Damian Paletta asked when the one becomes the other in a Saturday piece for The Wall Street Journal. Then he conflated two different things with the question of when a cyber attack becomes an act of war in his answer. The backdrop is the People’s Republic of China’s invasion of our government’s personnel computer systems to steal a “tremendous number of personnel records—including some quite personal records.”
If the White House finds out who stole the information, what will President Barack Obama do about it?
This has nothing to do with whether the PRC’s invasion was an act of war. The question of what Obama—or any President—will or would do is strictly about what a response might be or should be. The act of war has occurred, or it has not, being merely a criminal act that wants a response.
The more serious conflation, though, is this:
But cyberattacks by nation-states are a relatively new phenomenon, in which there isn’t a road map of deterrents and responses.
That we don’t know how to respond, or that we’re presently utterly helpless and unable to respond in the face of the PRC’s actions, is wholly irrelevant to the question of whether the PRC’s actions constitute an act of war.
For the record, it’s clear to me that the PRC’s invasion is a clear, deliberate act of war, and while not as devastating (maybe, we’ve yet to learn the full range of outcomes from the invasion) as Pearl Harbor, it’s no less an act. It’s also plainly intended to intimidate a feckless and internationally weak administration, to send a signal of what’s in store if we don’t become more cooperative on a number of things of interest to the PRC (its South and East China Sea seizures come to mind), to flex PRC muscles, simply to show the school how helpless the little boy is in the face of the bully, or some combination of those.
For the record, too, a couple of things are necessary in response. One is for this (or more likely the next—and isn’t the delay a frightening thought) administration to get off the dime and get serious about cyber security. There are plenty of private and government security experts available and more than equal to the task. The biggest thing this (or the next) administration can do, then, has to do with personnel: it needs to start firing folks and disbanding agencies that don’t move fast enough to button up, including passive-aggressive resistors who won’t like the change in “corporate culture” required, and it needs to decertify unions that get in the way of such reforms.
The other thing needed is for this administration (or the next) to put together a broad-ranging response that will include cyber attacks against the CCP’s communications and data-handling computer networks with a view to erasing the hard drives, against the PRC’s port city government communications and data-handling networks with a similar goal, and the USN sailing into and around the island groups the PRC has physically seized and raising an ECM curtain around them that isolates those islands and any PRC shipping in the area from the mainland. This response need not occur in immediate response to a particular PRC attack on us, and it need not occur today, maybe not tomorrow, but soon and for a very long time.
We cannot shy away from this fight; the longer we let our enemies camp in our networks, the harder it will become finally to root them out. If we can find the will at all.