Trade Law Daily is a service of Warren Communications News.
Fighting Persistent Threat

Nation Needs More Deterrence, Discussion, Defense to Boost Cybersecurity, Security Experts Say

The threat to U.S. cyber networks will persist, but there are collaborations, practices and other methods that the government can employ to toughen cybersecurity, defense and security experts said late Tuesday at the Center for Strategic & International Studies. Most of the nation’s commerce and financial activities are done in the cyber environment, said General James Cartwright, former vice chairman of the Joint Chiefs of Staff. The threat will persist “and any place you put that much resource and that much intellectual capital is a lucrative target for people who want to do bad things,” he said. The country isn’t adequately prepared for a critical cyber attack, but no one is, said James Lewis, director of the CSIS Technology and Public Policy Program. There are improvements at some agencies, “but basically, we're still about as vulnerable as we can be.” The country must take time to build its defenses, rather than wait for a crisis to occur, he said.

The nation should focus on making it harder for attackers to benefit from a cyber attack in order to increase deterrence, Cartwright said. Attackers will keep trying until they're successful, he said. The “adversary has to know that there is a price. Otherwise, they're not dissuaded by anything.” The government should look at all the existing tools it has to respond to an attack, he said.

Agencies are starting to coordinate better, said Ellen Nakashima, national security reporter for The Washington Post. The Department of Defense and the Department of Homeland Security agreed to share staff and intelligence to protect networks (WID Oct 14 p1). But “just how that assistance would play out and what the rules are is still evolving,” she said. As the government works on better coherence, it should be careful not to “invent a bunch of new laws,” Cartwright said. A set of declaratory policies is needed, he said. If a server in a country is facilitating an attack on the U.S., “we have the right of self-defense,” but the policy would direct the State Department to let the country know about that server. “If they elect not to stop it then we ought to have the right to go neutralize that server … by some means,” he said.

Trying to engage Russia and China, where many cyber attacks originate, will be difficult, Lewis said. Their views are different and they view information as a weapon, he said. Discussions at the United Nations, with NATO and with other countries, including emerging powers like India and Brazil, must begin taking place, he added. “We've just got to keep trying to build those alliances … but at the same time there’s also a debate about just how far out to go with offense,” Nakashima said. Cartwright cautioned against too much discussion focused on a big cyber disaster: The likelihood is remote, but “you can see a direction in which this threat could move that would look pretty bad.”