National Security

The Great Cyberscare

Why the Pentagon is razzmatazzing you about those big bad Chinese hackers.

The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in the cybersecurity debate reckons that puffery pays off.

The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same."

A reminder is in order: The world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all, a bit of fear helps to claim -- or keep -- scarce resources when austerity and cutting seem out of control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors.

Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done.

An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai -- two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Mandiant's report was useful and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes into the report after 15 minutes of red-teaming it -- the New York Times didn't.

Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage -- Stuxnet -- was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.

Finally, the intelligence community tags along with the hype because the NSA and CIA are still traumatized by missing 9/11. Missing a "cyber 9/11" would be truly catastrophic for America's spies, so erring on the side of caution seems the rational choice. Yes, Director of National Intelligence James Clapper's recent testimony was more nuanced than reported and toned down the threat of a very serious cyberattack. But at the same time America's top spies are not as forthcoming with more detailed information as they could be. We know that the intelligence community, especially in the United States, has far better information, better sources, better expertise, and better analysts than private companies like Symantec, McAfee, and Kaspersky Lab. But for a number of reasons they keep their findings and their analysis classified. This means that the quality of the public debate suffers, as experts as well as journalists have no choice but to rely on industry reports of sometimes questionable quality or anonymous informants whose veracity is hard to assess.

The tragedy is that Obama actually has it right: Something needs to be done, urgently. But Washington's high-octane mix of profiteering, protectiveness, and politics is sadly counterproductive for four reasons:

First, the hype actually makes it harder to focus on crucial engineering details. Security standards in industrial control systems and SCADA networks -- the networks that control stuff that physically moves around, from trains to gas to elevators -- are shockingly low. The so-called Programmable Logic Controllers widely used in critical infrastructure are designed to be safe and reliable in tough factory-floor conditions and harsh weather, not secure against outside attack. This year's S4 conference in Miami Beach, organized by the small and specialized security outfit Digital Bond, again showcased how vulnerable these systems are. But Washington is too busy screaming havoc and too ill-informed to do something meaningful about concrete engineering issues. Just sharing information, as the inspector general of the Department of Homeland Security recommended in a report last month, is useful but it will not deliver security. Connecting critical infrastructure that was never designed to be linked to the Internet is also not the root of the problem -- the built-in security flaws and fragility of these systems need to be fixed, as Digital Bond's Dale Peterson pointed out last week in response to the timid DHS report. The political dynamic behind this logic is clear: The more is declared critical, the harder it becomes to act on the really critical.

Second, the hype clouds badly needed visibility. A fascinating project at Free University Berlin has produced a vulnerability map. The map uses publicly available data from Shodan, the Google for control system hackers, and adds a layer of information crawled from the web to geo-locate the systems that often should not be connected to the Internet in the first place. Red dots on the map show those systems. The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project's founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already. The U.S. government's attention-absorbing emphasis on offensive capabilities means it has very little visibility into what this vulnerability map would actually look like.

Third, sabotage and espionage are rather different things -- technically as well as politically. SCADA systems are highly specific kit, often old and patched together over years, if not decades. That means these systems are highly specific targets, not generic ones. Affecting critical operations requires reprogramming these systems, not just disrupting them; the goal is modifying output parameters in a subtle way that serves the saboteur's purpose. With Stuxnet, the U.S. government provided the -- so far -- most extreme and best-documented case study. The operation showed that successful sabotage that goes beyond just deleting data is far more difficult than successful espionage: It requires testing and fine-tuning an attack over many iterations in a lab environment, as well as acquiring highly specific and hard-to-get target intelligence. Stealing large volumes of intellectual property from a commercial competitor, by contrast, is a technically rather different operation -- there is little to no valuable IP hidden inside control systems. To put it bluntly: China and others have a high commercial incentive to steal stuff, but they have no commercial incentive to break stuff. All threats are not created equal. What's needed is nuance, surgical precision, differentiation, and sober analysis -- not funk, flap, and fluster.

Finally, hype favors the offense over the defense. The offense is already sexier than the defense. Many software engineers who consider a career in public administration want to head north to the dark cubicle at Fort Meade, not bore themselves in the Department of Homeland Security -- if they are not working happily in the Googleplex on bouncing rubber balls already. If the NSA sucks up most of the available talent and skill and puts it to work on the offense, the defense will continue to suffer. By overstating the threat, and by lumping separate issues into one big bad problem, the administration also inadvertently increases the resistance of powerful business interests against a regulatory over-reaction.

As President Obama mentioned in his State of the Union address, if we look back years from now and wonder why we did nothing in the face of real threats, the answer may be straightforward: too much bark, not enough bite.



The Case for Just-in-Time Immigration

Why America needs a personnel system built for the 21st century.

