COMMENTARY: How much more do we have to study the threat China poses from its policy of using cyber as a weapon to conduct industrial espionage?
FBI Director Christopher Wray, NSA Director Gen. Paul Nakasone and other top cyber officials told the House Select Committee on U.S.-China Competition about the threat in January. And Director Wray gave a Senate Appropriations Subcommittee a full briefing on the topic in June.
Past columns I have penned have also pointed out how the Chinese aim to degrade our industrial base and disrupt daily life here in the U.S. in preparation for war. It’s really hard to believe that anybody in the federal government or running a major private sector company doesn't understand the potential danger.
So why do we need this latest Republican-led bill recently introduced by the House Homeland Security Committee that calls for a task force to address the cyber threat posed by China and advanced persistent groups such as Volt Typhoon?
While it may sound like I am against another piece of legislation to address China and its threats, I’m more concerned about the strategic allocation of our scarce resources. We need action now, not 540 days after the bill finally passes when the first task force report is due.
Here’s what we face and why we can’t wait several years to take action: China has an overwhelming capability to resource an offensive cyber campaign, with more people on cyber than the FBI has in total special agents. In the book Emerging Cyber Threats and Cognitive Vulnerabilities, authors Vladlena Benson and John McAlaney estimated that in 2017 China had more people actively involved in cyber than the United States, United Kingdom, Russia, Germany, and North Korea combined.
So the issue isn’t about whether China is a threat; they are. Do we need to pass another piece of legislation to do what we are already doing? If it’s a matter of additional resources, increase the budget. If it’s a matter of coordination, use the existing frameworks. When we continue to divide our resources and attention, we only play into the hands of our adversaries, China included.
We don’t have an overwhelming legion of fighters or the luxury of picking and choosing our battles. The best deterrent to China’s aggressive actions is to increase our spending on defensive measures and make them pay a high price for any attack launched.
Cybersecurity still functions as an issue of resources—time, money, and people. The more we can drain our attackers of any of those resources, the better off we are.
The other argument against waiting for a bill to become law: time. We can’t replace or create more time. The clock ticks while we hold hearings and engage in a lengthy legislative process that could take years. In the meantime, China continues to press attacks and prepare for war. That’s not to say there isn’t a time when legislative remedies are needed.
Sarbanes-Oxley was a much-needed solution to the pervasive and unrelenting fraud that saw billions of dollars disappear in massive accounting scandals at the end of the internet boom more than two decades ago. When was the last time a CEO was escorted to jail for misstating financials? Something like 15 or 20 years ago? The law filled a gap and mostly accomplished its intended purpose.
Finding a gap in our current strategies involves delivering the necessary resources to fight the adversary now. Let our actions help us figure out where the gaps are and then fill them. We need to take advantage of what we have in place right now and slow China’s assault.
Let’s make additional investments in AI, increase career opportunities in cyber for people willing to do the work, and hold leaders and the government accountable for results. Kicking the can down the road and claiming the lack of action is because a task force report isn’t finished represents a flawed strategy.
Our adversaries aren’t waiting -- and neither should we.
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Morgan Wright, chief security advisor, SentinelOne