Page 111 - Privacy in a Cyber Age Policy and Practice
THE PRIVATE SECTOR: A RELUCTANT PARTNER IN CYBERSECURITY 99
against five members of the People’s Liberation Army’s Shanghai cyberunit
and alleged that the hackers infiltrated the computer networks of several
American corporations.[38] Among these were Allegheny Technologies,
which provides “materials and components” to a diverse group of clients
including defense contractors; and Alcoa, which manufactures a range of
materials used in defense.[39] In the past, General Dynamics, Boeing, Lockheed
Martin, Raytheon, and Northrop Grumman—the United States’ leading
defense contractors[40]—have all fallen victim to hackers. And a cyber-espionage
operation against Lockheed Martin in 2007 made it possible for China to
steal design details of the F-35 Lightning II, which were subsequently used
to develop China’s J-20 stealth fighter plane.[41]
Moreover, the private sector is responsible for supplying and maintaining
much of the technology, which includes information technology, used
by the government. The computers and software used by the Department
of Defense—and other federal agencies—are themselves designed,
manufactured, and often serviced by the private sector. Prior to the 1990s,
the Pentagon used in-house programmers to design secure software tailored
to the military’s needs. However, the military has since increasingly
shifted to off-the-shelf commercial software as a means of cutting costs
and satisfying Congress, which seems to be influenced by private sector
lobbying.[42] These technologies are vulnerable not only because they are
produced in the private sector, but also because the private sector often
sources its equipment and components overseas—which includes China.
Third, the private sector is responsible for the maintenance of much of the
United States’ critical infrastructure, including energy, telecommunications,
transportation, health services, and banking and finances. Without the
private sector’s willing adoption of stronger cybersecurity measures,
these critical services remain vulnerable to kinetic cyber attacks. On
June 6, 2014, the Financial Stability Oversight Council released a report
that shows that the financial industry is vulnerable to cyber attacks. It
held that “cyber incidents that disrupt, degrade, or impact the integrity
and availability of critical financial infrastructure . . . [could] threaten
the stability of the financial system.”[43] Another June 2014 report from
the Government Accountability Office cautioned that “maritime security
plans required by law and regulation generally [do] not identify or address
potential cyber-related threats.” Thus, private “maritime stakeholders” at
U.S. ports, which handle more than $1.3 trillion in goods per year, remain
vulnerable to cyber attacks, which could shut down business communications,
disable physical security systems, and more.[44]
In short, the difference between the public and private sectors is much
smaller than is often assumed in public discourse.[45] There can be no
reliable cybersecurity in the public realm unless there is also heightened