Cyber Attacks—What’s the Best Response?

A ChinaFile Conversation

With regular ChinaFile Conversation contributor Elizabeth Economy on the road, we turned to her colleague Adam Segal, Maurice R. Greenberg Senior Fellow for China Studies at the Council on Foreign Relations in New York. Segal said that “the time for naming and shaming has passed. That strategy is clearly not working.”

Even if the Obama Administration plans to make it clearer to the incoming leadership in Beijing that cybersecurity is significant to bilateral relations between the world’s two largest economies, the U.S. must take more concrete actions to solve the problem, Segal said in a telephone interview.

“First, the U.S. government has to put some of its own cards on the table in addition to those laid out by Mandiant,” Segal said, referring to the Virginia-based information security firm whose February 19 report labeled a unit of China’s People’s Liberation Army an “Advanced Persistent Threat” of the highest order. “I suspect that the U.S. has better intelligence than Mandiant.”

Indeed, last October, outgoing Defense Secretary Leon Panetta, in a speech to the Business Executives for National Security, said that attribution is getting easier, which was clearly meant as a deterrent to Chinese and other hackers. But that hasn’t happened yet, Segal said, adding that it must if American businesses are to be shielded from cyberespionage that threatens to undermine the American competitive edge. “Thus far, the U.S. and China are dealing through proxies in this war of words. We’ve been relying on Mandiant and the press to deliver the message, which is an effective tool to avoid making the issue too hot,” Segal said. “But it’s not an effective way to solve the problem.”

If other countries—Russia, Israel, France, and the U.S. itself, to name but a few—are known to engage in cyber espionage, why all the attention on China now? Segal says that China is in the hot seat because while U.S. law makes it illegal to engage in industrial espionage, China does not recognize any distinction between economic espionage and military espionage or spying for the good of the nation. “China is trying to move up the value chain in the world economy, partly through cyber espionage. This is a threat to U.S. economic competitiveness,” Segal said. “While Israel, France, and Russia may also be involved in these practices, it’s about the pure scale of the attacks from China.”

Why, then, if it’s about safeguarding intellectual property and economic competitive edge, might some of the attacks have been aimed at private firms that are linked to computer system controls of America’s energy grid?

“In that case, the hacking is not going after industrial information but is China sending a message of deterrence. If there’s a conflict over islands in the South China Sea, China wants Washington to understand that if they wished to they could see to it that the U.S. homeland also could be compromised.” This is dangerous, Segal said, because while the U.S. has said the law of international armed conflict applies to cyberspace, China has signaled that cyberspace should be considered a new kind of turf altogether, one that requires new regulations.

“The potential for misperception is great, because we don’t really know what set of assumptions under which the Chinese are operating.”

Comments

My reaction might be disappointing to those hoping for a roiling online debate, but I actually agree with the big picture presented by Adam Segal.

The big picture is that this issue is an awkward match for any kind of “name and shame” policy from the U.S. It’s awkward because the U.S. undoubtedly has, but doesn’t want to discuss, its own cyber capabilities that are even more advanced. Without implying any broader parallels, this is like the straddle Israel must carry out in denouncing Iran’s nuclear ambitions without getting into detail about its own nuclear capabilities. It is awkward because the U.S. government doesn't want to reveal everything it knows about Chinese intrusions. It is awkward because so much is—or seems from the outside—uncertain about the degree of military coordination and central-government-purposefulness in these assaults. And it’s awkward because the long history of U.S.-China interactions suggests that public scolding does very little good and usually backfires, because it turns disagreements into matters of national pride and "face."

Thus the frustrating conclusion that the right next step for the U.S. government is to add this to the very long list of items for month-by-month effort, pressure, negotiation, and horse-trading in the Strategic/Economic Dialogues and all the other tiers of interaction between the two governments. As always, the U.S. fares better in these talks when it can urge China to meet “international” standards, rather than knuckling under to some “hegemonic” American demand. That’s what the U.S. has been doing for years on currency issues, intellectual property questions, environmental issues, and so on. The recent publicity focused on cyber-war has the valuable effect of moving this item to the top tier of that list. 

