Tag Archives: cybersecurity

Personnel hack calls not for sanctions, but stronger and ‘active’ defense

My latest piece for Nikkei Asian Review builds on last week’s U.S.–China Week and argues that sanctions are not the answer for the Obama administration as it weighs a response to the hacking of U.S. government personnel data, allegedly by the Chinese government. Read the whole piece, but here are some highlights:

Given that primary defense has failed, however, widespread calls for retaliation are not surprising. One option is sanctions. In April, President Barack Obama issued an executive order threatening foreign individuals and entities with sanctions in response to “malicious cyber-enabled activities” that constitute a threat to “the national security, foreign policy and economy of the United States.” White House press secretary Josh Earnest said June 12 sanctions were a “newly available option … that is on the table” in response to the OPM hacks.

Levying economic sanctions against China in response to its efforts to gain access to a “legitimate foreign intelligence target,” however, would be misguided. To do so would invite economic retaliation not just from China but from other countries that are targets of similar U.S. efforts. It was never a secret that the U.S. government spies on foreign governments online, but Edward Snowden and other leakers have exposed those efforts in unprecedented detail.

But the loss of important government secrets calls for a different range of policy options. The best responses might be considered “active defense.” For instance, if a breach is detected while the intruders are still working, security officials might break into the intruders’ own systems to destroy or distort the stolen data. They might also target the same intruder’s other systems for disruption as a deterrent.

This kind of “active defense” is called for and expected in the world of espionage. Given news reports that the government only discovered the OPM intrusions after weeks or months, it seems less likely these measures would be effective. Unfortunately, the most realistic response now is to minimize the harm to those affected, increase accountability for maintaining secure systems, and more effectively compartmentalize data.


Full text: Speech by Minister Cai Mingzhao at #cybersummit2013, Nov. 5, 2013

The EastWest Institute released the full text of State Council Information Office Minister Cai Mingzhao’s speech this morning at Stanford. The following text was produced by optical character recognition based on the English-language PDF original. The Chinese version is available in PDF here.

Making Joint Efforts to Maintain Cyber Security

Keynote speech at the Fourth World Cyberspace Cooperation Summit
Cai Mingzhao
Minister of the State Council Information Office of China
November 5, 2013, Stanford University

Ladies and gentlemen, dear friends,

First of all, I would like to thank the EastWest Institute for inviting me to this summit, and giving me the opportunity to visit the beautiful campus of Stanford University. Today, I would like to share two of my aspirations with you. The first is that the Chinese people should have a safe and reliable cyberspace that provides them with positive energy as they strive to achieve their dreams. The second is that participants to this summit can reach a consensus on how to deal with the many challenges to cyber security and, through our joint efforts, make new progress in promoting international cooperation on this vital issue.

China first accessed the Internet on April 20, 1994 via facilities based in the United States. Ever since then, the Chinese people have derived enormous benefit from the Internet. There are more than 600 million Internet users in China today and the Internet has become indispensable in people’s work, study and everyday life. Popular access to the Internet has played a significant role in China’s reform and opening up efforts and helped to build and strengthen the connections between China and the rest of the world.

The Chinese government has been working hard to enhance Internet development by devising appropriate policies and providing a favorable market environment and a sound legal framework. We see the Internet as a major driving force that is helping to transform our development pattern and adjust our economic structure. Just recently, the government issued a policy designating information consumption as a major focus of the campaign to boost domestic demand. We will further improve the Internet infrastructure, pursue the “Broadband China” project, and try to achieve an annual 30-percent increase in new-type information consumption.

The development of the Internet in China is very encouraging. Internet-based IT businesses have become a pillar of the economy, contributing 10 percent of China’s GDP. In 2012, the value of e-business transactions carried out in China reached US$1.4 trillion. New web applications are being launched all the time. More than 80 percent of Chinese Internet users use social networking services. Chinese citizens have opened nearly 1.3 billion micro-blog accounts. The mobile Internet, cloud computing, big data, the Internet of Things and other cutting-edge ideas are encouraging innovation and providing huge business opportunities.

Ladies and gentlemen, dear friends,

The Chinese government has always placed great emphasis on cyber security. Maintaining cyber security is an important part of China’s national strategy and is high on the government agenda. We always believe that while development is the ultimate goal, security is the guarantee of achieving that goal. Without a secure environment, development will be weak and transient.

China faces serious cyber threats. Between January and August this year, more than 20,000 websites based in China were modified by hackers and more than 8 million servers, 14 percent more than during the same period last year, were compromised and controlled by overseas computers via zombie and Trojan programs. These activities have caused severe damage to our economy and the everyday life of the people. More than 80 percent of Chinese Internet users have fallen victim to cyber attacks at some time or other. The annual economic losses run to tens of billions of US dollars a year. Cyber crimes, especially Internet fraud, are on the rise year by year and the Internet is increasingly associated with illegal and criminal behaviors. Illegal and harmful materials such as online pornography are affecting young people and have become an issue of great concern to the public.

