Update: A Citadel Trojan virus, which is used for banking fraud and cyber-espionage, was reported on the NBC.com site on Thursday, as well as a range of other NBC sites. This is the latest media company to report a cyber attack.
With news that some of the nation’s largest media companies, including the New York Times and the Washington Post, have been hit by cyber attacks in recent weeks — and fresh on the heels of the announcement that Apple has joined Facebook and Twitter as a recent victim of serious breaches by sophisticated hackers" — comes a report that a secretive branch of the Chinese military is behind many of the most recent attacks.
Mandiant, a Virginia-based U.S. cyber security firm that tracks hundreds of cyber spying cases around the world, has said that a secretive branch of China’s military, Unit 61398, is suspected in a significant number of breaches and may have already “systematically stolen hundreds of terabytes of data” from at least 141 organizations around the world.
The Chinese government has vigorously denied such allegations, but recent cyber attacks by the world’s “most prolific cyber espionage” groups, including Unit 61398, are already raising the question of whether we are already at war with China. In light of these attacks, perhaps a more important goal is establishing a realistic assessment of what the U.S. can actually do to ensure the security of American cyber interests going forward. As Deutsche Telekom CEO René Obermann recently wrote, "Transparency about cyber attacks has only just begun and we need to accelerate our efforts."
President Obama mentioned cyber threats in his State of the Union, but the speech was thin on what the U.S. can actually do to send a clear signal to countries like China that harbor cyber spies and systematically turn a blind eye to organizations, both private and government-sanctioned, that are already stealing design secrets from Western corporations on a massive scale.
The president mentioned the severity of the situation, listing the ability of high-profile cyber attackers to “sabotage our power grid, our financial institutions, our air traffic control systems,” but it’s too soon to tell whether the defensive measures present in the executive order released on the night of Obama’s speech — to encourage information-sharing about cyber threats between the government and private companies — will actually succeed as a viable plan to oversee the country’s most critical infrastructure.
The president’s speech, while significant because it was the first serious new framework for addressing cyber security in a long while, ultimately pays lip service to the issue, rather than actually promoting a bold plan of action in a legal and legislative climate already inclined to passivity on even the most pressing technological issues. For now, such a plan seems even more implausible given the recent budgetary and political distractions wrought by forthcoming sequestration.
Similarly, Congress has not acted briskly enough on legislation setting minimum requirements for how vulnerable infrastructure should be protected. CISPA, a strong bill offered in the senate last summer has been stymied by objections from some legislators that it’s too intrusive, and a recent re-introduction of that bill, so far the only reasonable legislative attempt to address the issue of transparency and cooperation, appears to be fizzling in Congress.
So far, political leaders have moved with caution on the issue of cyber security, especially as the multivariate intellectual property concerns that underpin the legal debates concerning the merits of CISPA-like legislation come to the fore. But as the rhetoric accelerates, President Obama seems keen to avoid a public collision course with China and others who harbor hackers. Patience can wear thin for only so long, as attacks have grown increasingly more sophisticated, not to mention commonplace. When will the administration pursue a more aggressive response?
There is much that can still be done given this current state of affairs, but as the chorus of experts becomes more vocal, it’s clear — time is of the essence. As Greg Austin, director of policy innovation at the EastWest Institute wrote in a New York Times op-ed, “The United States has a good and urgent cause to argue for: strategic stability in cyberspace.” The U.S. must begin to work multilaterally toward that goal, while China and others will have to become unavoidable partners, as “bilateral cooperation on cyber espionage against each other by the U.S. and China more or less exhausts itself at this rather unsatisfactory point,” Austin writes. “The United States will need to make arguments about cyber spying that fit more sensibly than they have so far into a vision of the interconnected, interdependent digital world.”
Perhaps that means working with the very thought-leaders and technological innovators who’ve recently been hacked to come up with creative public-private partnerships that yield wide-ranging solutions on the issue. But in today’s sequester-rattled economic climate of Chicken-Littleism, such hopes may be just a bit too ephemeral. Let’s hope for the sake of our shared cyber future that they’re not.