Cybercrime is too serious to rely solely on network defenses, Peter Harrell argues.
On April 1, the Obama administration announced a new sanctions program to target "malicious cyber-enabled activities" -- the criminal hackers and government-backed spies who threaten America's security and prosperity with sophisticated online attacks.
The U.S. government did not issue sanctions against any of the individual hackers responsible for thousands of attacks on U.S. companies and government networks in the past two years. Nevertheless, by announcing the new program and creating the legal tools to freeze the assets of individual hackers in the future, the U.S. sent a clear message: After years of playing defense against cyberthreats, America is ready to play offense as well.
Cyberattacks are one of the most serious threats facing the U.S. today. In just the past two years, hackers have broken into computer systems at the White House, State Department and Pentagon; stolen millions of Americans' personal information from U.S. companies; and disrupted the computer networks of some of America's most important companies.
U.S. officials regularly express concern that cyberattacks could undermine the integrity of America's banking sector, power grids and other vital infrastructure, while corporate executives report increasing numbers of attacks, some of which appear to be backed by foreign governments and designed to steal sensitive corporate information.
A 2014 study by McAfee found that cybercrime costs the global economy $400 billion every year.
With the new sanctions, the United States is putting the criminal groups and foreign governments responsible for these cyberthreats on notice: If the attacks continue, the U.S. will begin to freeze their assets and cut them off from doing business in this country. Foreign companies that seek to benefit from cyberattacks on the U.S. -- like foreign companies seeking to purchase trade secrets stolen from their American competitors -- will face similar penalties.
Of course, the full impact of the new sanctions program will depend on how the government implements it. Effective implementation will require greater cooperation between the U.S. private sector and the U.S. government to identify the specific hackers who should be sanctioned, and the Obama administration should encourage our allies in Europe and elsewhere, who face similar cyberthreats, to develop similar sanctions tools.
Of course, sanctions are not a substitute for a broader cybersecurity strategy. Other steps are also critical, and the government and private sector must make investments to harden our defenses and improve our online security.
Individual Americans also need to become more aware of the steps we can all take to make sure that our own computers are not hacked. Indeed, a striking percentage of successful cyberattacks succeed in part because an individual opened a suspicious email message or downloaded an infected file. Such attacks could be prevented by better individual cybersecurity awareness.
In addition, we can't fight 21st-century threats within a 20th-century legal framework. Congress must act on proposals to modernize U.S. criminal laws to better enable federal prosecutors to arrest the individuals and companies that compromise American computer networks.
The sanctions announced by the administration are an important element of an overall strategy to contain growing cyberthreats. To succeed in protecting ourselves from such threats, the United States needs to play offense as well as defense. The president's announcement is a strong signal of U.S. intentions to do just that and to hold to account the hackers and governments breaking into America's networks.
NEXT STORY: Burr stumps for cyber bill