China supports various efforts to maintain cyber security. Like many other developing countries, China faces greater cyber security challenges than developed countries. As a result, we are very keen to continue working together with other countries to maintain cyber security. We are ready to expand our cooperation with other countries and relevant international organizations on the basis of equality and mutual benefit.

To maintain cyber security, we need to show respect for national sovereignty over cyberspace. The Internet is global, but at the same time it belongs to different countries. Sovereign states have primary responsibility for maintaining order in cyberspace. It thus follows that respect for national sovereignty over cyberspace is an important prerequisite for maintaining international cyber security. Given the differences in levels of economic development, cultural traditions, laws and regulations, each country naturally has its own concerns regarding cyber security. We should respect each country’s public policies on order and security in cyberspace.

To maintain cyber security, we need to build a robust legal system. Just as in the real world, activities in cyberspace need to be governed by law. Every country has a duty to contribute to the creation of a legal framework that will maintain cyber security, punish criminal activity, protect basic rights such as the right to privacy, and promote technological innovation and fair competition in the marketplace. All countries should protect their citizens’ rights to use the Internet in accordance with the law, and citizens should make use of the Internet according to law, because only on this basis can the international community establish order in cyberspace. If each country governs its cyberspace well, incidents that harm overall cyber security can be minimized. Although China has made positive efforts to improve its laws governing cyberspace, we recognize that we still have a long way to go. We want to enhance communication with other countries and learn from them how to build a legal system for cyberspace more scientific and more effective.

To maintain cyber security, we need to strengthen international cooperation. In cyberspace, all countries face the same problems and ultimately share the same fate. Cyber security should be built on the basis of coexistence and cooperation, as cooperation is the only way to achieve win-win solutions to shared problems. The international community should tackle difficulties and challenges together, strengthen communication and exchanges, improve mutual understanding, and jointly shoulder the responsibility for maintaining cyber security.

To strengthen international cooperation and safeguard cyber security, we should take action rather than to be content with empty talks. I, therefore, would like to put forward three proposals today.

Firstly, we should lay down international rules for behavior in cyberspace. We should first define some basic rules guiding behavior in cyberspace that can be observed by all countries. On this basis we should, step by step, create a fair and transparent mechanism for the governance of cyberspace. The definition of basic behavior rules would not only place restraints on all parties, but would also provide protection for the rights of all parties. The international community should, as soon as possible, begin discussions within the framework of the United Nations to promote the process of defining international behavior rules for cyberspace.

Secondly, we should explore effective means to tackle urgent problems. Cyber security involves a number of issues of common concern, such as cyber attacks, viruses and cyber terrorism, as well as issues of concern to specific parties, such as information security and cultural security. I suggest that we give full play to the role of the UN Group of Governmental Experts (GGE) in the field of information and telecommunications in the context of international security, identify pressing problems in global security, explore ways and means to solve them, and make clear the direction of actions for all governments and parties concerned. We should start with the problems that are easiest to solve so as to accumulate practical experience that can be applied to more difficult issues in the future.

Thirdly, we should create communication channels to facilitate international cooperation. Dealing with cyber security often involves various government departments and social organizations. To handle problems more efficiently, each country should designate specific government departments or other institutions to establish mechanisms that can quickly respond to calls for international cooperation. This could serve as the substantive action for promoting international cooperation. The National Computer Network Emergency Response Technical Team Coordination Center of China (CNCERT) has established cooperative relations with 91 organizations in 51 countries and regions and has signed cyber security cooperation memoranda with 13 international organizations. From January to September 2013, the Center received and dealt with a total of 583 requests from international emergency response organizations and other cyber security related organizations. Among them, 106 requests were from the United States Computer Emergency Readiness Team. We welcome friends from all over the world to cooperate with the Center.

Ladies and gentlemen, dear friends,

The United States and China are Internet giants. We share many common interests and there is enormous scope for cooperation. Our two countries have set up a working group on cyber security within the framework of the China-US Strategic Security Dialogue. We should make good use of this mechanism to carry on dialogue and negotiations on common concerns relating to cyber security so as to increase mutual understanding, keep our differences under control and expand cooperation.

We have already seen positive results from China-US cyber security cooperation. One example is the law enforcement cooperation between the police forces of our two countries. In June 2011, a joint US-China police operation cracked the world’s biggest Chinese-language pornographic website, the Sunshine Entertainment Alliance. A US-based culprit and 12 suspects located in China were arrested. Closing down the Sunshine Entertainment Alliance was a successful cooperation by Chinese and US law enforcement agencies targeting cross-border cyber crime. Cooperation between civil society organizations has also made substantial progress. Four years ago, I recommended to Mr. John Edwin Mroz four possible fields in which the EastWest Institute, the Internet Society of China and CNCERT could cooperate. My suggestion received a positive response from Mr. Mroz and our cooperation has yielded two results. The report, Fighting Spam to Build Trust, issued jointly by EWI and CNCERT in 2011, was a groundbreaking collaborative effort by 34 Chinese and American experts that followed two years of research and discussion. Another report, Frank Communication and Pragmatic Cooperation in Combating Harmful Hacking, to be made public during this summit, embodies the insights and reflections of Chinese and American cyber security experts. It represents another major contribution made by experts from both countries towards maintaining cyber security.

