For the past few months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments.
Robert S. Mueller III, director of the FBI, said cyberattacks would soon replace terrorism as the agency's No. 1 concern, as foreign hackers, particularly from China, penetrate American firms' computers and steal huge amounts of valuable data and intellectual property.
It's not hard to imagine what happens when an American company pays for research and a Chinese firm gets the results free; it destroys our competitive edge. Shawn Henry, just retired as FBI executive assistant director (and its lead agent on cybercrime), told Congress recently of an American company that had all its data from a 10-year, $1 billion research program copied by hackers in one night. Gen. Keith B. Alexander, head of the military's Cyber Command, called the continuing, rampant cybertheft "the greatest transfer of wealth in history."
Yet the same Congress that has heard all of this disturbing testimony is mired in disagreements about a proposed cybersecurity bill that does little to address Chinese cyberespionage. The bill, establishing noncompulsory industry cybersecurity standards, is bogged down in ideological disputes. Sen. John McCain, who dismissed it as a form of unnecessary regulation, has proposed an alternative bill that fails to address the inadequate cyberdefenses of companies running the nation's critical infrastructure.
Since Congress appears unable and unwilling to address the threat, the executive branch must do something to stop it.
In the past, FBI agents parked outside banks they thought were likely to be robbed, and grabbed the robbers and loot as they left. Catching cyberspace robbers is not as easy, but snatching the loot is possible.
Gen. Alexander said the military saw an inbound attack aimed to steal sensitive files from a U.S. arms manufacturer. The Pentagon warned the company, but the government did not intervene because no federal agency believes it currently has the authority or mission to do so.
With proper authorization, the U.S. government could stop files in the process of being stolen from reaching Chinese hackers. If agencies were authorized to create a major program to seize data leaving the country, they could drastically reduce today's wholesale theft of American corporate secrets.
Many companies don't even know when they've been hacked. According to congressional testimony, 94 percent of companies served by the computer-security firm Mandiant were unaware they had been victimized. And although the Securities and Exchange Commission has urged companies to reveal when they are victims of cyberespionage, most do not. Some, including Sony, Citibank, Lockheed, Booz Allen, Google, EMC and the NASDAQ have admitted to being victims. The government-owned National Laboratories and federally funded research centers have also been penetrated.
The Obama administration has not developed a proposal for spotting and stopping vast industrial espionage. It fears a negative reaction from privacy-rights and Internet-freedom advocates who don't want the government scanning Internet traffic. The administration fears further damaging relations with China, and that standing up to China might trigger disruptive attacks on America's vulnerable, computer-controlled infrastructure.
But by failing to act, Washington is effectively fulfilling China's research requirements while helping put Americans out of work. Obama must confront the cyberthreat, and he does not need new authority from Congress to do so.
Under Customs authority, Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. Under the Intelligence Act, the president could authorize agencies to scan Internet traffic outside the United States and seize sensitive files stolen from within our borders.
This does not have to endanger privacy rights. Indeed, Obama could build in protections like appointing an empowered privacy advocate who could stop abuses or any activity that went beyond halting theft of important files.
If Congress will not act to protect America's companies from Chinese cyberthreats, Obama must.
Richard A. Clarke, special adviser to the president for cybersecurity from 2001 to 2003, wrote this piece for the New York Times. He wrote Cyber War: The Next Threat to National Security and What to Do About It.