N AT I O N A L
In 2012, then Defense Secretary Leon Panetta warned of a cyberattack that could kill by compromising water supplies, public transportation, and power grids. “An aggressive nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” said Panetta. “[The worst-case scenario would be] cyber-actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack…a cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
budget allocations for cyber programs from Congress, developing a plan for coordinating cyber activities across agencies when responding to a large cyberattack, and constructing an automated capability to share incident information in near real-time. Finally, Congress can take action. The House this year passed the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015. These bills would greatly increase the amount of information shared between the public and private sectors and mandate heads of agencies conduct periodic reviews of their agencies’ cyber performance. The Senate has yet to vote on any cyber legislation this session. Cyberattacks against the United States have grown in volume and scale. Already, the United States has bled corporate secrets, patented information, and personnel records. With these vulnerabilities comes the risk of a cyberattack capable of taking lives. As in Pearl Harbor, if the United States fails to prepare for the attack, it can only respond to the damage. ◼
These hacks are alarming and illustrate the vulnerability of the U.S. cyber infrastructure.
01
This gloomy portent is already showing signs of coming true. Russian hackers have breached most of the United States’ critical infrastructure in an attempt to “poke and prod U.S. networks for vulnerabilities,” according to The Hill. Darien Kindlund, director of threat research at cyber intelligence firm FireEye, said the Russian hack could have been a “staging tactic for something larger.”
0
1110011
001
0
0 0 1
0 00
01
1100 0 0 1
11011110
111
00
10
Prepare for Attack
In response to the OPM data breach, the Obama administration launched a 30 day “Cybersecurity Sprint.” This initiative mainly increased the amount of two-factor verification used to access certain networks and investigated each agency’s particular vulnerabilities. However, some senior cybersecurity officials and technology experts told The New York Times that this effort gave the United States’ cyber-defenses “the software version of Bubble Wrap.” If that is the case, then what must be done to make the United States substantially cyber secure? First, U.S. policymakers should attempt to codify international ground rules for cyber conflict. Obama tried to do this during Chinese President Xi Jinping’s visit to his country. The result was what Obama called a “common understanding” that neither government would knowingly support the theft of corporate secrets. That “understanding” is nonbinding, includes no other countries, establishes no international norms of conduct, limits itself to corporate espionage, and allows ample room for plausible deniability. When Director of National Intelligence James Clapper was asked if he was optimistic that this agreement would eliminate Chinese cyberattacks, he simply answered, “No.” The type of rules the U.S. government needs to promote is a Geneva-Conventions-style framework that applies to all state actors. Not only would this establish rules of conduct that should be adhered to, but it would define ways in which states can retaliate. With rules like this in place, the next time the United States discovers a hack coming from China, Russia, or another state actor, it could retaliate in a predefined way. This would also enable the United States to make a deterrent threat against a cyberattack. There is a range of short-term options that U.S. policy makers could choose as well. The Department of Homeland Security outlined many of them in an audit this year. The audit advised instituting a cyber training program for analysts and investigators, ensuring long-term
0 10
11
01
1010 100
110
0001
011100100
Georgia Political Review | 15
1 1 1 1
0
01 0
0