By Panayotis A. Yannakogeorgos & Adam Lowther, Special to CNN
Editor’s note: Panayotis Yannakogeorgos is a research professor of Cyber Policy and Global Affairs at the Air Force Research Institute. Adam Lowther is a non-resident senior fellow at the Center for the National Interest in Washington, DC. The views expressed are their own and do not reflect the official position of the U.S. government, Defense Department, the U.S. Air Force or Air University.
China’s hackers have been pretty busy recently, at least if recent media reports are to be believed. In one of the most eye catching revelations, the Washington Post reported that more than two dozen major weapons systems’ designs have been breached by hackers, including “programs critical to U.S. missile defenses and combat aircraft and ships.”
Such claims have become commonplace as China has expanded its cyber espionage and intellectual property theft activities over the past decade. Indeed, billions of dollars worth of intellectual property is reported to have been lost to cyber theft.
Earlier this year, for example, a Defense Science Board report detailing the general level of cyber theft was released around the same time as security consultancy firm Mandiant alleged that the People’s Liberation Army had created a unit focused on penetrating government and corporate networks in the United States and elsewhere, primarily to steal sensitive industrial and military secrets.
So far, such theft has gone unpunished, and many are calling for President Barack Obama to tackle this issue head on at this week’s meeting with Chinese President Xi Jinping. Surely, it is high time for the U.S. government to begin holding nation states responsible for their cyber actions or unwillingness/inability to curtail malicious activity in cyberspace?
Yes, it is – but that’s not the whole story.
Unlike the alleged state sponsored corporate espionage that was highlighted in the Mandiant report, the targets in the latest weapons systems case were in the defense industry. Although national security trade secrets can also be commercial trade secrets, under section (a) of 18 USC § 793 activity targeting this type of intellectual property meets the legal definition of espionage.
But is holding only the malicious actor to account sufficient? The real question should be whether the Defense Department should also hold the defense industry accountable for failing to adequately protect sensitive government information. And should software firms be held accountable for selling products rife with vulnerabilities that PLA hackers are then able to exploit?
As former Boston Scientific Chief Security Officer Lynne Mattice notes in a forthcoming book: “Early on in the evolution of software, hardware, and networks people became accustomed to ‘computer bugs’ and other design flaws that they simply accepted as the norm. Rarely has a single industry benefitted from such a desensitized consumer population which has allowed the producers and manufacturers to skirt responsibility and liability for the flawed products and systems they produce.”
More from GPS: The real cyber threat
Mattice highlights a long-running challenge for the software industry. But it is legendary software engineer Fred P. Brooks who suggests part of the solution: system testing should consume 50 percent of time spent on a complex programming project.
Too often, this is not the case, meaning programs are released to consumers with far too many vulnerabilities in the computer code. Software development processes that incorporate a security development lifecycle do exist, but they are not required by federal law. All this has encouraged designers to rush products to market, leaving consumers unaware of costly flaws that make hacking easier and puts sensitive data at risk. For example, according to the National Vulnerability Database, numerous new vulnerabilities or misconfigurations are discovered virtually every day for major software providers.
Separating a malicious cyber actor’s intent from the issue of why that actor can achieve success is important. Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration. It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.
More from GPS: Cyber sharks circling America
The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security. This is the case for both the public and private sector. Design vulnerabilities have already cost the United States too much in terms of loss of intellectual property and highly classified military secrets. No American would ever purchase a car, home, or washing machine with the expectation that it was in need of repair as soon as it was purchased. Yet as soon as software is loaded onto a computer, consumers expect the software to be broken, requiring patching to eliminate the latest round of vulnerabilities disclosed almost as soon as the program is installed. It is time for application developers to produce software that meets a higher security standard.
And it is also time to hold defense contractors accountable for the protection of sensitive government information. While the exact details remain incomplete, it appears that Chinese hackers were successful in breaching the corporate networks of major defense firms, from whom they then stole design information for the F-22 and F-35 fighters, and other weapons systems.
Current defense contracts impose insufficient penalties on firms for exercising poor cyber security. President Obama’s February 12, 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity,” calling for “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration” is certainly a step in the right direction. But more is required. The results of the report required by the Executive Order will be a good indicator of future cybersecurity requirements.