That’s for the government. What corporations should do is be hyper-wary (details another time). And the most valuable single thing that individuals can do is turn on “two-step” security procedures, like those offered by Gmail, for any online dealings they would like to protect. That’s not full protection but it is an important start.

I saw a statement published on China's Ministry of National Defence official website. It called into question the evidence put forth by The New York Times story, saying, “The report, in only relying on linking IP addresses to reach the conclusion the hacking attacks originated from China, lacks technical proof.”

In the meantime, Chinese netizens have quickly found further evidence to support the Times’ story—a 2004 notice, still viewable on the website of Zhejiang University (at the time of this post, anyway), titled “China’s People’s Liberation Army Unit 61398 Recruiting Graduate Students.” The translation of this recruiting notice is now on the China Digital Times.

 

Both Adam and Jim make very good points. A big question is whether the U.S. response we are seeing will stop at “name and shame” or if there is much more going on in the background, either through the presentation of much more evidence to Chinese authorities or actions against individuals and other targets in China to show the U.S. is not a cyber-patsy, all in an attempt to induce behavior modification and get the cyber activities into a smaller zone that generally matches what other countries such as the U.S. do.

Name and shame alone will not work. There is, of course, risk to a more robust response. If the Chinese feel backed into a corner we may see near-term behavior modification while it redoubles efforts to never be put in such a position again. To deal with the “Third Taiwan Straits Crisis” in 1995-96 the U.S. sent two aircraft carrier battlegroups into the area and things calmed down. But that move arguably influenced a generation of military officers and strategists and contributed to a much deeper resolve to develop weapons to counter U.S. power to avoid ever being humiliated by the U.S. like that again.

We must also consider China’s domestic political situation. Xi Jinping has just taken over and he has been spending a lot of time with the P.L.A. and pushing it to become stronger and more professional. If the Mandiant allegations are true, and the U.S. response is robust enough to force at least a near-term reduction of activities, we should not expect the Chinese response to be to just stop. More likely we will see even more resentment and animosity towards the U.S. and an increase in efforts to develop much stronger cyber capabilities.

Neither of the issues cited in the previous two paragraphs are reasons for the U.S. to not respond. But we need to recognize that while there is obviously a lot of risk to the U.S. in not doing anything, there is also much risk in a robust response as well. I would expect that the Obama administration weighed its options very carefully and perhaps decided that things have gotten so bad that delaying a muscular response was far more dangerous. Whatever is really going on, this is a very difficult situation that has me increasingly worried we will see a much more tense U.S.-China relationship going forward.

Cyber attacks will not stop, and U.S. companies and organizations need to do a much better job of protecting their data. For many companies data now is one of their key assets, just as cash in a vault is a bank’s key asset. Can you imagine a bank locking its front doors with a bicycle lock and leaving the cash in cardboard boxes around the offices? Of course not, but that is what many corporations and institutions are effectively doing with their data.

Some interesting insights from a Chinese information security expert about cyber-attacks that China has suffered in recent times. In an article in the Communist Youth League last December, Prof. Liu Jianwei of the Beihang University's School of Electronic and Information Engineering pointed out that around 10,500 Chinese websites had been attacked and paralyzed in 2011, and one-third of these attacks originated from the U.S. While these attacks are different from the espionage activities spotlighted in the Mandiant report, it does indicate that the Chinese cyber community sees the U.S. as a major if not the biggest threat to China's cyber-security. Moreover, a report by a Chinese government think-tank noted that China only has around 40,000 cyber-security professionals working in its information security industry as of late 2012, but that actual demand is more than 12 times that number at 500,000. This indicates that China is highly vulnerable to cyber-attacks. Given such chronic cyber vulnerabilities in China and the U.S., there does appear to be some common ground for the two countries to come together to tackle their shared problems, although this is unlikely in this politically hostile climate.