China 2, U.S. Zero

The American response to Chinese cyberespionage is going to backfire.

Homeland Security Secretary Janet Napolitano testifying on cybersecurity

Photo by Win McNamee/Getty Images

This week saw a concerted effort by top government officials to call out China as a major threat actor in cyberspace. On Monday, March 11, Obama’s national security adviser Tom Donilon said in remarks before the Asia Society in New York City: “Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyberintrusions emanating from China on an unprecedented scale. The international community cannot tolerate such activity from any country.”

The next day, Director of National Intelligence James Clapper delivered his Worldwide Threat Assessment to the Senate Select Committee on Intelligence and said: “China is supplementing its more advanced military capabilities by bolstering maritime law enforcement to support its claims in the South and East China Seas. It continues its military buildup and its aggressive information-stealing campaigns.”

That same day, Gen. Keith Alexander, the commander of U.S. Cyber Command and director of the National Security Agency, announced in testimony before Congress that CYBERCOM is creating 13 offensive teams “to help defend the nation against major computer attacks from abroad” while “twenty-seven other teams would support commands such as the Pacific Command and the Central Command as they plan offensive cyber capabilities.” The specific mention of Pacific Command was clearly intended as a message for the Chinese government.

These are just the latest attempts by the Obama administration, Congress, and the Defense Department to portray China as the primary villain in the rampant theft of America’s intellectual property. This message, which they have been pushing for the last few years, has been supplemented and fueled in part by information security firms like Mandiant, whose ex–Air Force founders have built their business on countering the APT (Advanced Persistent Threat)—an Air Force code word for China that Mandiant adopted as a way to describe who is behind the massive theft of U.S. trade secrets and IP. Mandiant’s credentials have been bolstered recently by the New York Times: First, the paper hired the firm to respond to attacks on its website that apparently came from China. Then, last month, the Times highlighted a report from Mandiant that named a People’s Liberation Army unit as the culprit behind years of attacks against 141 companies.

The momentum generated by this singular focus on China has been exploited by senators and members of Congress with their own reasons for pushing cybersecurity legislation. At one point, more than 60 separate bills were being floated, and all of them used Chinese cyberattacks as a lever to gain support. None have passed both houses yet, so the president signed his own executive order on cybersecurity back on Feb. 12, 2013, which called for more information sharing between the public and private sectors and stated the intention to collaborate on the development of risk-based standards. It is a good first effort but not sufficient to make a difference in helping U.S. companies stem the tide of attacks.

Unfortunately, this cascade of enmity directed against China doesn’t stand up under scrutiny. Yes, China does engage in these activities. But a) so do many other nations including Russia, France, and Israel and b) we still haven’t solved the attribution problem—that is, determined who is actually attacking us. Any foreign intelligence service worth its salt would conceal its cyberespionage operations by making it look like they came from Chinese IP addresses, since China is everyone’s first guess anyway and since Chinese-based servers are so easy to gain access to.

Furthermore, the anti-China rhetoric clashes with the current practices of many U.S. businesses. For example, the U.S. government rails against Huawei as a security threat, but it has purchased thousands of Huawei-made products under the brand name Huawei-Symantec that are in use today across the federal government, including Department of Defense and the Department of Justice. If Huawei is such a threat, why are we buying their products under the Huawei-Symantec brand? They’re still made in China by the same company that the U.S. government has blocked purchases from.

While Mandiant builds its business on defending companies against Chinese hackers who reportedly work for the People’s Liberation Army, GE (for whom Mandiant does data forensics and incident response) continues to expand its presence in China, including R&D on the smart grid—an essential part of U.S. critical infrastructure. This is one of the most surprising and troubling examples of this anti-China direction. The PLA has contingency plans to attack U.S. critical infrastructure if they believe a military strike by the United States is imminent. Yet here’s GE building a key component of our critical infrastructure in China, using Chinese engineers who have trusted access to GE’s network. Who needs hackers when you work for the target company?

Dell, Intel, and HP have also made major investments in China, and all three have acquired information security firms—SecureWorks, McAfee, and Fortify, respectively. So these U.S. multinationals not only see China as a required region of the world to do business in; they also have intimate knowledge of the security risks, thanks to their acquisitions of SecureWorks, McAfee, and Fortify.* Yet none of them is leaving China—all have indicated their commitment to expand their presence there, which includes operating their R&D labs. In fact, more than 1,200 foreign R&D firms operate inside China, which means that they hire Chinese engineers; use China Telecom, China Unicom, and China Mobile for all of their communications (which the state supervises and monitors); use Chinese vendors to clean their offices, shred their documents, and provide other services, which grant them trusted access; and essentially lay bare their intellectual property and trade secrets for the taking.

Business interests generally dictate government policies, thanks to political fundraising and the virtually unlimited bank accounts of lobbyists. The effectiveness of the U.S. Chamber of Commerce stands witness to that, and even though it’s also been a victim of a China-attributed hacking attack, it continues to engage with China. The anti-China sentiment on the Hill, in the Pentagon, and at the White House clashes with the pro-China business policies of major U.S. companies, including those with very active in-house security operation centers. Beijing surely knows about this disconnect—and that makes the U.S. strategy look weak or inferior.

China and Russia have long advocated for a treaty that would establish an international code of conduct for information security—something that the United States has always opposed. Now, in light of increased U.S. accusations that China is engaging in massive amounts of cyberespionage, China has offered to “have constructive dialogue and cooperation on this issue with the international community including the United States to maintain the security, openness and peace of the Internet.” If accepted by the United States—and it’s hard to imagine that after all this saber-rattling, America would say no to the offer—China will have finally gotten what it has wanted for several years: an international code of conduct that would really be used to control dissent under the guise of attacking illegal activities (like hacking) in cyberspace.

A better approach might be for the federal government to quietly encourage U.S. companies to take steps to harden their networks against low-level attacks (which will shrink the attack surface); identify, segregate, and monitor their crown jewels (which will make it harder for any adversary, including China, to steal them); and engage with China and Russia against a mutual enemy (mercenary hacker crews). This eliminates the rhetoric and focuses on collaboration—a requirement, since the U.S. is never going to make good on threats against the single biggest holder of U.S. debt and a vital market for U.S. multinationals.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

Correction, March 15, 2013: This article originally stated incorrectly that HP had acquired McAfee. Intel purchased McAfee, while HP has acquired Fortify Software.