In 1993’s “Groundhog Day,” Bill Murray plays a weatherman who finds himself reliving the same day over and over again. Over time, he acquires many new skills and insights from this repetitive experience. By the end of the movie, he is not only enriching the lives of those around him, he is saving lives as well.
When it comes to cybersecurity, the U.S. is stuck in its own “Groundhog Day.” But a happy ending may not be in the cards. Unlike the weatherman, it’s not clear that we are learning from the past.
Several months ago, President Trump tweeted out that he was thinking about working with the Russians to create “an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded.” Thankfully, this tweet was quickly walked back. But it exposed Washington’s continuing confusion about how to approach bad actors in cyberspace.
Under President Obama, bad actors like Russia, China, Iran and North Korea were sometimes punished as the aggressors they are. At other times, however, they were treated as fellow victims. In 2012, for example, then-Secretary of State Hillary Clinton said that America and China were both “victims of cyberattacks and it is vital that we work together to curb this behavior.”
A couple of years later, the U.S. indicted five Chinese military hackers for cyberespionage. Then in 2015, the U.S. went back to buddy-buddy mode, inking an agreement with China on cybersecurity.
While the U.S. waffles and wavers, these countries continue to do whatever they think is in their interests — international norms and agreements be damned. Their consistency is impressive.
Moscow has violated numerous nuclear, chemical, and biological weapons treaties. It has repeatedly flouted basic law enforcement norms to protect Russian hackers, and it continues to illegally occupy Crimea and other parts of Ukraine, as well as parts of Georgia and Moldova, in direct violation of multiple agreements it has signed.
Beijing, a signatory to the U.N. Convention on the Law of the Sea, has ignored a U.N. arbitration panel’s rejection of its spurious territorial claims in the South China Sea. It continues to trample on the rights it guaranteed to the people of Hong Kong in the Sino-British Joint Declaration. And despite its promises to stop state-sponsored cyberattacks and espionage, the regime continues these activities, albeit in a less in-your-face fashion.
Iran and North Korea are just as bad, or worse.
Yet despite these histories of consistent hostility and duplicity, the nagging notion that we can cooperate with these bad actors in cyberspace sticks around in some Washington quarters as persistently as Groundhog Day does for Bill Murray.
Clearly Russia, China, et al. would be unreliable partners. Worse, collaborating with them would actually undermine our security. It would give them deeper insight into how our systems operate and how our organizations function. What better way for malicious nations to learn how to attack us more effectively in cyberspace?
Washington’s seesaw approach to cybersecurity — playing nice with our antagonists and then playing hardball — only shows them that we do not understand them or how to handle them. And that simply emboldens them further.
It’s time to learn from the past and stop entertaining the foolish notion that our cyber opponents are interested in cooperating with us in any way that would advance U.S. interests.
When the Senate takes up the National Defense Authorization Act in the coming weeks, it should explicitly reject cyber-cooperation with Russia and China. Specifically, lawmakers should bar the U.S. military from spending any money on cybercollaboration with bad actors. Exceptions can be made for emergency hotlines and similar forms of communication.
It took weatherman Phil Connors years and years of Groundhog Days to get things right. The U.S. can’t wait that long to shake the recurring delusion that cybercriminals can make good partners. Congress needs to shut it down for good.
This piece originally appeared in The Washington Times