Wednesday, January 4, 2017

Obama’s Self-Serving Cybersecurity Spin

Jeffrey A. Eisenach, Wall Street Journal, Updated Jan. 4, 2017

There’s real cause for alarm, but it isn’t the recent malware.

Misleading the American people to advance a political narrative has been a hallmark of President Obama’s foreign policy. The most recent example is the administration’s attempt to conflate the hacking of the Democratic Party with potential cyberattacks on critical infrastructure.

Last week, federal officials told the Washington Post that malware linked to Russian hackers was found on a laptop at Burlington Electric, a Vermont power company. By Monday the Post had recanted, writing that investigators “are finding evidence that the incident is not linked to any Russian government effort.”

But Americans could be forgiven for feeling spooked—for worrying that the hack of the Democratic Party was a lot more serious than previously thought, and that perhaps critical systems are facing a new and dangerous threat.

This simply isn’t the case. The kind of malware involved in these two intrusions is neither new nor particularly sophisticated. It is run-of-the-mill spyware that has probably been implanted on thousands of networks around the world, from home computers to those inside banks, power companies and government agencies.

These bugs are freely available online, and the code found at the Democratic National Committee and the power company isn’t even the latest version. The notion that such a mundane piece of software reveals a new and ominous threat to critical infrastructure is laughable.

Which isn’t to say American infrastructure is safe. It is common knowledge in the cybersecurity community that the U.S. power grid and other critical systems are infested with sophisticated malware placed there by foreign actors. If activated, that software has the potential to cause serious harm, similar to how the Stuxnet virus disabled Iran’s nuclear centrifuges in the early days of the Obama administration. In 2012 then-Defense Secretary Leon Panetta warned of a “cyber Pearl Harbor” that would “cause physical destruction and the loss of life,” as well as “paralyze and shock the nation.”

The risk of a serious cyberattack, for now, is moderated by the threat of retaliation: China, Iran and Russia know that the U.S. would strike back if attacked—and not necessarily only in cyberspace. But the cyber equivalent of mutually assured destruction won’t protect us for long. Rogue states like North Korea, and other actors such as Islamic State, are quickly gaining cyberwarfare capabilities. These groups don’t fear retaliation in the same way.

Cyberthreats pose a clear danger to national security, and building an effective defense will take a concerted effort by the Trump administration. Americans are right to be concerned. But by playing on those fears, the Obama administration is putting politics ahead of the national interest.

Mr. Eisenach is a visiting scholar at the American Enterprise Institute and lead author of its recent report “An American Strategy for Cyberspace.”