timely development of a framework for international partnerships consistent with a common cybersecurity policy. In 2011, the White House released the U.S. International Strategy for Cyberspace. Subtitled, Prosperity, Security, and Openness in a Networked World,the document falls short of providing the solutions necessary to live up to its name. The simple fact is, without security there can be no prosperity or openness. This is where the new strategy is woefully inadequate – it lacks security strategies informed by technology rather than private sector lobbyists.
The sole purpose of cyberspace is to create effects in the real world. The United States’ high-tech sector leads the world in the innovation and development of computers, software and Internet services. These technologies are the backbone of the global information society. U.S. companies provide technologies that allow more and better digital information to flow across borders, thereby enhancing socioeconomic and human development worldwide. When markets and Internet connections are open, U.S. IT companies shape the world and prosper.
But leveraging the benefits of the Internet can’t occur if confidence in networked digital information and communications technologies is lacking. In cyberspace, security is the cornerstone of openness and prosperity. Cyber policies and strategies must therefore focus on promoting trust, network security, authentication, privacy and consumer protection.
In addition to benefits of free flowing communications, utility companies and industry rely on cyberspace to control critical systems. Electricity, water treatment, public health and financial services are at risk from operating specialized industrial control and embedded systems without appropriate security controls.
Today’s White House strategy prevents the federal government and the U.S. military from utilizing its expertise to protect private sector networks over which critical services flow – those that are often responsible for our prosperity.
To date, there hasn’t been a cyber event that has caused the destruction of critical infrastructure, but it would be poor strategy to do so right now anyway. Why? Because once such an attack is launched, defenders will learn from it, fixing weaknesses and preventing the same attack in the future. Thus, an American adversary is wise to avoid such an attack until a broader conflict between the United States and an adversarial nation is imminent.