— A question from a member of the Pentagon’s new cyberwarfare unit the other day prompted President Obama to voice his frustration about America’s seeming inability to deter a growing wave of computer attacks, and to vow to confront the increasingly aggressive adversaries who are perpetrating them.
“Offense is moving a lot faster than defense,” Mr. Obama told troops on Friday at Fort Meade, Md.
, home of the National Security Agency and the United States
Cyber Command. “The Russians are good. The Chinese are good. The Iranians are good.” The problem, he said, was that despite improvements in tracking down the sources of attacks, “we can’t necessarily trace it directly to that state,” making it hard to strike back.
Then he issued a warning: “There comes a point at which we consider this a core national security threat.” If China
and other nations cannot figure out the boundaries of what is acceptable, “we can choose to make this an area of competition, which I guarantee you we’ll win if we have to.”
If Mr. Obama sounded uncharacteristically combative on the topic, it is because finding a way to deter computer attacks is one of the most urgent and confounding problems he faces in his last 16 months in office. The problem is all the more pressing because it is where the high-tension diplomacy surrounding the state visit, in just 10 days, of President Xi Jinping of China merges with the challenge of containing Iran in the aftermath of the recently completed nuclear agreement with Tehran
Mustering the leverage to deter attacks is exactly what Mr. Obama is struggling to accomplish in the days leading up to Mr. Xi’s visit. For six weeks, American officials have warned that they are preparing sanctions against Chinese hackers, telling Chinese officials in private meetings that the combination of intellectual property theft and espionage on an unprecedented scale — the theft of the 22 million security dossiers from the Office of Personnel Management, for example — cannot go unanswered.
But an argument has broken out within the administration over whether to invoke those sanctions now and risk a blowup with Beijing
before Mr. Xi’s arrival, or use the threat of them to try to extract something from the Chinese.
The White House revealed late Saturday that a high-level Communist Party envoy sent by Mr. Xi, Meng Jianzhu, spent four days in Washington last week meeting with intelligence and law enforcement officials in an effort to create some “rules of the road” for Internet actions between the United States and China before they derail an already fraught relationship.
Josh Earnest, the White House
press secretary, described the talks with the Chinese as “pretty blunt,” and one of the officials who met with Mr. Meng, China’s domestic security chief, was less diplomatic, calling the talks “pretty ugly.”
The day Mr. Meng returned home, China’s official state news media quoted him as saying that the Chinese government would crack down on criminal hackers, though the statement was vague about what would happen to those acting on behalf of the Chinese government.
In classified sessions, American intelligence agencies have told members of Congress that while computer attacks on the United States emanating from Iran decreased during the negotiations over the nuclear accord, they believe that an Iran
stymied in developing a nuclear ability over the next 10 to 15 years is likely to pour more resources into cyberweapons. Such weapons have already been used against the Navy, American banks, a Las Vegas casino and Saudi Arabia’s largest oil producer, without setting off significant retaliation.
The day before Mr. Obama spoke at Fort Meade, the director of national intelligence, James R. Clapper Jr., said at a congressional hearing that the United States lacked “both the substance and the mind-set of deterrence.” But he went on to say that he was far less worried about a “large Armageddon strike” that would take out America’s power systems than about the kind of smaller but persistent attacks that damaged Sony Pictures Entertainment.
With both Iran and China, Mr. Obama is struggling with variants of the same problem: How do you contain a rising power that has discovered the benefits of an anonymous, havoc-creating weapon that can also yield vast troves of secret data? And how do you convince them that actions for which “they have paid no price,” as the director of the N.S.A. and the Cyber Command, Adm. Michael S. Rogers, put it the other day, will no longer be cost-free?
“We have a deterrence deficit,” said David Rothkopf, the author of “National Insecurity: American Leadership in an Age of Fear.”
“The U.S. is very good at dealing with the gravest global challenges, like global thermonuclear war, and also very good at empty gestures and rhetoric,” he said. “The problem we have is with our middle game, and yet most of the challenges we face are, of course, in the middle.”
With Iran and China, of course, cyberwarfare is only part of those middle-game challenges. Containing Iran’s growing influence in Iraq
, Yemen and throughout the region is central to the administration’s post-accord challenge. And containing China’s effort to reclaim islands in the South China Sea, a bet by Beijing that neither Washington nor Asian nations will stop it from developing a new base of operations and exclusive claims to air and sea territory, is the subtext of much of the tension with Mr. Xi’s government.
But the escalating cyberconflict poses a particularly complex problem, because there is no equivalent of the Nuclear Nonproliferation Treaty for computer networks. That is exactly what makes the use of cybertechniques and weapons so attractive to the Russians, the Chinese, the Iranians and the North Koreans — and, to some extent, the United States.
So far, the administration’s response has seemed inconsistent, and to many incoherent.
When North Korea was identified as the country that attacked Sony, Mr. Obama — in possession of evidence gleaned from the N.S.A.’s yearslong penetration of North Korean networks — went to the White House press room, declared that the leadership in Pyongyang was responsible, and said the United States would retaliate at the time and in the manner of its choosing.
The public retaliation was a series of modest financial sanctions that did little additional damage to the most sanctioned country on earth. If there was a lasting response to the attack, only North Korea knows about it.
And when Unit 61398 of the People’s Liberation Army in China was exposed as the force behind the theft of intellectual property from American companies, the Justice Department announced the indictment of five of the army’s officers. Justice officials hailed that as a breakthrough. Inside the intelligence community and the White House, however, it was regarded as purely symbolic, and the strike on the Office of Personnel Management continued after the indictments were announced.
“The Chinese have discovered they can launch cyberattacks against us and that our officials seek to downplay them or offer up limp, ineffective responses, like indicting people behind them who will never ever see the inside of a U.S. court,” Mr. Rothkopf said. “This has added to the perception that we are weak, which in turn is an incentive to more opportunistic bad actors.”
Mr. Obama was determined to do more, his aides said. He issued an order in the spring, based on lessons learned in the Sony attack, enabling him to issue sanctions against individuals or organizations deemed responsible for computer attacks — similar to his powers to deal with nuclear proliferators or terrorists. But they have never been used.
The administration made it clear that Chinese hackers would be in the first wave. And when Susan E. Rice, the national security adviser, went to Beijing recently to prepare for the visit of Mr. Xi, computer warfare was a major source of contention. “That’s when they woke up and sent Meng,” said one senior official who would discuss private diplomatic conversations only on the condition of anonymity.
No one is expecting a simple solution. In testimony last week, Mr. Clapper went out of his way to correct members of Congress who called the personnel office episode an “attack,” noting that it was espionage, something the United States does often to the Chinese. And the intelligence agencies do not want any agreements that would limit their own ability to use cyberweapons for covert purposes, as the United States did against Iran in an operation aimed at disabling parts of its nuclear program.
And now Iran is part of the worry. Admiral Rogers told a House panel that while cyberattacks directed at the United States abated during talks over the nuclear deal, the country was now “fully committed” to using them as part of a revamped military strategy. The Iranians, another senior intelligence official said, discussing private intelligence assessments on the condition of anonymity, “will be looking intensely at how we handle the Chinese.”