James Andrew Lewis
By James Andrew Lewis
If you work in Washington — on Capitol Hill or on K Street, at a law firm or at a think tank — you’ve probably been hacked. If you work at a major American company, you’ve probably been hacked, too. The penetration of US computer networks by Chinese hackers has been going on for more than three decades. It’s good that it is finally getting attention. But with that spotlight have come exaggeration and myths that need to be discarded.
1. We are in a cyber cold
war with China
We are not in a war — cold, cool or hot — with China in cyberspace. There have been none of the threats, denouncements or proxy conflicts that characterize a cold war. In fact, the Obama administration appears to be omitting any mention of the Chinese military in recent high-profile speeches on Chinese hacking. After Treasury Secretary Jack Lew met recently with top Chinese officials in Beijing, he told reporters there that cyberattacks and cyberespionage are a “very serious threat to our economic interests.”
“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions — for instance, the blocking of a Falun Gong site hosted at the University of Alabama — China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so.
Trying to cram Chinese hackers into antiquated cold war formulas doesn’t help, either. America’s relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence. The idea of “containment” for China is inane. How would you “contain” a major economic partner?
2. China’s hackers are unstoppable cyber-warriors
The problem isn’t that the Chinese are so skilled; it’s that US companies are so inept. A survey I published last month found that more than 90 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and that 85 percent went undetected for months — another sign of lax security. (One more sign: They were usually discovered by an outsider rather than the victimized company.)
There is debate within the US intelligence community about whether the Chinese have more sophisticated cyber attackers waiting in the wings or whether we’ve seen the best they can do. But it’s clear that so far, they haven’t had to bring their A-game to break into our networks.
3. China is poised to launch crippling attacks on crucial U.S. infrastructure.
US President Barack Obama’s State of the Union address included a line about how “our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic-control systems.” Similarly, a recent report by the security firm Mandiant suggested that China’s hackers are increasingly focused on companies with ties to US critical infrastructure.
In peacetime, however, China is no more likely to launch a cyber attack on American infrastructure than it is to launch a missile at us. It has no interest in provoking a war it couldn’t win or in harming an economy it depends on. Even in wartime, China would want to avoid escalation and would be more apt to launch cyber attacks on the Pacific Command or other deployed U.S. forces than on domestic American targets.
China would attack civilian infrastructure only in extremis — if the survival of its regime were threatened.
4. Cyber-espionage causing the greatest transfer of wealth in history
This claim has been repeated by the likes of the head of US Cyber Command. It’s a dramatic way to describe the theft, mainly by China, of American intellectual property, but it doesn’t make economic sense. Putting a dollar value on the “loss” from cyber espionage is very difficult, and many estimates are wild guesses.
A reasonable assessment would be that it costs the United States no more than $100bn a year and perhaps much less — what some economists would describe as a rounding error in our $15 trillion economy. This is not death by a thousand cuts. It probably isn’t even slowing the US economy.
Even when China steals intellectual property, it can take years to turn it into a competitive advantage. The right technical skills and manufacturing base are needed to turn advanced designs into high-end competitive products. China is still lagging in many high-tech arenas, such as semiconductors.
The one area where this is not true is military technology. Chinese espionage has led to rapid improvements in that country’s stealth, submarine quieting, nuclear weapons and sensor technologies. While the economic risk from cyber espionage is generally overstated, the United States has probably underestimated the damage to its lead in military technology.
5. America spies on China, too, so what can we complain about?
Chinese officials portray their country as a victim of hacking. Meanwhile, some American scholars question whether the United States is in a position to criticize, since it also engages in cyber espionage. “Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs,” law professor Jack Goldsmith wrote. That misstates the issue.
The Internet, poorly secured and poorly governed, has been a tremendous boon for spying. Every major power has taken advantage of this, but there are unwritten rules that govern espionage and China’s behaviour is out of bounds. Where Beijing crosses the line is in economic espionage: stealing secrets from foreign companies to help its own. China also out-matches all other countries in the immense scale of its spying effort, and the United States is far from the only nation to have suffered.
The United States, by contrast, does not engage in economic espionage. As one Chinese official put it in recent talks at the Centre for Strategic and International Studies: “In America, military espionage is heroic and economic espionage is a crime, but in China the line is not so clear.” The United States and other countries need to make that line clearer and discourage China from crossing it.
(James Andrew Lewis is a senior fellow and director of the technology and public policy programme at the Centre for Strategic and International Studies).
