After tiptoeing around the obvious for years, the Obama administration finally did something about corporate espionage when it indicted five Chinese military officers this week. The good news, says one of our country's top cybersecurity experts, is that the United States is not at (cyber) war with China. The bad news is that nothing we are doing is working or will work, the long-term prospects are even worse, and China has a lot of retaliatory options.
Other than that, the Justice Department's tough stance on China was a great move.
"A military attack is not a proper response to espionage, and everything else we were doing wasn't working all that well," said Jake Olcott, a principal at Good Harbor Security Risk Management. "And by the way, this probably won't work that well either. Diplomacy is a long, tough road."
Olcott first got pulled onto cybersecurity as a young lawyer working for the House Homeland Security Committee a decade ago. From there he became counsel to Senate Commerce Committee Chair John D. Rockefeller, IV. His work led to the groundbreaking Securities and Exchange Commission rules issued in 2011. (Full disclosure: Olcott long ago worked for my political consulting firm, and he and I are both members of the Truman National Security Project.)
Now he advises private and public sector clients how to defend themselves against cyber attacks because, he says, "There's actually very little that governments can do to stop or slow this stuff down."
Our cyber conflict with China is a next-generation example of how online freedoms create new security issues that were hard to imagine. The anonymity of the Internet—and the inability of nations to defend their 'Internet borders'—means that attacks can be launched from anywhere in the world with limited fear of punishment.
Making matters worse, the unique relationship our government has with the private sector allows for economic growth but paradoxically makes us vulnerable. Private companies supply our electricity and build components for military hardware, for example. An unintended consequence of this is that those private companies then become responsible for our cybersecurity.
"Most of our critical infrastructure is owned by the private sector.
People think the NSA is defending us from everything, and that's not happening. In the US, companies are on their own to defend themselves from threats," said Olcott.
Conversely, China is perfectly structured to exploit our weakness. "The Chinese have long discussed their interest in using their military and intelligence arms to steal from other businesses to reward Chinese business," said Olcott.
It's not all bad news. Some of it is awful, and the rest is downright horrible.
"These guys are part of the Chinese Military. They probably won't be brought to justice," said Olcott. "Without a strong deterrent, people will still be doing it. There aren't any real deterrents today."
Right now, we hold the indictments, but China holds all the cards. Olcott says China has several options, none of them appealing to the US. They can redouble their cyber espionage. China could also counterattack with charges of corruption as happened last week when Chinese police accused a GlaxoSmithKline executive of orchestrating a "massive bribery network" to boost pharmaceutical prices. Or China could start an old-fashioned trade war by making it hard for American businesses to break into their market—all of which are reasons why the US never did anything like this in the past.
Olcott said short of Congress passing comprehensive cybersecurity legislation along the lines of what he negotiated for Sen. Rockefeller the only realistic thing for businesses to do is learn self-defense.
"It's not going to get any easier. Executives need to recognize that their entire business can be undermined by a cyber incident. When somebody walks out with your trade secrets, that's a really bad day."
Whether we have more bad days to look forward to depends largely on whether the American business community rises to their own defense. But Olcott's been sounding the alarm for a decade now, and the rush to the barricades has been slow. In the end, creating a sense of urgency in corporate America might be the only good thing to come out of Obama's legal counterattack against China's espionage.