images

WASHINGTON: For the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the FBI, said cyberattacks would soon replace terrorism as the agency’s No.1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property.

It’s not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, who retired last Friday as the executive assistant director of the FBI (and its lead agent on cybercrime), told Congress last week of an American company that had all of its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military’s Cyber Command, called the continuing, rampant cybertheft “the greatest transfer of wealth in history.”

Yet the same Congress that has heard all of this disturbing testimony is mired in disagreements about a proposed cybersecurity bill that does little to address the problem of Chinese cyberespionage. The bill, which would establish noncompulsory industry cybersecurity standards, is bogged down in ideological disputes. Sen. John McCain, who dismissed it as a form of unnecessary regulation, has proposed an alternative bill that fails to address the inadequate cyberdefenses of companies running the nation’s critical infrastructure. Since Congress appears unable and unwilling to address the threat, the executive branch must do something to stop it.

In the past, FBI agents parked outside banks they thought were likely to be robbed and then grabbed the robbers and the loot as they left. Catching the robbers in cyberspace is not as easy, but snatching the loot is possible.

Alexander testified last week that his organization saw an inbound attack that aimed to steal sensitive files from an American arms manufacturer. The Pentagon warned the company, which had to act on its own. The government did not directly intervene to stop the attack because no federal agency believes it currently has the authority or mission to do so.

If given the proper authorization, the U.S. government could stop files in the process of being stolen from getting to the Chinese hackers. If government agencies were authorized to create a major program to grab stolen data leaving the country, they could drastically reduce today’s wholesale theft of American corporate secrets.

Many companies do not even know when they have been hacked. According to Congressional testimony last week, 94 percent of companies served by the computer-security firm Mandiant were unaware that they had been victimized. And although the Securities and Exchange Commission has urged companies to reveal when they have been victims of cyberespionage, most do not. Some, including Sony, Citibank, Lockheed, Booz Allen, Google, EMC and the Nasdaq have admitted to being victims. The government-owned National Laboratories and federally funded research centers have also been penetrated.