We’ve known for a long time that hackers in China have been responsible for massive intrusions into both government and commercial networks in the U.S. Most recently, the New York Times, Washington Post, and Wall Street Journal all reported sustained Chinese spying on their networks.
Now, working with Mandiant, the firm it hired to investigate the attacks, the Times has collected and published conclusive evidence of official Chinese involvement in the hacking (full Mandiant report here). Specifically, the efforts all seem to be coming from a Shanghai office building that houses People’s Liberation Army Unit 61938.
The question now is what are we going to do about it? And what is the role of the tech industry in dealing with the problem?
Spying is a reality. Countries, even friendly countries, spy on each other. But there are limits to acceptable espionage behavior, and the Chinese has gone well beyond them. The most problematic behavior described in the Mendiant report is the PLA’s role in the theft of massive amounts of intellectual property from U.S. companies, presumably for the benefit of Chinese competitors.
The U.S. government can and should step up efforts to improve Chinese behavior. For a long time, I believed that as Chinese industry developed and Chinese companies began developing valuable IP of their own, the nation would come to have an interest in an international rule of law. This same belief shaped U.S. policy under both Democratic and Republican administrations and was a major reason that the U.S. supported Chinese membership in the World Trade Organization more than a decade ago. It hasn’t worked.
The revelation of the PLA’s role—hardly unexpected—in the attacks may be grounds for a strong demarche from Washington to Bejing, but it is not going to change the fundamental economic and political relationship between the two countries. Our economies are too deeply entangled and our security interests too enmeshed for open hostility to be desirable, or even possible.
So beyond hoping for China to clean up its act, what should we do? The best answer lies in a much better defense, but that is going to require some significant changes in attitudes. Much of U.S. business still is not very serious about information security. Witness the endless vulnerabilities to attacks far less determined and sophisticated than those mounted by government entities. Business, including the tech industry, has mightily resisted any efforts to impose security regulations, but it has failed badly to act on its own. If it takes regulation to get the job done, so be it.
But the government also needs additional weapons in this fight. The reintroduction of the Cyber Intelligence Sharing and Protection Act provides the platform for a healthy debate on the subject. Last year, unfortunately, CISPA became hopelessly conflated with the Stop Online Piracy Act, and the notion has now pervaded much of the tech world that because SOPA was an awful idea, all measures designed to protect IP are bad. There are problems with CISPA, particularly with respect to privacy protections for individuals, but the charge echoed in many quarters of the tech world that it is “son of SOPA” (this, for example, from BoingBoing) are misguided. Instead of mounting knee-jerk opposition, the tech community should work to make it a better bill that will help the government deal with real threats.
The government also needs to refocus its priorities. There has been far too much talk of “cyberwar” and far too little of “cybercrime.” The U.S. does need to act to protect vital infrastructure from electronic attack, but the threat as of now is purely notional. It is hard to imagine a state—even an Iran or a North Korea—committing an act of naked cyber-aggression against the United States, because any serious attack on infrastructure has to be regarded as an act of war. To quote the late Omar Little, “You come at the king, you best not miss.” The chances that any state could successfully launch a knockout cyber-blow are vanishingly small. And it is difficult to conceive of a non-state opponent, which would have less to fear from retaliation, with the wherewithal to do serious damage.
On the other hand, the threats to U.S. assets are real and on-going, and their sponsorship by the government (or the PLA, to the extent there’s a difference) are becoming impossible to deny. If gangs sponsored by the Chinese (or Russian, or Canadian) government were robbing banks in the U.S., you can bet the FBI and the banking industry would be working together to end the assault. A similar concerted effort needs to get top priority, both in Washington and in corporate boardrooms.
The reality is the even the best defense will not completely protect us against the online theft of assets. Attackers have too big an inherent advantage in this game, mostly because it is impossible to fulluy secure systems without destroying their usefulness. But the threats can be mitigated significantly, and it’s time we got cracking.