On October 25, 2012, The New York Times published an eye-opening report on an extensive, billion-dollar business empire constructed by relatives of China’s prime minister, Wen Jiabao. Three months later, the Times revealed it had been undergoing intense cyber attacks even before the report was publicly released. Cooperating with AT&T, the FBI, and a leading cybersecurity firm, the Times pinned the digital break-ins on Chinese hackers, adding that the Chinese military was likely involved.
The case of the Times is certainly not unique in today’s world. The Center for Strategic and International Studies (CSIS) has compiled a list of 113 “significant cyber incidents” since 2006, spanning attacks on universities, government agencies, financial institutions, and other organizations. One of the victims of those attacks was Aramco, a major Saudi oil firm. In August 2012 Aramco was forced to shut down its computer network to control a data-wiping virus believed to have originated in Iran. Interestingly, experts called the attack relatively unsophisticated. “There are lots of targets in the U.S. where they could do the same thing,” a former counterterrorism official said. Defense Secretary Leon Panetta warned in October 2012 that “foreign cyber actors are probing America’s critical infrastructure networks.” He acknowledged that such attacks could contaminate water supplies, paralyze the power grid, and shut down communications systems. “The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country,” he said.
Some analysts downplay cyber attacks because they do not technically constitute acts of war, at least by traditional measures. Pragmatically speaking, however, it is possible to interpret cyber attacks as such. In May 2006, the Department of Defense was hacked and large amounts of information were stolen. CSIS notes that if foreign agents had physically entered the Pentagon and stolen the information, “it would be an act of war, but when it happens in cyberspace we barely notice.” This is why cyber warfare is so appealing; governments can initiate attacks on other states or institutions while essentially bypassing the risk of starting hot wars. Any group—including terrorists—with significant cyber capabilities could enter America’s back door, so to speak, and inflict real damage.
As countries have developed new means of warfare, cyber attacks have become a key ingredient in most strategies. With regard to U.S.-Chinese relations, for example, “there is little doubt . . . that cyber [attacks] will be part of any political, military, or economic conflict in the future.” These attacks would be effective preludes to more conventional forms of war (as Mr. Panetta described), or could accompany conventional actions simultaneously. The United States’ ability to guard against—or even wage—cyber attacks is fundamental to its national interests.
Even in the wake of heavy defense spending cuts, Washington needs to maintain a strong commitment to cybersecurity. If Senator Chuck Hagel replaces Mr. Panetta as Secretary, he will likely elevate the issue to a new position of priority. A recent move to expand the Department of Defense’s Cyber Command from 900 to 4000 employees is a step in the right direction. The Cybersecurity Act of 2012 would have established voluntary protection standards for much of the private industry, but it failed in Congress. Now, as companies see organizations like the Times faced with relentless cyber attacks, many are calling for those voluntary standards. Tighter security can only be achieved if the public and private sectors work together to shore up points of national weakness. America needs to close the back door to its enemies.