The nation-state hackers breaching our government and private information systems are the same enemies we face in the physical world. They are the same countries that demonstrate no respect for human life, and certainly none for privacy. Although our laws give the military and law enforcement a monopoly on fighting back against cybercriminals, the weakness of that defense seems to encourage more attacks. Indeed, 44% of adults have been victims of cybercrimes in the last year and cybercrimes cost us 700,000 jobs each year.
China is a cybercrime juggernaut, that fancies theft of US engineering details from high tech development companies, especially those helping the US military. It has been actively hacking in South-East Asia since 2005. Lately, through tools like Great Cannon, China has been working to prevent its own citizens’ access to information sources it doesn’t control.
Iran has enjoyed demonstrating its ability to penetrate US banks security. Of course, this is sinister in light of the banking system sanctions imposed on Iran to suppress its nuclear bomb lust.
Russia is less choosy. It is behind attacks on banks, eavesdropping on official communications in Ukraine, and recently on some of the White House’s non-classified systems.
So far, it appears nation states limit the damage they do to penetrated systems. Instead they report back on data found nearby and watch for our technical reaction. Each successful attack can hone their skills for more ambitious attacks when needed. More disturbing, it is unclear what proportion of attacks we have already found. A substantial number of Trojan Horses are likely awaiting further orders from their masters.
In the case of SCADA networks (electricity, gas, water, and other infrastructure), attacks could devastate large swaths of our economy. Indeed, SCADA attacks have doubled in the latest year and our government believes that China and a few other nation states could shut down the US power grid. If another nation did noticeable physical damage or if they caused infrastructure systems to malfunction, there is a slim risk that we might retaliate. But, “slim risk” probably overstates it.
Our government leaders seem reluctant to fight back with more aggression than a nuanced stare. Our leaders seem to ignore as many attacks as they can, and when they can no longer pretend all is well, they mumble about how they will not tolerate crime, as if verbal pomposity were a show of strength. Our leaders’ submissive posture must reassure the cybercriminals that they are free to have their way with us. Recently, the White House issued an executive order allowing the imposition of financial sanctions against those who perpetrate cyberattacks on the US. Presumably that was aimed at China because Russia, Iran and North Korea are already under sanction, and that has not halted the offending behaviors.
Commercial cybercriminals seem to have free-rein across vast stretches of US internet assets. Many hide out in countries that don’t care about or that profit from cybercrimes (think Eastern Europe). Serving a US court summons on a Russian Mafioso would be a fool’s errand – mere press release twaddle.
Domestically, we have laws condemning hackers for theft of personal information and financial assets, but since the odds of being caught or of being sentenced to meaningful punishment are so remote, neither is a deterrent. In one rare instance of conviction, the criminals were sentenced to 3 years for stealing $3 million. In this job market many would regard $1 million per year as a winner. The FBI has upgraded its cyber capabilities, but the headcount of perpetrators convicted is alarmingly small.
If an armed intruder entered your home, you could be justified in using extreme force to repel the attack. But in the cyber world, the right to an aggressive defense is limited to our political leaders and to law enforcement. Unfortunately, our leaders lack the will and law enforcement possibly lacks the tools and knowledge to be very effective.
American consumers and businesses suffer the cyber-shakedown while politicians are busy attending to “important matters of state.” A few corporations might have the capability to locate cyber-criminals and put them out of business, but any favor they do for our nation would be repaid with prison time for these corporations.
It is time for politicians to accomplish three steps. First, get smart on cybersecurity. Second, get agreement between government and business on adequately hardening our information systems. Third, forge treaties with our trading partners on fair but swift justice with mandatory extradition available to any well-documented cybercriminal. Sharing cyber-information between companies and the government, as the recently passed House bill addresses, can be helpful, but it not enough.
Our Internet has behaved like a Wild West re-enactment for too long. It is not being adequately civilized by firewalls and anti-virus software. We need a modern day Texas Ranger worthy of the “one riot, one ranger” reputation. Unfortunately, a leader who can focus the right actions onto our cyber problems is not yet on the horizon.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research