Although the word China doesn’t appear in the title of the “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets,” the plan the White House introduced on Feb. 20, it’s written between the lines in bold type. And that’s a good thing: The recent escalation in Chinese cyberattacks against U.S. targets is a threat to American businesses and to the stability of diplomatic relations. It illustrates why the rules of cyberwarfare must evolve from their current state of dangerous ambiguity into something approaching international norms. The Obama administration’s newly assertive stance is a welcome start.
Congress should now pass mandatory cybersecurity standards for companies that operate critical infrastructure, to be overseen by the Department of Homeland Security. These standards should be applied in ways that maximize flexibility and harness competitive energy. Many are commonsense, such as requiring employees to change their passwords frequently, restricting new applications, and keeping up with security updates and software patches. Companies in critical fields must continually upgrade their ability to detect intrusions and disclose them to customers when they happen.
An executive order signed by President Obama on Feb. 12 takes steps in the right direction by expanding information sharing between the government and the private sector, bolstering privacy provisions, and ordering the creation of a cybersecurity framework for addressing such risks. The five-pronged program rolled out on Feb. 20 builds on that effort. It starts with turning U.S. diplomacy up to 11 on cybertheft with China and other trading partners, including through the use of “trade policy tools”—a veiled reference that could encompass sanctions. And it seeks to promote voluntary best practices by private industry, boost domestic law enforcement, strengthen domestic legislation, and increase public awareness.
As the line blurs between espionage, militant hostility, and outright warfare on the Web, the U.S. also needs to answer hard questions about what actions by potential adversaries it can and cannot tolerate, and work toward creating international norms of acceptable behavior.
A path forward might start with more cooperation on stopping cyberactivities that virtually all states agree are harmful (child pornography and human trafficking, for example). It could move toward a greater exchange of information about threats emanating from criminal groups and terrorists, and eventually arrive at sharing national cyberwar doctrines.
Ultimately, as cyberexpert James Lewis has argued, the goal should be to fully apply international law to cyberspace. Countries such as China and Russia must accept real-world responsibility for any virtual activity, state-sponsored or not, that originates within their borders.