FRESH ALARMS are being sounded about the dangers of cyberattack, and they are serious enough to give pause. Evidence suggests an unprecedented wave of cyber-espionage, and theft is underway. A cyber-arms race is gathering steam. Unfortunately, the policy response is lagging.
Gen. Keith B. Alexander, who heads the National Security Agency and U.S. Cyber Command, recently described the theft of intellectual property in cyberspace as “the greatest transfer of wealth in history.” He estimated that hundreds of billions of dollars have been lost by U.S. companies and institutions, “our future disappearing in front of us.” He warned of a coming shift in cyberattacks from “disruptive to destructive,” that is, from annoying Web site interruptions to damaging takedowns of financial systems or power grids.
Mr. Alexander also said that, while the world’s population will be 7.3 billion by 2016, the world’s mobile device population will be 10 billion. “Our companies use these, our kids use these, we use these devices,” he said. “They’re not secure.”
On July 10, cybersecurity experts James Mulvenon and Gregory Rattray unveiled a study that concludes “the current strategic cyber environment is fundamentally unstable.” Their message: Security concepts the United States has relied upon for decades, such as deterrence, may be weak or useless in the face of cyber-conflict, where offense dominates, preemption is impossible and assaults come at network speed. This instability is “highly dangerous” for the United States, which has “so much to lose” because it is heavily dependent on networks.
If we have so much to lose, why is the response so tepid? The private sector stands at the front lines of the assault on intellectual property, especially the attacks on critical infrastructure, yet corporations are often loath to acknowledge that they have been looted, so they remain silent. This contributes to complacency. There is an urgent need for legislation to improve cooperation between the private sector and the U.S. government, which possesses valuable tools for fighting cyber-intrusions and malware. The House has acted, and compromise legislation proposed in the Senate would set voluntary security standards for companies that run critical infrastructure. The bill, though not optimal, would be a worthwhile start and should be passed.
The global cyber-arms race is a reality. By deploying a computer worm known as Stuxnet in a covert operation intended to damage Iran’s equipment for enriching uranium, the United States crossed a line. Stuxnet was designed to do physical harm. What if other nations do the same — and do it to us?
The U.S. government has revealed little about its offensive activities in this sphere. We think this is shortsighted. Two years ago, the National Research Council found that the government’s policy and legal framework for offensive cyber-programs was “ill-formed, undeveloped and highly uncertain.” Is it any different today? An open, vigorous debate is needed about the threat of cyberwar and the potential response. We had a decades-long debate about nuclear weapons, and it was healthy for the country and the world. We ought to bring the discussion about offensive cyber-conflict out of the shadows.