It comes as no surprise that the U.S.–China cybersecurity talks at the Asia–Pacific Economic Cooperation (APEC) largely failed. While Obama was in China, The Washington Post reported that the Chinese were the prime suspects in hacks against both the National Oceanic and Atmospheric Administration (NOAA) and the U.S. Postal Service (USPS).
The USPS announced that 800,000 employees had their personal data stolen including names, addresses, and Social Security numbers. NOAA reported that four websites were compromised, but it is unknown if any data was stolen.
There have been constant reminders throughout the past year that the U.S. government’s cybersecurity needs improvement. It’s likely that every federal department has been hacked, Robert Anderson, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, told the Senate Homeland Security Committee in September 2014.
Assistant Secretary for Policy at the Department of Homeland Security Stewart A. Baker noted,
“It’s the case that the U.S. and Russia and other countries are much more cautious about getting caught because they think there are going to be consequences. It’s only the Chinese that think there are no consequences to getting caught.”
China has been unapologetic about its activities when confronted by U.S. officials. The U.S. government needs to deter China from hacking if there is going to be any positive change. The indictment of five military members of the Chinese People’s Liberation Army for their role in hacking the U.S. was a step in the right direction, but further action is needed. The U.S. should take legal action against Chinese companies known to steal U.S. designs and technology and should consider doing more to weaken China’s grip on its domestic Internet through counter-censorship technologies.
In addition to deterring nation-state hackers, the U.S. must also take better steps to defend itself. Information sharing between the government and the private sector should be a top priority. With the proper policies in place, sharing data on the threats that are evolving will allow others to protect themselves before the attack reaches them. Information sharing can occur across international borders with allies and between federal government departments. This will strengthen privacy and security.
Protecting the supply chain adds another layer of security to cyber infrastructures. As the technology industry has expanded, so has outsourcing to different countries. This global supply chain is very important to ensuring that electronics are produced at low cost, but it also allows potential vulnerabilities to be inserted into a product by a malicious actor. Companies can address this weakness through private sector–developed cybersecurity supply chain ratings and accreditation. Such an accreditation system will encourage companies to achieve higher ratings through better and safer practices. With companies having different levels of accreditation, consumers will also have more information with which to make risk-based cybersecurity decisions.
Obama’s visit to China only reinforces the fact that this problem cannot be solved by negotiating with the nations that are attacking us—only firm deterrence and agile defensive measures will better protect the U.S. in cyberspace.
Ellen Prichard is currently a member of the Young Leaders Program at The Heritage Foundation.