Modern field guide to security and privacy

Intel chiefs draw distinction between digital espionage and malicious hacks

At a Congressional hearing Thursday, officials stressed the need to develop clearer international norms to determine what's a tolerable amount cyberspying and what's unacceptable. 

Gary Cameron/Reuters
Director of National Intelligence James Clapper testified at a Congressional hearing on cyberthreats Thursday along with CIA Director John Brennan (right) and FBI Director James Comey (not pictured).

Ever since Edward Snowden revealed widespread US surveillance and data gathering, US national security officials have been trying to manage the public relations fallout at home and abroad.

Two summers later, they seem willing to concede similar intelligence-gathering efforts by foreign adversaries may fall within the realm of acceptable behavior.

“I caution that we think about the old saw about people who live in glass houses,” James Clapper, Director of National Intelligence, told the House Intelligence Committee in a Thursday hearing on worldwide cyberthreats. “We should think before we throw rocks. These are very complex policy issues.”

Making the distinction between intelligence-gathering and corporate espionage is becoming especially important as the White House considers imposing groundbreaking sanctions on several Chinese entities for theft of trade secrets from American businesses, reportedly ahead of President Xi Jinping’s state visit to Washington later this month.

US officials are also reported to believe that China is behind the massive breach of the Office of Personnel Management, which compromised the Social Security Numbers and personal information of millions of people.

Washington is debating whether and how to respond, yet China routinely denies carrying out corporate espionage, instead accusing the US of hacking Chinese interests and arguing that leaks from former contractor-turned-fugitive Mr. Snowden reveal a troubling double standard.

By appearing on Capitol Hill and arguing for a clear distinction between what they see as intelligence-gathering versus other malicious cyberactivities, however, US officials seem to be making a case for why sanctions against China and other countries that engage in cyberattacks against the US would be acceptable – and not hypocritical.

The core of the argument: The US does not engage in corporate espionage, data theft and sabotage to help American businesses for economic reasons.

“We clearly understand nation states use the spectrum of capabilities they have to attempt to generate insight into the world around them,” said Adm. Michael Rogers, director of the National Security Agency. “That does not mean the use of cyber for manipulative, destructive purposes is acceptable.”

An executive order from President Obama earlier this year gives the US Treasury Department the authority to impose sanctions on individuals or organizations engaged in harmful activities against American interests in cyberspace. The order gives the Treasury Department targeted authority to freeze assets and seize property belonging to those identified as engaged in attacks against US critical infrastructure or in attacks that result in financial loss, theft of intellectual property, trade secrets and personally identifiable data.

Yet the complexities of attributing who is behind certain actions in cyberspace can make it hard to delineate between acceptable and unacceptable behavior when considering how to dole out such punishment.

All this may contribute to a heightened urgency among US officials to find common ground on the need for new rules of the road for engagement in the digital realm. “The long term end-state we have to get to is this idea of acceptable norms and behavior. What’s within reason and what’s not within reason,” Mr. Rogers said.

Making matters worse is the lack of consistent terminology and a common lexicon for describing various cyberthreats, Clapper added.

Many for instance have described the disastrous data breach at OPM as a cyberattack, while in reality, Clapper said, there was no manipulation or destruction of data – it was simply stolen. “That is a passive intelligence collection activity just like we do,” he said.

“It’s not that we don’t make that distinction,” Mr. Clapper said. “But the adversaries, most notably the Chinese, do not at all in the ultimate purpose for which they extract data from us,” he said.

Rep. James Himes (D) from Connecticut said the US needs to commit to helping develop some Geneva Convention-like rules of the road on how cyberwarfare is conducted to help policymakers develop appropriate responses, and, potentially, to avoid out-of-proportion retaliation.

“We don’t know, today, what constitutes an act of war – we don’t know what an appropriate response is, we don’t know where the line is drawn between crime and warfare,” Mr. Himes said. “Is stealing classified information from us an act or war, or is it just an act of espionage that we do to each other and maybe even grudgingly admire? What if that espionage leads to the death of a source or the death of hundreds of sources? At what point does it become an act of war?”

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.