Although many details of the massive cyberattack against U.S. government personnel records are still not public, its strategic implications are plain: Washington remains unprepared in cyberspace, floundering and unable to articulate its intentions and capabilities on this new battlefield.
China is the likely culprit, and its cyberwarfare — added to its near-belligerent behavior in the South and East China seas, its expanding military assets and its use of economic clout for political ends — is part of a deeply troubling pattern. Unfortunately, President Barack Obama’s response is also apparently part of a pattern of sustained inaction.
The Pentagon may be working hard to develop offensive and defensive countermeasures, but the administration has done precious little to articulate what America’s strategy should be in response to these challenges. The president’s policy silence is chilling and inexcusable.
To be sure, silence before or after a particular clandestine operation is often necessary to protect operational methods and information sources. For example, Washington did not take direct credit — indeed did not confirm or deny — its probable role in temporarily taking down Pyongyang’s internet after North Korea hacked into Sony Pictures six months ago.
But protecting clandestine methods and sources is one thing; Obama’s policy silence is another. Americans understand how important information technology is, and society’s increasingly computerized complexity and interdependence. But they require leadership to understand how seriously we could be hurt if our IT infrastructure is compromised.
In China’s case, based on a long history amply documented by the Pentagon, the People’s Liberation Army is almost certainly the perpetrator of the federal hacking, which means, to state the obvious, that Beijing sees penetrating U.S. government computers as a military capability.
Right now, our enemies are faced mostly with rhetoric — mere hand-wringing — not clear deterrence. This vacuum must be replaced by a stated strategy, and quickly. Fortunately, once Washington concludes to its satisfaction that Beijing conducted the recent attack, the response can include building blocks for a more comprehensive cyberwarfare strategy.
Firstly, America must create structures of deterrence. Starting now, America’s cyber response should be disproportionate. The justification for such a response is all too clear: Without it we are facing repeated cycles of cyber incursions.
To persuade Beijing and others to desist, they must believe their conduct will result in costs that are unacceptable and unsustainable. Mere tit-for-tat responses indicate an inability or unwillingness to react more strongly and may simply tempt aggressors into more ambitious operations.
The White House considered the sanctions it ordered in response to North Korea “proportional,” but compared with the decades-old U.S. sanctions regime against the Pyongyang government, the incremental new sanctions were trivial. Nor does Obama’s April 1 executive order authorizing sanctions against other cyberattackers augur anything beyond the North Korean example.
Secondly, U.S. retaliation must include political and economic measures beyond the cyber realm. The latest hack was motivated by something more than theoretical curiosity about how to penetrate foreign computer networks. China might intend to use the government personnel files for blackmail, or to understand our security-clearance methods so as to better conceal its own covert agents. Accordingly, Washington’s response must go well beyond simply inflicting pain on China’s computer networks.
Beijing’s ambassador, and other Chinese diplomats in America (especially anyone connected with Chinese intelligence), should be declared persona non grata and sent home. Travel restrictions should be imposed on those remaining, and on personnel at Beijing’s United Nations mission. All military-to-military programs should be terminated or suspended indefinitely.
Economically, the U.S. must retaliate strongly against entities that support or are controlled by the PLA, especially those related to computers and communications. The latest attack exposes a related U.S. vulnerability: the extent to which our cyber infrastructure derives from components manufactured in China. That supply chain must now come under scrutiny, with greater reliance, for example, on companies that keep their production facilities elsewhere.
Obviously, there is risk in any strong response to a cyberattack. But if America is unwilling to defend itself when the costs and risks are relatively low, there is no reason for Beijing and others to think it will do so when the potential consequences are far greater.
North Korea’s attack on Sony Pictures was a wake-up call. China’s apparent capture of U.S. government personnel records is like being upended out of bed to the floor. What else is it going to take?
John Bolton, a former U.S. ambassador to the United Nations, is a fellow at the American Enterprise Institute.