The debate over the Cyber Intelligence Sharing and Protection Act is largely a debate about how Congress will allocate authorities and powers to fight against Chinese cyber-espionage, which siphons off from the U.S. economy as much as $100 billion a year in intellectual property and proprietary information. CISPA is controversial because it vaguely defines what a "cyber threat" actually is, immunizes U.S. companies who share personal information with the government, lacks oversight mechanisms to prevent abuse by the government, and militarizes what is, in essence, a law enforcement function — an FBI and Department of Homeland Security function.
That latter objection is based on the Obama administration's intention to fight Chinese crime using a variety of different mechanisms. Importantly, it wants to determine how to fight — it does not want Congress to tell them how and when cyber information must be shared between private companies, the FBI, the CIA or the National Security Agency. Still, the White House has not explicitly said that President Obama won't allow some version of CIPSA to reach his desk. It has said that personal privacy is not well-protected by CIPSA, but traditionally, the executive branch has used this excuse as a fig-leaf to cover their opposition for other reasons.
So what can the U.S. do to reduce the cyber threat from China?
1. It can build an electronic wall around the country, forcing all Internet traffic to be subject to deep packet inspection; and then, to compare those packets against known signatures from China; segregate them; eradicate the malware from them, and then let them through. As I've written before, this is something the National Security Agency believes it CAN do but something that virtually every stakeholder except those inside the government believe would be an awfully hard sell to the American people.
2. It can require, or encourage, major technology companies that serve as Internet gateways for most Americans to boost their own cyber defenses, and then share, with immunity, suspected cyber threats with the government in real-time, allowing the NSA to swoop in and solve the problem. This is, incidentally, the CISPA approach.
3. It can secretly share with the big Internet companies the cyber techniques and tactics used by Chinese corporations and the military, giving U.S. companies a chance to develop cyber counter-measures. It can work in secret with companies to lure hackers from China into systems, and then manipulate those hackers into divulging attack patterns, which can be reverse-engineered to fortify defenses. Publicly, it can enforce its own laws against hacking and set an example for the world to follow.
4. It can fight back, engaging in tit-for-tat brinksmanship, hoping to convince the Chinese to back off by demonstrating the capacity of U.S. computer network operations. Though there is a body of secret law authorizing offensive cyber exploitation against China, the Obama administration doesn't want to engage in "war," as commonly understood. Less kinetic means include sanctions, property seizures and military deception/information operations campaigns.
5. It can provide significant incentives for individuals and corporations to protect themselves, allowing free market mechanisms to determine the structure and rules of economy-wide computer network defense. For this approach to be effective, there has to be a broad understanding of what the threat is, what can and can't be done about it, and informal "rules" to shame/encourage those who don't and do participate. It can also work with companies that do major business with China to influence Chinese policies; it can propose a global treaty that would set clear guidelines and an enforcement mechanism. It can, can, can, but there are so many ifs, ands and buts to deal with it that they — we — probably won't, not for awhile anyway.
Some combination of all of these approaches is going to be the de facto law of the land, even though the community of smart people who debate cyber security still haven't agreed on a set of basic propositions, like whether it is possible to determine precisely where an attack emanated and what its motive actually was and who can be blamed for it.
But the U.S. is not powerless. And that's the point.
