CSIS fellow Jim Lewis says we need to bring a full range of diplomatic and intelligence resources to bear against Chinese incursions into U.S. systems, not just beef up cybersecurity.
The Internet has created “a golden age for intelligence collection,” says James Lewis, a fellow at the Center for Strategic and International Studies. In fact, he writes in a new paper on conflict in cyberspace, “The primary challenge for sophisticated intelligence agencies is not the collection of data, so porous are Internet-based systems, but the ability to store, process and analyze the data they have acquired.”
This is not much of a surprise in the wake of recent reports such as that from Mandiant detailing the incursion efforts by the Chinese People’s Liberation Army, believed responsible for penetrating the systems of more than 140 companies, many of them in the United States. The Mandiant study itself builds on earlier work by other security researchers. The clear message is that the Chinese are in U.S. systems, have been for some time, and are not likely to leave any time soon.
All of which raises the question: How do we protect ourselves against these attacks? Better security awareness would help. Organizations, both government and private, need to know what resources must be protected and then focus their efforts on those. Even organizations that are not targets can become vulnerable links in a chain of complex attacks, and they need to protect themselves accordingly.
But relying on technology alone is not enough, Lewis says. The stakes are too high and the systems being targeted are too complex for that.
“Any analysis of cybersecurity needs to accept the fact that cyber espionage will continue,” he writes. Improving system security can discourage amateurs and criminals looking for easy money, “but advanced services, with their resources and their combined technical means, will retain an advantage. The task of cyber espionage will become more difficult, and a sophisticated opponent will still be able to achieve success.”
Government must bring to bear its intelligence, diplomatic and political resources, treating espionage as an IP and trade issue rather than a cybersecurity issue, Lewis writes. “Vigorous response is the key to managing cyber espionage.”
One roadblock to this approach has been the lack of attribution — the ability to identify the ultimate source of attacks with a high degree of confidence.
But Lewis says this is a false barrier, for two reasons. First, everybody knows China is doing this; and second, this is a matter of diplomacy, not a court of law, and proof doesn’t need to be established beyond a reasonable doubt. Diplomatic pressure and economic sanctions backed by intelligence could make it politically difficult for China to continue this behavior.
What is needed is an accepted set of international norms concerning behavior in cyberspace — the kinds of norms that helped the United States survive the Cold War. The Cold War “worked,” in that the United States and the Soviet Union were able to confront each other without nuclear war because there were more or less clearly defined roles and conventions with an understanding of what could be done and how. Currently, that is missing from cyberspace.
None of this means that firewalls and vulnerability patching are not important. They are. But while system administrators raise the technical bars, the policy wonks also will have to raise the political bars.