The Attribution Revolution

From: Foreign Policy

A five-point plan to cripple foreign cyberattacks on the United States.

BY STEWART BAKER

The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China’s military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won’t help the victims of espionage, which is not regulated by international law. So if negotiation won’t work, what will? Not a strategy that relies entirely on defense. That’s like trying to end street crime by requiring pedestrians to wear body armor.

The good news is that there has been a revolution in our ability to identify cyberspies. It turns out that the same human flaws that make it nearly impossible to completely secure our networks are at work in our attackers too. And, in the end, those flaws will compromise the anonymity of cyberspies.

Call it Baker’s Law: “Our security sucks. But so does theirs.”

As numerous recent reports show, attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords, email addresses, and physical computers. Their remote access tools are full of vulnerabilities. These are openings that we can exploit to trace cyberattacks first to the command-and-control computers used to carry them out, then to the homes and offices of the hackers who perpetrate them, and then, hopefully someday soon, to the customers that sponsor them.

But attribution is only half the battle if we want to deter cyber-espionage. The other half is retribution. Once we identify the attackers, we need to persuade them to choose another line of work. If we’re serious about stopping cyber-espionage, there are plenty of tools at our disposal:

1. Expose and isolate nations

Naming and shaming is a commonly used method of deterring bad conduct by other nations. The U.S. may be reticent about releasing hard-won intelligence about the activities of foreign governments. But some of the most explosive — and convincing — recent allegations against foreign governments have in fact been made by private entities. A report released earlier this year by a company called Mandiant offered extensive evidence of the People’s Liberation Army’s role in hacking into U.S. companies over a number of years. The report placed an embarrassing spotlight on state-sponsored hacking in China and sparked bitter but unconvincing denials from the Chinese government.

Of course, it’s not clear that embarrassment alone will stop countries like China or Iran from supporting cyberattacks against U.S. companies and agencies. But it’s a start. It raises the cost of what has been a relatively low-risk, asymmetric strategy. And it sets the stage for further action in the future.
