Corporations Undermine Cybersecurity

At first, it may seem obvious that the private sector should be keen to protect its computers from cyber-attacks. After all, hacking has caused considerable losses of trade secrets and other proprietary information. Actually, the private sector is opposing most new cybersecurity measures. Despite major implications of this opposition for homeland security, little has been done to make corporations defend their customers and the nation.

Significant segments of the private sector consider proposed requirements to introduce cybersecurity measures to be an additional form of government regulation. The Business Software Alliance opposes placing "undue regulatory burdens on industry," and the Heritage Foundation opposes security measures because they would "create a cumbersome regulatory process." Corporate leaders and economically conservative commentators adhere to libertarian principles, and hold that private enterprise has a right to be let alone by the government and that the private sector is capable of independently determining how much and what kind of cybersecurity it needs.

Furthermore, "businesses consider it unfair and inappropriate for the government to impose on private industries security requirements that businesses consider a public-sector responsibility. Such requirements are viewed as 'unfunded mandates.'" That is, corporate leaders argue that the provision of security is the job of the government; thus, they hold that if the government requires others to do part of the job by adding security measures above and beyond those they would already independently introduce, the corporations should be compensated for the related costs.

Finally, corporations complain that regulations that mandate them to report cybersecurity breaches to the federal government and to share news of cyber threats with their industry peers would cause them damaging publicity or lead to lawsuits alleging liability for damages to private citizens.

In the face of strong private-sector opposition, the federal government has largely resorted to cajoling the private sector to implement cybersecurity measures and has eschewed mandatory regulation. President Obama, in a 2009 address regarding cybersecurity policy, explicitly stated, "My administration will not dictate security standards for private companies." Now he again is hitting the road, trying to sell cyber security -- to those who should rush to introduce it.

One might hold that if the private sector fails to protect itself from cyber attacks, it will suffer the consequences and eventually mend its ways. This is, in effect, the position that the Bush and Obama administrations have followed. However, this approach ignores that considerable amounts of defense and homeland security work are carried out by the private sector.

For fiscal year 2013, the federal government awarded a total of $460 billion in contracts, much of which seems to have gone to defense contractors. In 2010, the Department of Defense spent about $400 billion of its $700 billion annual budget on private contractors that provided vehicles, armor, weapons, transportation, logistical support, and many other goods and services, which ranged from aircraft carriers and nuclear submarines to hand grenades and MREs. The federal government also outsources much of the work of intelligence collection and analysis to private sector contractors. And private security firms such as Blackwater -- which has since been renamed Xe Services and, later, Academi -- were contracted to protect diplomats, offer counterterrorism training, and supplement United States military forces in Iraq and elsewhere.

Thus, inadequate cybersecurity at private firms allows adversarial governments and nongovernmental actors to acquire information that could greatly harm United States defense and homeland security. To cite a recent example, on May 19, 2014, Attorney General Eric Holder Jr. announced charges against five members of the People's Liberation Army's Shanghai cyberunit and alleged that the hackers infiltrated the computer networks of several American corporations. General Dynamics, Boeing, Lockheed Martin, Raytheon, and Northrop Grumman -- the United States' leading defense contractors -- have all fallen victim to hackers. And a cyber-espionage operation against Lockheed Martin in 2007 made it possible for China to steal design details of the F-35 Lightning II, which were subsequently used to develop China's J-20 stealth fighter plane.

Second, the private sector is responsible for supplying and maintaining much of the technology, which includes information technology, used by the government. The computers and software used by the Department of Defense -- and other federal agencies -- are themselves designed, manufactured, and often serviced by the private sector. Prior to the 1990s, the Pentagon used in-house programmers to design secure software tailored to the military's needs. However, the military has since increasingly shifted to off-the-shelf commercial software as a means of cutting costs and satisfying Congress, which seems to be influenced by private sector lobbying. These technologies are vulnerable not only because they are produced in the private sector, but also because the private sector often sources its equipment and components overseas--which includes China.

In short, the difference between the public and private sectors is much smaller than is often assumed in public discourse. There can be no reliable cybersecurity in the public realm unless there is also heightened cybersecurity in the private realm. The security chain is only as strong as its weakest link -- and the private sector's link is simultaneously poorly forged and critically important to United States defense and security.

Amitai Etzioni is a University Professor at The George Washington University. He is the author most recently of The New Normal: Finding a Balance between Individual Rights and the Common Good.