By holding defense contractors responsible for protecting classified military data, they will be incentivized to undertake more rigorous cyber security efforts. As an example, future National Defense Authorization Acts (NDAA) could go beyond requiring contractors to report cyber intrusions on systems handling national security information. Financial penalties should be written into contracts, while prosecution of accountable parties is necessary to ensure future provisions within NDAA or other legislation are followed.
The net result of these suggested changes will be twofold – there should be less susceptibility to malicious cyber activities, which will in turn improve chances for effective cyber-deterrence by making hacking’s costs greater than its benefits, at least in many cases.
Of course, none of this is to suggest that malicious cyber actors shouldn’t be held accountable. In the end, China’s brazen cyber espionage and cyber crimes must be prevented by holding Beijing accountable for its actions. Recent denials by Hong Lei, spokesman for China’s Ministry of Foreign Affairs, should be rejected for the less than candid statements that they are. And President Obama should clearly articulate during his discussions with Xi the administration’s strategy for mitigating the theft of U.S. trade secrets, including highlighting American plans to prevent and punish future state sponsored cyber espionage and crime.
But U.S. efforts to curb the theft of sensitive corporate and government information should not end with attempts to hold states responsible for malicious cyber activity originating in or transiting through their territory. It is time to create a culture of cybersecurity, along with appropriate legal frameworks, in which designing secure software and configuring secure networks is seen as important as preserving sensitive and valuable government and private data. We’ll all be a safer that way.
We've been hacking into China's military secrets as well as those of every other country under the sun for decades on end, and now the right-wing thugs in Washington are crying WOLF! This is quite ludicrous to say the least!
Frankly, the fact that the Chinese have succeeded in stealing top secret military designs like the F-35 only demonstrates our incompetence. What did we think was going to happen? The compromised programs should be scrapped, the heads and boards of directors of companies developing the F-35 should be executed for treason, and we should start over and do it right.
If this bla-bla-bla of yours is true ImperiumVita, then why don't they have similar aircraft like our F-35? This is just more right-wing propaganda trying to scare the public as usual! This never ends!
What the Chinese did steal is the Victoria Secret's thong that you'd been wearing secretly. The Chinese also spied on you kwok zucking in some dark corner.
You can fix all the bugs and secure all the networks, but it doesn't do a bit of good when Larry from accounting blindly opens the lol-cats.pdf file that just arrived in his email box.
Hah! So true.
Right now we have a hard enough time getting defense contractors to admit information has been compromised. Now, this author proposes that we should add penalties for being hacked? How will we enforce those penalties? We need these contractors to cooperate with the government after an intrusion. A fine will cause them to drag their heels and deny they were hacked.
Not saying that foreign hacking isn't a problem, but let's keep in mind that this hysteria plays directly into the financial interests of the military-industrial complex. As in: "OMG, foreigners now know all the secrets of our best weapons. We need to spend billions more developing even better ones!"
We've been here before: the Pentagon and its industrial allies shamelessly lied about Russia's "lead" in weapons to justify bigger budgets during the Cold War.
In case you don't realize, the U.S. government has been badmouthing China ever since the fall of Soviet Union. At first it was human rights, then it was freedom, Tibet, the Olympics, and now it is hacking.
this site has been blocked!
We as consumers have to demand for better protection against intrusion, not only from the government, also manufacturers.
Snoowdeen exposes the rest of the story. LOL.
The Global Public Square is where you can make sense of the world every day with insights and explanations from CNN's Fareed Zakaria, leading journalists at CNN, and other international thinkers. Join GPS editor Jason Miks and get informed about global issues, exposed to unique stories, and engaged with diverse and original perspectives.
Every week we bring you in-depth interviews with world leaders, newsmakers and analysts who break down the world's toughest problems.
CNN U.S.: Sundays 10 a.m. & 1 p.m ET | CNN International: Find local times
Buy the GPS mug | Books| Transcripts | Audio
Connect on Facebook | Twitter | GPS@cnn.com
Buy past episodes on iTunes! | Download the audio podcast
Check out all of Fareed's Washington Post columns here:
Obama as a foreign policy president?
Why Snowden should stand trial in U.S.
Hillary Clinton's truly hard choice
China's trapped transition
Obama should rethink Syria strategy
Enter your email address to follow this blog and receive notifications of new posts by email.
RSS - Posts
Get every new post delivered to your Inbox.
Join 4,863 other followers