Wrong Answer to the Wrong Problem

In his final flail to establish his legacy President Obama has belatedly reacted to Russian hacking and possible interference with the 2016 Presidential election. Other than annoying the Russians with no practical effect, it creates yet another mess that the incoming Trump administration will need to clean up and is not focused on the actual cybersecurity issue. More importantly, it is the wrong answer to what is really the problem -- a fundamental failure on the part of the Obama administration to deal effectively with the problem of cybersecurity for eight years.

With respect to the actual issue of election interference Obama has taken a holier-than-thou stance that the claimed Russian hacking went beyond all diplomatic norms. Giving Obama any benefit of the doubt, all the Russians have been accused of doing is making available documents taken from the DNC and a large number of e-mails written by various Democrats tied to the Clinton campaign. The Russians didn't make this stuff up -- the Democrats did it to themselves. Big deal -- isn't this the same Obama administration that spent some $350,000 in U.S. taxpayer money interfering in an Israeli election to try and oust Prime Minister Netanyahu? So much for diplomatic norms. At least Netanyahu didn't oust U.S. diplomats from Israel over it.

Why single out Russia? In recent years, China, Iran, North Korea and others have all hacked U.S. government agencies, businesses and citizens with relative impunity. China is responsible for the hack of OPM computers and the theft of millions of personal records. They have also stolen billions of dollars' worth of intellectual property, technology, and research from American firms and institutions, costing tens of thousands of U.S. jobs. Obama's reaction to China has been to do nothing. Clearly this has not been as important to Obama as the Democrats' e-mail and his personal feud with Putin.

Iran has disabled the online banking system with denial-of-service attacks repeatedly over two consecutive years, and has even broken into a hydroelectric dam in New York State. North Korean hacking of emails and intimidation shut down a Sony Pictures film release. In addition to nation-state threats, terrorists and other non-state groups, such as ISIS, are committed to leveraging and developing capabilities in the cyber domain. The Obama administration response in each of these cases has been to do nothing, at least in diplomatic terms.

A serious question is what should the U.S. do in each of these circumstances? The Russian hacking of the DNC, as well as the other incidents are not cyberwarfare. They are acts of cyber espionage, and in some cases cybercrime. This is a most critical legal and strategic distinction. As Harvard's Jack Goldsmith rightly points out, there is no international law of espionage, and never will be. The U.S. itself has been engaged in the espionage, and indeed cyber espionage business for a long time, presumably with Russia, Iran, China and North Korea as possible targets.

An appropriate response here is not to escalate any particular incident of espionage or spying such as the Russian hacking of DNC email to the level of cyber warfare without good reason -- and there isn't one here. If the U.S. were to launch a major cyber weapon at Russia, it is highly likely that Russia would likely respond in kind, and the resultant damage to a highly vulnerable infrastructure would be truly massive. Does the U.S. want to risk a collapse of the Internet and all connected systems -- power, communications, the financial sector and many others just because some of the Democrats email became public? Probably not, and that is what cyber warfare entails.

The fundamental problem is not so much foreign hacking, but that almost all of these systems remain highly vulnerable. Continued failure in the area of cybersecurity will have ongoing and potentially disastrous consequences. Kicking a few Russians out of the country won't solve this problem. Cyber espionage will continue while threats of major cyberwarfare are dramatically increasing. American companies cannot compete on a fair playing field internationally, or even domestically, when their operational data and intellectual property are stolen and vital power, water, and communications systems are held hostage to foreign cyber armies. Just as America failed to heed advanced warning of terrorist attacks on the U.S., the nation has also failed to adequately protect its vital cyber interests.

Cybersecurity is one of the greatest challenges facing America today, and yet for eight years the Obama White House failed to provide effective executive branch leadership here. The cyber domain is a vital component -- and generally a vulnerability -- of all sixteen critical infrastructure sectors in the U.S. The Obama policy has been based on misperceptions of cyber threats and assigns responsibility to agencies incapable of meeting the challenges. As a direct consequence of these failures, Americans' privacy and security have been repeatedly violated; national security threatened; and commerce disrupted.

Some well-intentioned critics of the recent Obama actions against Russia in reaction to the hacking see this as being "too little, too late." They are doubtless correct in the "too late" part -- in that the Obama administration was well-aware of this months ago, and even had the FBI call the DNC about it -- only to be ignored. It is incorrect in thinking that doing more would be a useful strategy. Expelling more Russians who had nothing to do with the hacking and stronger sanctions are not what is needed in response to an act of espionage, particularly when any actual impact on the 2016 Presidential election remains a matter of debate.

Thus far President-elect Trump and his national security team have been exceedingly cautious and measured in their statements on this matter. Trump is scheduled for briefing by intelligence officials on the matter later this week and has correctly not joined with those calling for Russia getting greater punishment over this incident. Indeed, his recent tweet that it was time to move on with more important matters in the relationship with Russia demonstrates real strategic perspective -- something the liberal media is unlikely to give him credit for.

For some months Trump has been consistent and positive in his call for cybersecurity efforts that meet the challenge facing America today. This has been one of the less controversial areas and one where there is good bi-partisan support. Recently President-elect Trump has called for moving the cyber defense mission to the Department of Defense, where it can not only be integrated with the cyber offense mission, but a place where the technical and management resources exist to deal effectively with the problems.

It can also be expected that the incoming Trump team will take a number of needed steps, including the replacement of ineffective Executive Orders, management changes, and increased funding for essential cybersecurity initiatives that are long overdue. This is the right answer to what is the problem facing America today in cybersecurity. As Trump has suggested, it's time to stop hand-wringing about who may have dumped the Democrats e-mails and get on to a serious solution to a most serious problem.