Senior Fellow and Director of CSIS’ Technology and Public Policy Program, Dr. Jim Lewis spoke at the Potomac Officers Club event this afternoon. His remarks focused on cybersecurity, and he detailed some of the greatest current threats to industry and national security, as well as some potential solutions.
Much of his speech focused on China, a state that he says “squeezes” foreign technology companies with operations in China. This is a large part of how China has come so far in information technology over the past fifteen years, according to Dr. Lewis. Dr. Lewis said that China chafes under what they call the “Qualcomm Tax,” or the royalties they pay foreign design companies to produce their hardware, and intellectual property theft plays a major part in China’s growth strategy.
He praised Google’s reaction to the cyber attacks, and noted that of the dozens of companies attacked, only Google publicly admitted that they had lost data. This, he said, is an important step, and an unprecedented one. Google realizes, according to Dr. Lewis, that while the Chinese market is huge, it’s only one part of the global market for information technology, and this kind of “pushing back” against China’s routine probing of American hardware is necessary. He told a story about a friend who brought a Blackberry smartphone to Beijing for the 2008 Olympics, “Between exiting the plane and arriving at the gate, [his Blackberry] was probed five times.”
Using Russia, he explained the mode by which states engage in cyber espionage, which constitutes a much greater and more immediate threat than cyber terrorism, according to Dr. Lewis. He said that so long as cyber criminals in Russia provide kickbacks to local police, refrain from attacking Russian businesses and help national authorities carry out large-scale cyber attacks (i.e. attacks against Georgia and Estonia last year); Russian authorities leave them alone.
This gives the state “implausible deniability,” exploiting the problem of attribution in cyberspace to strike at its enemies while profiting from illicit activity. In fact, he used the mafia as an analogy to explain the practical threats from cyberspace. Conflict is unprofitable, Dr. Lewis said, and cyber warriors are likely to stick to attacks that make money.
Hackers, he said, are careful not to “cross the line,” to commit an act of aggression that would provoke a response. “Cyber attacks are just another weapon in a country’s arsenal. It’s not as though Vladimir Putin will wake up one morning and say, ‘I think I’ll knock out power in the Northeastern United States any more than he would launch a missile at it.”
He noted that, generally, terrorists use whatever means at their disposal to attack U.S. targets, and reasoned that if terrorists had the capability to launch cyber attacks against U.S. infrastructure, they would have done so already. “What are they waiting for? Osama’s birthday?” He wondered humorously.
When asked what the United States should do to protect itself from cyber espionage, he said that the U.S. should follow the lead of the French and British governments, who conduct regular, high-level briefings for technology industry executives doing business in China.
But make no mistake, Dr. Lewis does not dismiss cyber terrorism as a threat. In fact, he singles out the Lebanese Shi’a paramilitary and political organization Hezbollah as a potential cyber aggressor. It takes “six to eight years” for a technology or capability developed and deployed by large states to wind up on the black market, so he says it’s only a matter of time before cyber terrorism capabilities find their way into the hands of terrorists.
He says that the “window of time” to deal with cyber espionage and cyber warfare from a policy standpoint is closing rapidly, and that the American government must act soon or risk losing the technological leadership that is the “key to our national security.”