I am puzzled by two news reports on USG cyber policy in the last few days. This AP story from Friday surprised me for what it revealed about the lethargic U.S. reaction to the now-many-years-old problem of Chinese cyber exploitations of U.S. public and private computer systems. “We have to begin making it clear to the Chinese that the United States is going to have to take action to protect not only our government’s, but our private sector, from this kind of illegal intrusions” (emphasis added), said former Secretary of State Clinton last Thursday, implying that we have not yet made this point clear. The story says that because talks with the Chinese haven’t worked, “the Obama administration is now considering a range of actions,” including “threats to cancel certain visas or put major purchases of Chinese goods through national security reviews.” The story cites two former officials for the proposition that the USG is preparing a new National Security Estimate (NIE) that will “underscore the administration’s concerns about the threat, and will put greater weight on plans for more pointed diplomatic and trade measures against the Chinese government.” (The AP story sometimes talks of the threat from “cyber attack” but it is pretty clear from the context that the topic of the story is cyber exploitation.)
What is puzzling is the tentativeness and slowness of the USG reaction given what the USG has been telling us – openly, and through leaks – about the enormous scale of the problem. One reason for tentativeness is that, as I once wrote, “the United States itself engages in [cyberexploitations] extensively abroad and  cyber exploitations do not violate international law, and thus would not justify a large-scale military response, kinetic or cyber.” This is a large hurdle, I think, that leaves the United States with only relatively weak diplomatic tools to address the problem – and tools, by the way, that open it up to reciprocal retaliation. Another reason, I think, is that the overall importance of the relationship with the Chinese has led some in the government to counsel caution in raising the temperature on the cyber exploitation problem. Eventually, I believe that the scale of espionage and theft via cyber will require a rethinking of international law’s “hands off” attitude toward the problem – an attitude developed in a different technological universe when the scale of the national security threat from espionage was much smaller. I can imagine a norm developing where certain large-scale cyber exploitations are such a threat or violation of sovereignty and national security that they warrant an attack – kinetic or not – in response. I also believe, as I have long said, that the United States will not be able to clamp down on China’s cyber exploitations by others unless it is willing to consider clamping down on its own cyberexploitations – both directly by the USG, and through its support of hacktivism in China.
The second story that puzzled me is this morning’s NYT story, the lead of which is that “[a] secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad.” I am sure that some legal event inside the government has triggered this story, but we already knew – from Leon Panetta’s speech last year (which I analyzed here), and from the USG’s supposed involvement in cyber attacks on the Iranian nuclear facilities – that the USG had concluded that the President has the power to order preemptive cyberattacks. Perhaps the news in the story is that the government has concluded that this power is a “broad” one and is making it part of its official doctrine (as opposed to an analysis supporting a particular action). That is probably it.
Reading the NYT story aside the AP story, one senses enormous asymmetries in the USG’s responses and planned responses to cyberexploitations and cyberattacks. For cyber exploitations we still seem to be fumbling around for a strategy and for tools to credibly meet the threat. (We have been fumbling for a long time.) For cyber attacks we appear to have many tools, a set of criteria for when they can be deployed, and a developing strategy for deterring cyberattacks against the United States, which the NYT’s breathless announcement of new presidential cyber powers is no doubt meant to serve. There are many dangers lurking in this asymmetry, including a too-weak response to cyber exploitations that are an enormous threat to our national and economic security, and a too militaristic response to the threat of cyber attack, which can spark the very cyber arms race we mean to tamp down. I am sure the government is considering these issues, both of which are, to put it mildly, quite hard.
PS: Thomas Rid has related thoughts at TNR.