Co-authored by Dr. Stephen Bryen
The news is out --semi-officially-- thanks to a report by the Defense Science Board. The Board, which was established in 1956, is made up of civilians who advise the Pentagon on a variety of technology-related subjects. It has released a report, Resilient Military Systems and the Advanced Cyber Threat, which makes it clear that the Pentagon's cyber "hygiene" is weak and U.S. defense technology has been effectively targeted by foreign governments. The result is that most advanced U.S. weapons systems, from the F-35 stealth fighter to the most advanced underwater torpedoes, and everything in-between, has been stolen. While the word "China" is not mentioned, everyone knows that it is China that is systematically purloining our technology.
The fact is, we can say we have two defense budgets --one for us and one for them. Indeed, as things stand today, the technology pipeline to China is wide open, and we are losing billions and billions of dollars of investment and seriously compromising our security.
While the Report of the DSB is serious and important, unfortunately it is not "news." The fact of the matter is that China's rip off of America's defense technology assets has been going on for a number of years. There are numerous public reports about it, and the intelligence community has been watching this happen for an even longer period.
It is fair to ask a straightforward question. Why have we let this go on?
We believe the answer is that we have approached the problem with a fundamentally flawed concept on how to stop Chinese cyber theft.
The Pentagon's idea, which is more or less shared across the government, is that the answer is to build better cyber defenses. While cyber defenses are certainly important, so far implementation of effective cyber defenses remains incomplete and, to some degree, elusive. Technology is moving so fast, and hacking has become so extreme, that keeping up is nearly impossible. The DSB is pushing for more and better cyber defense measures, but the jury remains out whether this tactic can succeed.
Defense technology is shared between government organizations and the military on one side, and industry on the other. Millions upon millions of pages of documentation are associated with every defense program, and much of this documentation is not classified.
The reason for this is operational. It is probably impossible to classify all defense department documents since doing so would limit the number of engineers and technicians who can work on defense programs, make sharing with allies and friends extremely difficult, and create a massive supervisory burden that today's system cannot manage.
If information is not classified, typically it is stored on computers that also are not classified. What does this mean? It means that the information is not encrypted or scrambled. In turn that means that if the information is stolen, it is readily accessible by the thieves.
What has to change is the ground rule on encrypting sensitive, but not classified information.
Most government information is poorly protected because it is not encrypted --information such as tax forms, social security data, health and human services documents to name a few. The bulk of defense system information is not encrypted.
The classical division between classified information and unclassified information is no longer functional. We need to implement encryption, not classification, for all government materials that are not accessed by the public, and particularly for defense information. Defense contractors should be directed to do the same.
Good encryption will block the Chinese from using stolen information. While it won't prevent cyber attacks (we still need good cyber defense for that), it will blow up China's effort to use our defense systems against us.