By Panayotis A. Yannakogeorgos & Adam Lowther, Special to CNN
Editor’s note: Panayotis Yannakogeorgos is a research professor of Cyber Policy and Global Affairs at the Air Force Research Institute. Adam Lowther is a non-resident senior fellow at the Center for the National Interest in Washington, DC. The views expressed are their own and do not reflect the official position of the U.S. government, Defense Department, the U.S. Air Force or Air University.
China’s hackers have been pretty busy recently, at least if recent media reports are to be believed. In one of the most eye-catching revelations, the Washington Post reported that the designs of more than two dozen major weapons systems have been breached by hackers, including “programs critical to U.S. missile defenses and combat aircraft and ships.”
Such claims have become commonplace as China has expanded its cyber espionage and intellectual property theft activities over the past decade. Indeed, billions of dollars’ worth of intellectual property is reported to have been lost to cyber theft.
Earlier this year, for example, a Defense Science Board report detailing the general level of cyber theft was released around the same time as security consultancy firm Mandiant alleged that the People’s Liberation Army had created a unit focused on penetrating government and corporate networks in the United States and elsewhere, primarily to steal sensitive industrial and military secrets.
So far, such theft has gone unpunished, and many are calling for President Barack Obama to tackle this issue head on at this week’s meeting with Chinese President Xi Jinping. Surely, it is high time for the U.S. government to begin holding nation states responsible for their own cyber actions, and for their unwillingness or inability to curtail malicious activity in cyberspace?
Yes, it is – but that’s not the whole story.
Unlike the alleged state sponsored corporate espionage that was highlighted in the Mandiant report, the targets in the latest weapons systems case were in the defense industry. Although national security trade secrets can also be commercial trade secrets, under section (a) of 18 USC § 793 activity targeting this type of intellectual property meets the legal definition of espionage.
But is holding only the malicious actor to account sufficient? The real question should be whether the Defense Department should also hold the defense industry accountable for failing to adequately protect sensitive government information. And should software firms be held accountable for selling products rife with vulnerabilities that PLA hackers are then able to exploit?
As former Boston Scientific Chief Security Officer Lynne Mattice notes in a forthcoming book: “Early on in the evolution of software, hardware, and networks people became accustomed to ‘computer bugs’ and other design flaws that they simply accepted as the norm. Rarely has a single industry benefitted from such a desensitized consumer population which has allowed the producers and manufacturers to skirt responsibility and liability for the flawed products and systems they produce.”
Mattice highlights a long-running challenge for the software industry. But it is legendary software engineer Fred P. Brooks who suggests part of the solution: in his rule of thumb for scheduling a complex programming project, half of the schedule should go to testing (a quarter to component testing and a quarter to system testing).
Too often, this is not the case, meaning programs are released to consumers with far too many vulnerabilities in the computer code. Software development processes that incorporate a security development lifecycle do exist, but they are not required by federal law. All this has encouraged designers to rush products to market, leaving consumers unaware of costly flaws that make hacking easier and put sensitive data at risk. For example, according to the National Vulnerability Database, new vulnerabilities and misconfigurations in major vendors’ products are disclosed virtually every day.
Separating a malicious cyber actor’s intent from the question of why that actor succeeds is important. Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, or configuration. It is technological vulnerabilities that give actors the ability to exploit an information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.
The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security. This is the case for both the public and private sector. Design vulnerabilities have already cost the United States too much in terms of loss of intellectual property and highly classified military secrets. No American would ever purchase a car, home, or washing machine with the expectation that it was in need of repair as soon as it was purchased. Yet as soon as software is loaded onto a computer, consumers expect the software to be broken, requiring patching to eliminate the latest round of vulnerabilities disclosed almost as soon as the program is installed. It is time for application developers to produce software that meets a higher security standard.
And it is also time to hold defense contractors accountable for the protection of sensitive government information. While the exact details remain incomplete, it appears that Chinese hackers were successful in breaching the corporate networks of major defense firms, from whom they then stole design information for the F-22 and F-35 fighters, and other weapons systems.
Current defense contracts impose insufficient penalties on firms for exercising poor cyber security. President Obama’s February 12, 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity,” which directs a review of the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” is certainly a step in the right direction. But more is required. The report that the Executive Order requires will be a good indicator of future cybersecurity requirements.
By holding defense contractors responsible for protecting classified military data, they will be incentivized to undertake more rigorous cyber security efforts. As an example, future National Defense Authorization Acts (NDAA) could go beyond requiring contractors to report cyber intrusions on systems handling national security information. Financial penalties should be written into contracts, while prosecution of accountable parties is necessary to ensure future provisions within NDAA or other legislation are followed.
The net result of these suggested changes will be twofold – there should be less susceptibility to malicious cyber activities, which will in turn improve chances for effective cyber-deterrence by making hacking’s costs greater than its benefits, at least in many cases.
Of course, none of this is to suggest that malicious cyber actors shouldn’t be held accountable. In the end, China’s brazen cyber espionage and cyber crimes must be prevented by holding Beijing accountable for its actions. Recent denials by Hong Lei, spokesman for China’s Ministry of Foreign Affairs, should be rejected for the less than candid statements that they are. And President Obama should clearly articulate during his discussions with Xi the administration’s strategy for mitigating the theft of U.S. trade secrets, including highlighting American plans to prevent and punish future state sponsored cyber espionage and crime.
But U.S. efforts to curb the theft of sensitive corporate and government information should not end with attempts to hold states responsible for malicious cyber activity originating in or transiting through their territory. It is time to create a culture of cybersecurity, along with appropriate legal frameworks, in which designing secure software and configuring secure networks is seen as just as important as preserving sensitive and valuable government and private data. We’ll all be safer that way.