Counter E-Surgency.

Author: Porter, Christopher
Position: On cybersecurity

American and allied cyber policy is mired in antiquated thinking. The trouble starts with which adversarial hacking activity to counter: there is currently a focus on defending a whopping sixteen preset silos of "critical infrastructure" industries, as defined in Presidential Policy Directive 21. Under several consecutive U.S. presidents, this strategy has failed to deter or halt the major threats our country faces. Some examples stand out: the Obama administration's decision to "stand down" on planning to respond to Russian active measures in cyberspace; a decade of unchecked intellectual property theft by China; and attacks on the financial sector by Iran and North Korea. For that matter, until the Russian interference in the 2016 U.S. presidential election, voting equipment was not even considered critical infrastructure. Neither are the servers used by individual campaigns and political parties, even in light of relatively recent events.

Despite world-class capabilities, there is no reason to think we are fully prepared to pick which appropriate sectors should be defended in a cyber conflict, especially in a world where a growing array of countries can pose a significant risk to the economic health and freedoms of the ordinary American citizen.

The shortcomings of this approach are clear in the case of the Department of Defense's new "Deliver Uncompromised" security initiative, which since June 2018 has sought to improve the resilience of the military supply chain by adding "security" to the longstanding core acquisitions considerations of price, delivery and performance. Considering America's innovation ecosystem, especially in new developments applicable to eventual military use, one can see how many disruptive and incremental battlefield gains originate from original academic research outside government-controlled labs, and certainly occur long before practical production is begun at a defense contractor.

This "spin-on" from uncleared academics and the private sector has been key to U.S. military success in the twentieth century and is likely to be even more important in the future. Given how research is shifting toward private sector companies, particularly when it comes to developing and funding disruptive technologies such as artificial intelligence, it is necessary to extend state cyber protections to these companies. Otherwise, there is a risk that commercial innovations with military potential will be stolen and used against the United States.

The Chinese hacking group APT40 appears to be ahead of the curve in this regard: though having operated as a military intelligence gathering operation mostly focused on traditional maritime targets since 2013, they have been expanding their operations since at least 2017 and have managed to compromise numerous systems, including those of U.S. universities. APT40 has repeatedly targeted engineering firms...
