Wednesday, April 24, 2013

5 ways to fight back against Chinese cyber attacks

APRIL 24, 2013, AT 8:28 AM

The debate over the Cyber Intelligence Sharing and Protection Act is largely a debate about how Congress will allocate authorities and powers to fight against Chinese cyber-espionage, which siphons off from the U.S. economy as much as $100 billion a year in intellectual property and proprietary information. 

CISPA is controversial because it vaguely defines what a "cyber threat" actually is, immunizes U.S. companies who share personal information with the government, lacks oversight mechanisms to prevent abuse by the government, and militarizes what is, in essence, a law enforcement function — an FBI and Department of Homeland Security function.

That latter objection is based on the Obama administration's intention to fight Chinese crime using a variety of different mechanisms. Importantly, it wants to determine how to fight— it does not want Congress to tell them how and when cyber information must be shared between private companies, the FBI, the CIA or the National Security Agency. 

Still, the White House has not explicitly said that President Obama won't allow some version of 
CIPSA to reach his desk. It has said that personal privacy is not well-protected by CIPSA, but traditionally, the executive branch has used this excuse as a fig-leaf to cover their opposition for other reasons.



So what can the U.S. do to reduce the cyber threat from China?  

1. It can build an electronic wall around the country, forcing all Internet traffic to be 
subject to deep packet inspection; and then, to compare those packets against known 
signatures from China; segregate them; eradicate the malware from them, and then 
let them through. 

As I've written before, this is something the National Security Agency believes it CAN do but 
something that virtually every stakeholder except those inside the government believe would be an awfully hard sell to the American people. 

2. It can require, or encourage, major technology companies that serve as 
Internet gateways for most Americans to boost their own cyber defenses
and then share, with immunity, suspected cyber threats with the government in 
real-time, allowing the NSA to swoop in and solve the problem. This is, incidentally, 
the CISPA approach. 

3. It can secretly share with the big Internet companies the cyber techniques 
and tactics used by Chinese corporations and the military, giving U.S. companies a 
chance to develop cyber counter-measures. It can work in secret with companies to lure 
hackers from China into systems, and then manipulate those hackers into divulging 
attack patterns, which can be reverse-engineered to fortify defenses. Publicly, it can 
enforce its own laws against hacking and set an example for the world to follow. 

4. It can fight back, engaging in tit-for-tat  brinksmanship, hoping to convince 
the Chinese to back off by demonstrating the capacity of U.S. computer network 
operations. Though there is a body of secret law authorizing offensive cyber exploitation 
against China, the Obama administration doesn't want to engage in "war," as 
commonly understood. Less kinetic means include sanctions, property seizures and 
military deception/information operations campaigns.

5. It can provide significant incentives for individuals and corporations to 
protect themselves, allowing free market mechanisms to determine the structure and 
rules of economy-wide computer network defense. For this approach to be effective, 
there has to be a broad understanding of what the threat is, what can and can't be done 
about it, and informal "rules" to shame/encourage those who don't and do participate. 

It can also work with companies that do major business with China to influence Chinese 

policies; it can propose a global treaty that would set clear guidelines and an enforcement 
mechanism. It can, can, can, but there are so many ifs, ands and buts to deal with it that 
they — we — probably won't, not for awhile anyway.

Some combination of all of these approaches is going to be the de facto law of the land, 
even though the community of smart people who debate cyber security still haven't 
agreed on a set of basic propositions, like whether it is possible to determine 
precisely where an attack emanated and what its motive actually was and who can be blamed for it.

But the U.S. is not powerless. And that's the point.

No comments:

Post a Comment

Comments always welcome!