WP-BLOOMBERG
By James Andrew Lewis
If you work in Washington — on Capitol Hill or on K Street, at a law firm or at a think tank — you’ve probably been hacked. If you work at a major American company, you’ve probably been hacked, too. The penetration of US computer networks by Chinese hackers has been going on for more than three decades. It’s good that it is finally getting attention. But with that spotlight have come exaggeration and myths that need to be discarded.
1. We are in a cyber cold
war with China
We are not in a war — cold, cool or hot — with China in cyberspace. There have been none of the threats, denouncements or proxy conflicts that characterize a cold war. In fact, the Obama administration appears to be omitting any mention of the Chinese military in recent high-profile speeches on Chinese hacking. After Treasury Secretary Jack Lew met recently with top Chinese officials in Beijing, he told reporters there that cyberattacks and cyberespionage are a “very serious threat to our economic interests.”
“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions — for instance, the blocking of a Falun Gong site hosted at the University of Alabama — China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so.
Trying to cram Chinese hackers into antiquated cold war formulas doesn’t help, either. America’s relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence. The idea of “containment” for China is inane. How would you “contain” a major economic partner?
2. China’s hackers are unstoppable cyber-warriors
The problem isn’t that the Chinese are so skilled; it’s that US companies are so inept. A survey I published last month found that more than 90 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and that 85 percent went undetected for months — another sign of lax security. (One more sign: They were usually discovered by an outsider rather than the victimized company.)
There is debate within the US intelligence community about whether the Chinese have more sophisticated cyber attackers waiting in the wings or whether we’ve seen the best they can do. But it’s clear that so far, they haven’t had to bring their A-game to break into our networks.
3. China is poised to launch crippling attacks on crucial U.S. infrastructure.
US President Barack Obama’s State of the Union address included a line about how “our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic-control systems.” Similarly, a recent report by the security firm Mandiant suggested that China’s hackers are increasingly focused on companies with ties to US critical infrastructure.
In peacetime, however, China is no more likely to launch a cyber attack on American infrastructure than it is to launch a missile at us. It has no interest in provoking a war it couldn’t win or in harming an economy it depends on. Even in wartime, China would want to avoid escalation and would be more apt to launch cyber attacks on the Pacific Command or other deployed U.S. forces than on domestic American targets.
China would attack civilian infrastructure only in extremis — if the survival of its regime were threatened.
4. Cyber-espionage causing the greatest transfer of wealth in history
This claim has been repeated by the likes of the head of US Cyber Command. It’s a dramatic way to describe the theft, mainly by China, of American intellectual property, but it doesn’t make economic sense. Putting a dollar value on the “loss” from cyber espionage is very difficult, and many estimates are wild guesses.
A reasonable assessment would be that it costs the United States no more than $100bn a year and perhaps much less — what some economists would describe as a rounding error in our $15 trillion economy. This is not death by a thousand cuts. It probably isn’t even slowing the US economy.
Even when China steals intellectual property, it can take years to turn it into a competitive advantage. The right technical skills and manufacturing base are needed to turn advanced designs into high-end competitive products. China is still lagging in many high-tech arenas, such as semiconductors.
The one area where this is not true is military technology. Chinese espionage has led to rapid improvements in that country’s stealth, submarine quieting, nuclear weapons and sensor technologies. While the economic risk from cyber espionage is generally overstated, the United States has probably underestimated the damage to its lead in military technology.
5. America spies on China, too, so what can we complain about?
Chinese officials portray their country as a victim of hacking. Meanwhile, some American scholars question whether the United States is in a position to criticize, since it also engages in cyber espionage. “Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs,” law professor Jack Goldsmith wrote. That misstates the issue.
The Internet, poorly secured and poorly governed, has been a tremendous boon for spying. Every major power has taken advantage of this, but there are unwritten rules that govern espionage and China’s behaviour is out of bounds. Where Beijing crosses the line is in economic espionage: stealing secrets from foreign companies to help its own. China also out-matches all other countries in the immense scale of its spying effort, and the United States is far from the only nation to have suffered.
The United States, by contrast, does not engage in economic espionage. As one Chinese official put it in recent talks at the Centre for Strategic and International Studies: “In America, military espionage is heroic and economic espionage is a crime, but in China the line is not so clear.” The United States and other countries need to make that line clearer and discourage China from crossing it.
(James Andrew Lewis is a senior fellow and director of the technology and public policy programme at the Centre for Strategic and International Studies).
WP-BLOOMBERG
