By Michael Chertoff and Michael Hayden - 04/16/13 11:40 PM EDT
The American public is waking up to a reality that many in government have known for some time — the threat of cyber espionage and intrusions, particularly from China. For years, many have identified significant efforts being mounted by Chinese actors to exploit vulnerability in cyber systems developed and deployed in America and the West. But only recently have those efforts emerged publicly.
We have all read recent reports of alleged Chinese intrusions into The New York Times, The Wall Street Journal and The Washington Post. And, more recently, a detailed report by Mandiant provided what appears to be evidence that many of the cyber intrusions were being directed by a heretofore secret Chinese military unit — code-named Unit 61398 — that operated at the direction of China’s military leaders. At this juncture, China no longer has plausible deniability to its actions; it stands accused and, in the minds of most Americans, convicted of the most aggressive and wide-spread cyber espionage program ever conducted.
Perhaps a more important question is, what can we do about it? How can we dissuade China and other nations from pursuing this disruptive course of conduct? In contemporary strategic planning exercises, military and civilian theorists have developed a structured definition for helping to identify possible courses of action. It goes by an acronym that represents various levers of governmental power that can be brought to bear in resolving a problem — military, intelligence, diplomatic, legal, infrastructure, financial and economic (Midlife). Our thus far ineffective national response to China’s cyber offensive reflects our Midlife crisis — we have only just begun to identify the various avenues of American influence to dissuade China from its actions.
What is needed now, urgently, is a strategic planning process for responding to China that involves the whole of government. Perhaps such a process has begun but not yet been made public. We hope so. But as it proceeds, it should consider a wide range of options:
• We can, and should, begin a concerted diplomatic campaign to put the spotlight on China as a bad cyber actor. We might, for example, use the Financial Action Task Force as a model and begin a program of publicly identifying nations who don’t meet international norms of cyber behavior.
• The focus of much of China’s cyber activities can be traced to a relatively small number of Chinese technical universities. Visa issuance for students and professors from those schools should be limited, if not eliminated.
• We should consider a financial reward to Chinese hackers who agree to turn “State’s evidence” and provide forensic evidence of China’s cyber espionage activities.
• We should consider a system of targeted financial and economic sanctions directed at Chinese companies that materially benefit from stolen American intellectual property.
• We need to remind the Chinese at every opportunity that Chinese cyber behavior is eroding the very foundation of any long-term, productive Sino-American relationship, as American business, long an advocate of improved ties, demands a more robust U.S. government response.
These are just notional ideas; we haven’t vetted them for practicality. But they give one the sense of the scope of possible responses, once we broaden the lens and think of the entire Midlife panoply of American options.
Because of the perceived lack of response from the U.S. executive branch, Congress has rushed in with its own solution — an understandable but potentially misguided effort to ban the government’s purchase of Chinese IT products unless the government can certify they pose no significant cyber risk. The prohibition, buried in the recently passed continuing resolution, reflects the depth of Congress’s anger with the Chinese. But they have chosen a blunt tool. The default option for government officials will be not to certify any Chinese products. This could well lead to Chinese retribution against U.S. firms. There could be instances where there is no alternative to a Chinese manufacture for certain parts.
All of which suggests that a more nuanced approach is needed. Congress’s role — and an appropriate one — is oversight. It should oblige the executive branch to develop a strategic plan. Though the planning might start with China, we need to be prepared for the proliferation of cyber espionage and intrusion on a global scale. In short, we need to outgrow our Midlife crisis.
Chertoff served as Homeland Security secretary and Hayden as CIA director during the George W. Bush administration.