Bringing Out the Big Stick

 

President Obama yesterday signed an executive order that will put serious economic pressure on organized cyber criminals operating from overseas and on foreign companies that benefit from the cyber theft of American trade secrets and other intellectual property.  I have previously criticized this administration for bringing too little, too late to this fight, but this order has real teeth.  The President has moved beyond palliatives.

The order permits the government to freeze the assets of anyone who engages in, or who is complicit in, cyber attacks from abroad that harm or attempt to harm organizations “in a critical infrastructure sector.”  That sector, defined in regulation, now includes a wide swath of the economy, including banks, energy, and pharmaceuticals, all of which are being relentlessly attacked over our networks.  Anyone who uses cyber means to steal trade secrets, money, or intellectual property “for commercial or competitive advantage or private financial gain” is also subject to the order.

These provisions alone would not accomplish much because cyber thieves are hard to catch and are usually protected by uncooperative governments, chiefly in Russia and China.  So the order goes farther.  In the case of stolen intellectual property, it permits the government to freeze the assets of any company that benefits from the stolen property, “knowing it to be stolen.” That knowledge is easily supplied, either to the company that manufactured the widgets or the U.S. company that imported them.  The goods would then be subject to seizure.

The order also covers the property of people and companies acting directly or indirectly on behalf of parties whose property is blocked by the order.  If you’re an estate agent in Mayfair, for example, you must now think very carefully before handling the property of Russian Mafiosi who have been or could be tied to cyber crime.  If you do, you can now be excluded from entry into the United States, and if your agency has an office in Beverly Hills or Manhattan, the whole operation can be seized, kit and caboodle.  Banks, which already have a headache trying to “know their customers,” will require even more aspirin.

This order was made under statutes that give the President emergency powers.  Invoking them was a big step.  It was based on the President’s finding that “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”  True enough.  Well done, Mr. President.  It’s now up to the Treasury Secretary to put this order into effect through regulations.  Let’s get going, Mr. Secretary.

 

Let’s Stop Playing Whac-a-Mole on our networks

The White House has been slow to address the cyber defense problem and continues to miss the boat.  For years we’ve been playing Whac-a-Mole, but there are too many moles in the garden to whack.  The President’s proposal for better information sharing with the private sector would be a good thing; Congress should pass that bill.  But it would not touch the underlying weaknesses in the networks.  Nor would heavier penalties for cyber fraud or a uniform national breach reporting law.  In Politico today I lay out five steps we could take that could really make us safer.

Merely an attack on a German steel producer — or is it a message to Germany?

This link will take you to an account of a sophisticated, network-enabled attack on a German steel producer that disrupted production and caused physical damage to a blast furnace.  We are at the beginning, not the end, of an era in which proliferating and uncontrollable expertise, backed by very little capital, can be leveraged to cause huge damage to critical systems that reside on the same vulnerable infrastructure that supports middle school chit chat.

State-Sponsored IP Theft: The Huge Hole in the WTO — and How to Fix It

How is it that the world’s trading nations, including Russia and China, are obligated by treaty to protect other nationals’ intellectual property within their own borders, but are free to steal it when operating abroad?  Near-universal digitization of information and pervasive connectivity have turned state-sponsored IP theft into a plague.  The World Trade Organization was created in 1994 — just before the digital revolution shook up commercial and personal life. It was meant to bring IP into the world of “honest commercial practices in international trade,” but the treaty came too early to deal with cross-border, network-enabled IP theft.  This is a huge hole in the way the WTO works, and it’s time to fix it.  This will be hard and will require a sustained diplomatic effort.  This month, in an article called “The New Industrial Espionage” in The American Interest, I lay out a case for how it could be done.

A Reflection on Veterans’ Day 2014

I had the good fortune this Veterans’ Day to participate in a panel on surveillance sponsored by the ACLU at Harvard Law School and moderated by Professor Jonathan Zittrain, and the equal good fortune to have as fellow panelists federal appellate Judge Alex Kozinski and the ACLU’s Alex Abdo.  It was fitting, on the day we remove our hats to those who served in our military, to recall the liberties for which they served and to wrestle with the relationship of liberty and security.  Rather than retail the high-minded sentiments we’ve all heard on that subject, however, I want to repeat something I said at NSA when I became that agency’s inspector general in 2002.

 

If one draws a Venn diagram of two circles on a page, one circle representing those who care deeply about civil liberties and another representing those who care deeply about national security, they hardly overlap.  By “care deeply,” I don’t mean a distracted shrug in the right directions.  I mean taking the time and trouble to know and speak up about abuses of liberty that even in the best of times occur around us, and to understand the military and other structures, but especially the military and those who serve in it, that make us secure.  This separation of concerns, and even worse, the sociological separation of interested groups, has grown decidedly greater since the creation of a volunteer military.   Less than one percent of Americans now serve in the military.  As a result, knowledge of military affairs in the public and in Congress may be at an historic and lamentable all-time low.

 

The two circles on my Venn diagram will never be perfectly superimposed.  Sociological as well as ideological factors push them apart.  They nevertheless represent values that in a decent civil society can never be separated.  It was clear to me as I assumed my duties at NSA in 2002 that the powerful momentum toward security would one day shift, and that actions taken in the face of immediate danger would eventually be subject to harsh scrutiny.  In some cases that scrutiny would result from cooler judgments about real risk, in others from the fickle attention of citizens who, having comfortably forgotten the truly grave threats to the country that followed the first strikes on September 11, 2001, were equally willing to forget the need for exceptional measures and for the exceptional sacrifices that people in and out of uniform were making to protect the country.  Yet it was hot-headed to say, as some highly placed politicians were then saying, “Everything has changed now” – that was code for ignoring Constitutional principles on detention and torture – or to say that we could not take even a one-percent risk of terrorism.  Free societies take constant risks with both crime and terrorism.  We could reduce crime to near zero – the Soviets did it. We could probably also reduce the risk of terrorism to near zero – but not at a price in liberty we are willing to pay.  A society that declares it will take no risk with crime or terrorism defines itself as a police state.

 

And so on Veterans’ Day it seems to me fit to reflect that it is a citizen’s duty to push these two circles closer together by becoming personally engaged both in the actual state of civil liberty in our land and in the treatment of our veterans.  It is not sufficient to thank these men and women for their service.   When soldiers, sailors, airmen, and marines return from warfare with broken bodies and shaken minds, they require a consistent and high level of care and training, and they have not had it.  We are breaking faith.  A nation that taxes itself to make war must also tax itself to care for its warriors.