It is often said that government could learn a thing or two from the private sector, but what if the very same management innovations that powered the recent surge in global productivity could be leveraged to solve America's immigration problem? It sounds far-fetched, but "just-in-time" production strategy -- which matches supply and demand for manufacturing components, thereby reducing wasteful imbalances -- is crying out to be applied to immigration policy. We have the technology and the data to do it -- all we need is the will.

Despite persistent unemployment problems, the United States faces significant labor shortages, particularly in the manufacturing and technology sectors. Large employers like Siemens, Apple, Microsoft, and LinkedIn, for example, have struggled to fill thousands of job openings because of the lack of suitable candidates. Meanwhile, current immigration policies permit too few skilled worker visas and dictate long waiting periods for skilled H-1B visa holders to obtain green cards. Current green card quotas, moreover, are woefully insufficient to meet labor demands in many sectors. Fortunately, there's an easy fix for this mismatch between supply and demand for human capital: dynamic "just-in-time" labor and immigration policies that let in immigrants as they are needed.

American success in the postwar period was built on the free flow of trade and capital -- and human capital was an essential part of the story. From 1970 onward, roughly 10 million college-educated women chose to work professionally instead of becoming full-time wives and mothers. Between 1970 and 1990, 17 million immigrants came to the United States, and made profound contributions to construction, agriculture, manufacturing, technology, and the service sector. They also changed the lives of a generation of working mothers. The availability of legal, reasonably priced childcare allowed women to manage their familial obligations while competing in the global work force. The advent of the dual-income family, in turn, provided a formidable boost to our consumption-driven economy for the next four decades.

Today, human capital flows are seriously obstructed by political gridlock in Washington. At the same time, the Baby Boomer generation is graying, retiring, and increasingly relying on the social welfare programs to which it contributed -- but not enough given the longer life expectancy of its members. In a blink of an eye, it seems, the Boomers have gone from the locomotive to the caboose.

The key to solving this demographic challenge is a sustained and selective immigration policy. Based on data collected by the Pew Research Center and the Department of Labor-Bureau of Labor Statistics, the United States needs roughly 50 million new immigrants over the next 20 years in order to meet our demographic and balance-sheet demands. That's about 2.5 million immigrants per year, compared to the roughly 2 million (one million legally and one million, give or take, illegally) who have arrived in the United States every year for the last two decades. It's not much of an increase -- 500,000 people per year -- but it's enough to make a positive difference in our fiscal deficits, consumption, savings, and investment needs, and to take care of the household and other employment demands of an aging population.

To meet these needs, the United States should adopt four policies that balance supply and demand for human capital -- bringing the U.S. immigration system more in line with just-in-time principles. First, the government should make it easier for foreign students who graduate from U.S. colleges and graduate schools to obtain work visas, as Mayor Bloomberg and others have suggested. The United States trained them, so it should have the option of keeping them.

Second, the government should stop taxing at the water's edge. Switzerland, Britain, Canada, the United Arab Emirates, Singapore, and many other countries have opened their economies to wealthy foreigners who as resident aliens have brought their savings, investment, and consumption strength. These countries attract wealthy foreigners by taxing only what residents spend or produce within their borders, or some other fixed amount, not their global income and savings, as the United States does. Many Americans see such policies as politically incorrect -- and they may be -- but they're also smart and have worked well for the countries that have adopted them.

Third, the United States should retain and tax illegal immigrants. Today, there are roughly 10 million illegal immigrants in the country, the vast majority of whom are working productively. They should be given visas and brought into the tax-paying apparatus immediately. It is fiscally prudent and humane to do so.

Finally, the United States should increase the availability of infant and elder-care visas. The responsibility for caring for America's youth and elderly populations falls disproportionately on women. Unless America opens immigration to child and nursing care practitioners, we will see many of the gains achieved by women and dual income families eroded by the very real, unfairly-distributed, and now rapidly increasing family demands on working women's time.

We have already begun to see a leveling off and marginal decrease in the higher value-added strata of middle-class professional women, forced to leave the labor force for lack of home management support. That could be the most destructive trend of all. We have allowed immigrants to fill in seasonal employment demands for farming; we should do the same for child and elder care needs. Three-year renewable work permits would solve this problem.

Nobel Prize winning economist Gary Becker has suggested a workable market-based solution, which would charge, say, a $50,000 fee to approve a legal work immigrant visa. This fee could take the form of a loan for existing lower income illegal immigrants, who could pay it off over a number of years, thereby avoiding the perceived unfair windfall created by blanket amnesty. This market-based solution could also work well in leveling off the playing field and increasing tax revenue. Added to just-in-time dynamic visa and temporary worker programs, this fee would bring a win-win solution to our labor imbalance and fiscal problems.

Just-in-time can do for immigration what it has done for inventory management: increase productivity and reduce human adversity. Those countries who tackle the labor mobility challenge with dynamic, insightful policies will get first mover advantage -- a clear head start that will enhance global competitiveness. It's time for just-in-time.
