Jeffrey Carr
The US administration is trying to portray China as the primary villain in the rampant theft of America’s intellectual property.
By Jeffrey Carr
Last week saw a concerted effort by top government officials to call out China as a major threat actor in cyberspace. On Monday, March 11, Obama’s national security adviser Tom Donilon said in remarks before the Asia Society in New York City: “Increasingly, US businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot tolerate such activity from any country.”
The next day, Director of National Intelligence James Clapper delivered his Worldwide Threat Assessment to the Senate Select Committee on Intelligence and said: “China is supplementing its more advanced military capabilities by bolstering maritime law enforcement to support its claims in the South and East China Seas. It continues its military buildup and its aggressive information-stealing campaigns.”
That same day, General Keith Alexander, Commander of US Cyber Command and Director of the National Security Agency, said in testimony before Congress that CYBERCOM is creating 13 offensive teams “to help defend the nation against major computer attacks from abroad” while “twenty-seven other teams would support commands such as the Pacific Command and the Central Command as they plan offensive cyber capabilities.” The specific mention of Pacific Command was clearly intended as a message for the Chinese government.
These are just the latest attempts by the Obama administration, Congress and the Defence Department to portray China as the primary villain in the rampant theft of America’s intellectual property. This message, which they have been pushing for the last few years, has been supplemented and fuelled in part by information security firms like Mandiant, whose ex-Air Force founders have built their business on countering the APT (Advanced Persistent Threat) — an Air Force code word for China that Mandiant adopted as a way to describe who is behind the massive theft of US trade secrets and IP. Mandiant’s credentials have been bolstered recently by the New York Times: First, the paper hired the firm to respond to attacks on its website that apparently came from China. Then, last month, the Times highlighted a report from Mandiant that named a People’s Liberation Army unit as the culprit behind years of attacks against 141 companies.
The momentum generated by this singular focus on China has been exploited by senators and members of Congress with their own reasons for pushing cyber security legislation. At one point, more than 60 separate bills were being floated, and all of them used Chinese cyber attacks as a lever to gain support. None have passed both houses yet, so the president signed his own executive order on cyber security back on February 12, 2013, which called for more information sharing between the public and private sector and the intention to collaborate on the development of risk-based standards, a good first effort but not sufficient to make a difference in helping US companies stem the tide of attacks.
This cascade of enmity directed against China doesn’t stand up under scrutiny. Yes, China does engage in these activities. But so do many other nations including Russia, France and Israel, and we still haven’t solved the attribution problem — that is, determined who is actually attacking us. Any foreign intelligence service worth its salt would conceal their cyber espionage operations by making it look like they came from Chinese IP addresses since China is everyone’s first guess anyway and since Chinese-based servers are so easy to gain access to.
The anti-China rhetoric clashes with the current practices of many US businesses. For example, the US government rails against Huawei as a security threat, but it has purchased thousands of Huawei-made products under the brand name Huawei-Symantec that are in use today across the federal government, including the Department of Defence and the Department of Justice. If Huawei is such a threat, why are we buying their products under the Huawei-Symantec brand? They’re still made in China by the same company that the US government has blocked purchases from.
While Mandiant builds its business on defending companies against Chinese hackers who reportedly work for the People’s Liberation Army, GE (for whom Mandiant does data forensics and incident response) continues to expand its presence in China, including R&D on the smart grid — an essential part of US critical infrastructure. This is one of the most surprising and troubling examples of this anti-China direction. The PLA has contingency plans to attack US critical infrastructure if they believe a military strike by the US is imminent. Yet here’s GE building a key component of our critical infrastructure in China, using Chinese engineers who have trusted access to GE’s network. Who needs hackers when you work for the target company?
Dell, Intel and HP have made major investments in China, and have acquired information security firms — SecureWorks, McAfee and Fortify, respectively. So they not only see China as a region to do business in, they also have knowledge of the security risks. Yet none is leaving China — all have indicated their commitment to expand their presence there, which includes operating their R&D labs. More than 1,200 foreign R&D firms operate inside China, which means that they hire Chinese engineers; use China Telecom, China Unicom and China Mobile for all of their communications (which the state supervises and monitors); use Chinese vendors to clean their offices, shred their documents and provide other services, which grant them trusted access; and essentially lay bare their intellectual property and trade secrets for the taking.
Business interests generally dictate government policies, thanks to political fundraising and the virtually unlimited bank accounts of lobbyists. The effectiveness of the US Chamber of Commerce stands witness to that, and though it’s also been a victim of a China-attributed hacking attack, it continues to engage with China. The anti-China sentiment on the Hill, in the Pentagon, and at the White House clashes with the pro-China business policies of major US companies, including those with very active in-house security operation centres. Beijing surely knows about this disconnect — and that makes the US strategy look weak or inferior.
China and Russia have long advocated for a treaty that would establish an international code of conduct for information security — something that the US has always opposed. Now, in light of increased US accusations that China is engaging in massive amounts of cyber espionage, China has offered to “have constructive dialogue and cooperation on this issue with the international community including the US to maintain the security, openness and peace of the Internet.” If accepted by the US, China will have finally gotten what it has wanted for several years: an international code of conduct that would really be used to control dissent under the guise of attacking illegal activities (like hacking) in cyberspace.
A better approach might be for the federal government to encourage US firms to take steps to harden their networks against low-level attacks (which will shrink the attack surface); identify, segregate and monitor their crown jewels (which will make it harder for any adversary, including China, to steal them); and engage with China and Russia against a mutual enemy (mercenary hacker crews). This eliminates the rhetoric and focuses on collaboration — a requirement, since the US will never make good on threats against the single biggest holder of US debt and a vital market for US multinationals.
WP-Bloomberg