Here's a headline you could have found crossing the news wires any time in the last decade: "Pentagon worried, China upgrading cyberwarfare capabilities."
But now Uncle Sam is really starting to fret. A new Pentagon report to Congress on the state of China's military (PDF) describes the People's Liberation Army as being on a march to acquire a more potent information technology-fighting capacity.
Looking more than a decade over the horizon, the Pentagon expects China to try to gain expertise that would allow it to strike foreign communications and logistics nodes, as well as financial infrastructure and information operations, in case of a conflict.
What's more, French and German government officials in the past year have accused the Chinese of sponsoring computer network intrusions. The director-general of Britain's MI5 security service also weighed in with a warning to 300 financial institutions that the People's Republic of China was targeting their computer networks.
However, here is where things get sketchy. You can talk about intrusions, but in the absence of a smoking gun--or is it a dirty keyboard?--identifying the culprit involves much guesswork. Even the Pentagon allows as much:
It is unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC government. Developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject.
I needed a reality check, so I called up Howard Schmidt, a security consultant who was the White House's second cybersecurity czar. After reading the paper, he said the one aspect that differed from years past is the amount of time the Pentagon devoted to the topic.
"That's the biggest difference," Schmidt said. "Not only the Chinese government, but other governments as well have been looking at the asymmetric warfare space--and it's not only in the kinetic environment, but in the cyber(environment) as well. If you can blind the enemy by hitting their communications, then you have effective control."
At the risk of belaboring the obvious,for quite a while. If we're still sitting ducks, who's really to blame? In the post-September 11 era, there's been no shortage of commentary urging the U.S. to fix network holes that have existed for years. Schmidt quite correctly pointed out in our conversation that these remaining vulnerabilities offer a tempting target for outsiders to steal data.
"That's what we should focus on," Schmidt said. "Here's the bigger issue: we need to focus to make sure that we don't have vulnerabilities that would otherwise give people these opportunities. It's a given that people will do these things--whether they be state-sponsored or the acts of an individual. We have to close the holes."
Sooner, rather than later? I wouldn't hold my breath.