If Rule Number One in medicine is “Do No Harm,” then Rule Number One in foreign policy-making is surely “Do No Harm to Your Own Country.” Which is why the Washington Post‘s report this morning on the latest wrinkle in the Obama administration’s cyber-security strategy is such bad news if it’s true.
According to Post reporter Ellen Nakashima, the president is seriously considering retaliating against China’s cyber-attacks on American business in significantly stronger ways. At first glance, this kind of decision seems welcome. After all, unlike Chinese (and other) hacks of U.S. government agencies, attacks on business don’t qualify as just the newest version of the kind of national security-related spying that’s common practice by all the world’s governments, including America’s. The administration has responded so far mainly by complaining to Beijing, urging the negotiation of international cyber “rules of the road,” and by indicting a handful of Chinese military personnel for penetrating American corporate computer systems – to no apparent avail.
But the likeliest effect of this report – much less an actual U.S. decision to take the steps described – is to advertise American weakness on this front, not strength, and encourage still more, and more destructive, Chinese (and other) attacks. The reason is simple. The retaliatory moves supposedly being mulled by Mr. Obama wouldn’t target the Chinese economy as such. Instead, they would be aimed at “Chinese companies and individuals who have benefited from their government’s cybertheft.”
Targeted sanctions arguably make sense when companies and individuals are the real culprits. But does anyone seriously think that whatever and whoever Chinese actors are hacking American companies are free agents having nothing to do with the Chinese government – and in fact the top Chinese leadership? Of course not.
One former Obama cyber security official quoted (by name) in the article argued that the contemplated sanctions could effectively put out of business any large and global companies that are sanctioned. Why so? Because, as he explained “most significant financial institutions refuse to do business with individuals who have been sanctioned by the United States. ‘So any company that’s been targeted under this authority…will likely find it very difficult to participate in the international financial sector. ‘”
That reasoning sounds impressive – but only if the sanctions hit one of the state-owned business giants so prominent in the Chinese economy. Any entities even modestly smaller would seem to face few obstacles under China’s fake legal and regulatory systems in dodging retaliation by simply changing their names and resuming operations after a decent interval. The Chinese government is so secretive that Washington would face excruciating difficulties even identifying the ruse.
And since both the Chinese government and the U.S. government are undoubtedly aware of all these realities, it’s hard to avoid concluding that this new American approach amounts to (unwittingly) flashing a green light for Beijing’s hackers, not issuing a credible warning. And this interpretation looks even more convincing given the statement I’ve flagged from recently retired Chairman of the Joint Chiefs of Staff Martin Dempsey (while he was still on duty) that the United States does not enjoy cyber-war superiority in today’s world. Just to remind you – that’s the American military’s top post.
As a result, no one should blame President Obama for proceeding cautiously in the cyber warfare realm. But he can legitimately be blamed for making – and telegraphing – policy choices that can only embolden U.S. adversaries.