The media and pundits went wild when Donald Trump expressed his hope that Russian hackers might find those 30,000 emails that Hillary Clinton and the State Department claim are lost forever from her bootleg private server.
Trump later said he was making a joke. Well, it may have been in poor taste but Trump’s “joke” is really not a joke at all.
Regardless of who actually broke into and leaked those DNC files that embarrassed the Clinton campaign on the eve of the Democratic convention and forced the resignation of DNC Chair Debbie Wasserman Shultz, Trump was pointing out a sober reality: as a nation we have become increasingly defenseless in the face of what cyber experts call Advanced Persistent Threats in the cyber sphere, particularly Russia but also China.
Those two countries have in effect declared cyber war on us, and after seven years the Obama administration still has not come up with a serious plan to halt or even slow their attacks.
In fact, President Obama’s Cybersecurity National Action Plan unveiled with great fanfare back in February, never even mentioned Russia or China, let alone ISIS and other terrorist groups who are increasingly looking to the cyber sphere as a way to bring America to its knees—or in ISIS’s case, to recruit its lone wolf killers.
If you can’t admit who poses the principal threat, you can’t deal effectively with the problem.
It’s a problem that goes way beyond cyber security. Trying to stop cyberattacks by safeguarding information systems has become a multi-billion dollar industry. In the private sector alone, it’ll grow to $170 billion by 2020. Over the past decade the federal government itself has spent $100 billion on cyber security, and yet—as we all learned last year with the cyber break-in at the Office of Personnel Management when 22 million Americans had their identities stolen—the government, businesses, banks, even our power grid, remain as vulnerable to attack as ever.
This is a powerful opening for a new president to take a new, more proactive approach to threats in the cyber realm, to start thinking in terms of national cyber deterrence, i.e. making cyber aggressors like Russia and China to think twice before they attack at all.
The commander of U.S. Cyber Command and National Security Agency head Admiral Mike Rogers has called for a national cyber deterrence strategy. Ironically, so has Hillary Clinton’s running mate, Senator Tim Kaine.
What is a cyber deterrence strategy?
First of all, it warns persistent bad actors in the cyber realm that their misdeeds will be met by escalating responses, depending on the seriousness of the attack. That has to include responses outside the cyber realm, up to and including military action—even nuclear action if the attack, e.g. permanently maiming our power grid, is existential enough.
Second of all, it has to include a presumption of guilt regarding national bad actors. Russia in particular has done a good job of covering its cyber tracks—one reason discovering who exactly hacked into the DNC, and whether the Kremlin knew about it, is proving so elusive. Effective cyber deterrence tells Moscow and Beijing in uncertain terms, if we trace a cyber hack attack back to a URL address inside your borders, we will presume it has your knowledge and/or approval (in police states like Russia and China, a reasonable inference) and we will retaliate accordingly.
Above all, an effective deterrence strategy must inspire fear. Herman Kahn, the granddaddy of Cold War nuclear deterrence, used to say that the most important characteristic of a good deterrence strategy is that it’s “frightening.” That’s what our nuclear deterrence did in the Cold War. It’s what the Obama approach to cyber threats doesn’t do now. Instead, he’s left an open invitation to cyber criminals as well as Russia, China, North Korea, and ISIS to keep on hacking—even perhaps to the point of influencing our presidential election.
So don’t shoot the messenger, in this case Donald Trump. Get a new administration that takes cyber threats seriously, and makes our enemies fear us at last.