Chinese Hacking: What Is To Be Done?

by Steve Wildstrom   |   February 20th, 2013

Photo pf People's Liberation Army parade (Wikimedia Commons)

We’ve known for a long time that hackers in China have been responsible for massive intrusions into both government and commercial networks in the U.S. Most recently, the New York Times, Washington Post, and Wall Street Journal all reported sustained Chinese spying on their networks.

Now, working with Mandiant, the firm it hired to investigate the attacks, the Times has collected and published conclusive evidence of official Chinese involvement in the hacking (full Mandiant report here). Specifically, the efforts all seem to be coming from a Shanghai office building that houses People’s Liberation Army Unit 61938.

The question now is what are we going to do about it? And what is the role of the tech industry in dealing with the problem?

Spying is a reality. Countries, even friendly countries, spy on each other. But there are limits to acceptable espionage behavior, and the Chinese has gone well beyond them. The most problematic behavior described in the Mendiant report is the PLA’s role in the theft of massive amounts of intellectual property from U.S. companies, presumably for the benefit of Chinese competitors.

The U.S. government can and should step up efforts to improve Chinese behavior. For a long time, I believed that as Chinese industry developed and Chinese companies began developing valuable IP of their own, the nation would come to have an interest in an international rule of law. This same belief shaped U.S. policy under both Democratic and Republican administrations and was a major reason that the U.S. supported Chinese membership in the World Trade Organization more than a decade ago. It hasn’t worked.

The revelation of the PLA’s role—hardly unexpected—in the attacks may be grounds for a strong demarche from Washington to Bejing, but it is not going to change the fundamental economic and political relationship between the two countries. Our economies are too deeply entangled and our security interests too enmeshed for open hostility to be desirable, or even possible.

So beyond hoping for China to clean up its act, what should we do? The best answer lies in a much better defense, but that is going to require some significant changes in attitudes. Much of U.S. business still is not very serious about information security. Witness the endless vulnerabilities to attacks far less determined and sophisticated than those mounted by government entities. Business, including the tech industry, has mightily resisted any efforts to impose security regulations, but it has failed badly to act on its own. If it takes regulation to get the job done, so be it.

But the government also needs additional weapons in this fight. The reintroduction of the Cyber Intelligence Sharing and Protection Act provides the platform for a healthy debate on the subject. Last year, unfortunately, CISPA became hopelessly conflated with the Stop Online Piracy Act, and the notion has now pervaded much of the tech world that because SOPA was an awful idea, all measures designed to protect IP are bad. There are problems with CISPA, particularly with respect to privacy protections for individuals, but the charge echoed in many quarters of the tech world that it is “son of SOPA” (this, for example, from BoingBoing) are misguided. Instead of mounting knee-jerk opposition, the tech community should work to make it a better bill that will help the government deal with real threats.

The government also needs to refocus its priorities. There has been far too much talk of “cyberwar” and far too little of “cybercrime.” The U.S. does need to act to protect vital infrastructure from electronic attack, but the threat as of now is purely notional. It is hard to imagine a state—even an Iran or a North Korea—committing an act of naked cyber-aggression against the United States, because any serious attack on infrastructure has to be regarded as an act of war. To quote the late Omar Little, “You come at the king, you best not miss.” The chances that any state could successfully launch a knockout cyber-blow are vanishingly small. And it is difficult to conceive of a non-state opponent, which would have less to fear from retaliation, with the wherewithal to do serious damage.

On the other hand, the threats to U.S. assets are real and on-going, and their sponsorship by the government (or the PLA, to the extent there’s a difference) are becoming impossible to deny. If gangs sponsored by the Chinese (or Russian, or Canadian) government were robbing banks in the U.S., you can bet the FBI and the banking industry would be working together to end the assault. A similar concerted effort needs to get top priority, both in Washington and in corporate boardrooms.

The reality is the even the best defense will not completely protect us against the online theft of assets. Attackers have too big an inherent advantage in this game, mostly because it is impossible to fulluy secure systems without destroying their usefulness. But the threats can be mitigated significantly, and it’s time we got cracking.

Tags:

Steve Wildstrom

Steve Wildstrom is veteran technology reporter, writer, and analyst based in the Washington, D.C. area. He created and wrote BusinessWeek’s Technology & You column for 15 years. Since leaving BusinessWeek in the fall of 2009, he has written his own blog, Wildstrom on Tech and has contributed to corporate blogs, including those of Cisco and AMD and also consults for major technology companies.
  • http://www.facebook.com/profile.php?id=1042792179 Brian M. Monroe

    One of the things that can be done right away is to use services like OpenDNS and updated browsers to add a layers of protection. Still, I agree with you that more attention needs to be paid to information security. The thing is that from what I have see, we do need to move forward to better ways to secure the end user devices and services than passwords.

  • http://www.facebook.com/profile.php?id=1131685622 Peter Buckton

    On the other hand…
    If companies and corporations can’t be bothered putting in sufficient safeguards for their own security, why should anyone else care.

    Imagining that passing a law, legislation, regulation, and the like is going to change anything, is naive at best. Embedded in Steve’s article seemed to be an assumption that the government could or should do “something”. Except that if appointing a czar or specialist dept actually worked, the “war on drugs” would have been won years ago. The government won’t win this war either. Instead, this is another way of saying – I want the problem to go “away”, I want some-one else to solve this for me.
    If anyone out there is actually seriously worried about Cyber-crime/spying, then it is their own problem to find a solution to. Form an industry grouping, institute internal reforms, look after your own back year. But imagining the government would/should/can help you is delusional.

    • steve_wildstrom

      It’s not so simple. Companies with poor information security practices don’t just jeopardize themselves. They expose customer and partner information, for example.

      I don’t believe the comparison to the war on drugs is relevant. The failure of drug policy is a discussion for another place and time, but the government has a significant role to play here. The National Security Agency and the National Institute of Standards & Technology have expertise in this area that vastly exceeds that of the private sector, but efforts to get private companies to adopt best practices have been very difficult.

      The federal sector has been making considerable strides moving from a security regime where performance was judged by the quality of the reports you filed to one where actual security performance is the criterion. But most of the private sector is lagging.

    • Rich

      “Imagining that passing a law, legislation, regulation, and the like is going to change anything, is naive at best.”

      In that case, let’s let people drive drunk all they want.

    • Air_Cav

      Peter, I disagree with you in every particular.

      The Chinese are using state supported espionage to attack both private and public concerns. This is no different than the PLA attacking a sovereign state or citizens of a sovereign state. Public and Private institutions should be able to utilize the services of their governments to redress a wrong.

      Setting aside the philosophical arguments for a moment, on a practical level the Chinese government has resources beyond the capability of an individual or corporation.