The US government is ratcheting up its rhetoric against China, claiming that state-sponsored Chinese hackers are involved in massive-scale campaigns to steal trade secrets over the Internet. The Chinese government denies this, of course, while claiming that it has discovered numerous attacks against its networks and infrastructure originating from the United States.
The allegations fired back and forth between the world's two largest economic powers are largely true, of course. As we have reported, network spying has been taking place for years. (See: America's Declared (& Undeclared) Cyberwar.) It is also a modern extension of classic cross-border espionage and spying, which is considered to be the second-oldest profession. But recently, cyberattacks by foreign governments, especially from China, seem to have emerged as an unprecedented threat, according to vocal outcries by US officials and a surge in media coverage about the "China hacking menace."
In the worst possible outcome, the war of rhetoric could lead to an all-out cyber war that ends the relative freedoms of data exchange. (Source: George Thomas, Flickr)
Without condoning trade secret theft by China or any other country, I feel the agendas of those responsible for inciting a call to arms in the United States to combat China's covert cyberwar against US intellectual property interests need to be carefully scrutinized. Lobbying groups and elected officials representing those hurt by the flow of technology and jobs from the United States to other countries, especially to China, certainly have a stake in playing up fears about purported cyberthreats.
However, something to watch out for is when politicians start to use false or dubious allegations to play on the fears of the populace as an excuse to restrict or more tightly control cross-border exchanges of data with China or any other country.
One worrisome example of a largely unfounded allegation against China is the publication of a report from US-based security firm Mandiant about alleged Internet attacks by the Chinese army. While Mandiant's allegations are worrisome on the surface, they are not completely grounded in fact, according to South Africa-based security firm Thinkst. (See: Cyberwarfare & the Battle to Protect Supply Chain Data.)
According to Mandiant, a China-based army unit of hackers is behind the so-called "APT1" attacks, which it says have involved over 1,900 assaults targeting mainly US and Canadian networks. Over 97 percent of the attacks originated from IP addresses in the Shanghai region, where Mandiant estimates there are possibly hundreds of hacker operatives involved.
But according to Thinkst, Mandiant's metrics are at fault. The main issue is that Mandiant failed to conclusively demonstrate that the IP addresses corresponded to a single organization, which has set a dangerous precedent. Thinkst writes:
We are not saying the Chinese government does not hack the US. Our concern is with this specific report; it is the first concrete public attribution of ongoing espionage against the US, and, if the report sets the standard for attribution, future events will be highly muddled as competing hypotheses all meet the low standard set out in Mandiant's APT1 report. Unfortunately it seems that contrary opinions are being subjected to a level of diatribe usually reserved for arguments of faith, not facts.
Following the publication of Mandiant's report in February, the US State Department published "Administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets," which outlines policy measures and proposals to help organizations protect their data from foreign attacks. Both reports were released just a few days after The New York Times reported that a group of hackers originating from China had penetrated its networks.
The US government outlines voluntary and seemingly benign best practices to help organizations protect their sensitive data in "Theft of U.S. Trade Secrets." But what happens when elected officials decide to take the next step and force organizations to follow certain procedures?
The risk arises when lobbyists convince Congress to create mandates that require organizations to spend a lot of money on software or hardware they do not want or need in the name of security. Congress might also mandate that companies with supply chain partners in China follow unreasonable and expensive compliance procedures beyond the alphabet soup of regulatory compliance protocols that organizations must already follow when exchanging and storing data abroad.
Heavy-handed laws and regulations put in place under the guise of blocking Chinese hackers from stealing trade secrets would have obvious implications for supply chains that rely on cross-border data exchange over the Internet. And they would almost certainly prompt Beijing to retaliate, at a minimum by regulating and censoring data communications more heavily than it already does.
In the worst possible outcome, the war of rhetoric and empty allegations could lead to an all-out cyberwar levied multilaterally, while ending the relative freedom of data exchange that we have come to expect from the Internet.
Organizations are rightfully concerned about losing their competitive edge when hackers steal data over the Internet and obviously hope the government has a plan in place to head off these kinds of thefts in an appropriate way. But forcing organizations to comply with stricter and obtrusive laws and regulations that do not help much, based on irrational fear mongering, is not a viable solution.
Hopefully, Washington will taper off its war of words and learn how to better nab and shut down black hat hacker networks that operate from China or anywhere else, in a way that remains transparent and unobtrusive to the non-combatants.