Experience teaches us that where there is action there will be results. Let us join hands to build a safer cyberspace with our wisdom and efforts.

Finally, I would like to wish the Fourth World Cyberspace Cooperation Summit every success.

Thank you all!

Understanding root differences on the Internet to make progress on cybersecurity: my latest at China-US Focus

New at China-U.S. Focus, I argue that there is real potential for progress on cybersecurity in the U.S.–China relationship, but basic differences in the way the governments and peoples view the Internet cannot be brushed aside.

Probe Deep Differences to Make Real Progress on Cybersecurity

In a U.S.–China relationship confronting numerous challenges, perhaps no topic is as hard to discuss as cybersecurity. Unlike other strategic challenges, such as minimizing the potential for inadvertent clashes at sea or in the air, smoothing bilateral economic investment regulations, or even reducing the severity and effects of climate change, cybersecurity cuts across policy areas with a blade of uncertainty and mutual suspicion. Some observers have suggested U.S.–China differences are so deep that dialogue is futile, but even if it doesn’t produce a swift resolution, a recent increase in public and private discussions on the topic can build a foundation of understanding.


Why one might think the US government sees China as threat no. 1

In recent weeks, a series of U.S. government statements, leaks, and policy changes could leave you with the impression that policymakers see China as the biggest threat to U.S. security.

My guess is that even if top officials in the Obama administration believe this, they would rather temper that impression. On the other hand, take a look, and consider what impression you would get from the last month:


Someone leaked at least part of a classified U.S. intelligence document to the Washington Post, which wrote: “The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.”


President Obama, in his State of the Union speech, made a thinly veiled reference to Chinese hacking—the only substantial China-related statement:

America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.


The New York Times reported on a study released by the private computer security company Mandiant, asserting that the People’s Liberation Army is behind attacks on U.S. businesses, national security institutions, and critical infrastructure.

On the record, a National Security Council spokesman said: “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.” That sounds reasonable, even though a Chinese foreign ministry spokesman called the Mandiant allegations “irresponsible and unprofessional.”

But here’s what unnamed U.S. sources told the Times:

  • “There are huge diplomatic sensitivities here,” said one intelligence official, with frustration in his voice.
  • “In the cold war, we were focused every day on the nuclear command centers around Moscow,” one senior defense official said recently. “Today, it’s fair to say that we worry as much about the computer servers in Shanghai.”

OK, now we have a direct Cold War comparison, framing Chinese actions as taking the place of the nuclear threat from the Soviet Union.


The White House released its “Strategy to Mitigate the Theft of U.S. Trade Secrets.” The document does not name China in the body text, but six of the seven concrete examples of theft in sidebars mention China explicitly. An attached Department of Justice list of “economic espionage and trade secret criminal cases” since 2009 includes 20 examples, 17 of which involve China.


Senate Intelligence Committee Chairwoman Dianne Feinstein said the Mandiant report accusing the PLA of specific actions is “essentially correct.” And House Intelligence Committee Chairman Mike Rogers said the Chinese government and military are behind attacks on U.S. companies “beyond a shadow of a doubt.”


A report from the Department of Homeland Security outlined a six-month effort to target U.S. natural gas pipeline operators, and press reports such as this one from the Christian Science Monitor said the attack signatures indicate ties to Chinese attacks. The link to China comes from information newly released by the DHS. Whether the motive of an attacker would be to compromise gas pipelines, to steal technology to run them, or both, is left an open question.


After a slight lull in action, filled nonetheless with plenty of commentary, U.S. National Security Advisor Thomas Donilon gave one of the administration’s most thorough recent speeches on Asia and the Pacific region. The speech has some new material and plenty of small adjustments, but the press angle was clear: “U.S. Demands China Block Cyberattacks and Agree to Rules.”

Importantly, the China section comes in contrast to kind words about “emerging powers” in India and Indonesia. Although a “constructive” relationship with China is framed as its own pillar in the administration’s Asia Pacific strategy, little is new here other than a drastically higher billing for cybersecurity concerns:

Both countries face risks when it comes to protecting personal data and communications, financial transactions, critical infrastructure, or the intellectual property and trade secrets that are so vital to innovation and economic growth.

It is in this last category that our concerns have moved to the forefront of our agenda. I am not talking about ordinary cybercrime or hacking. And, this is not solely a national security concern or a concern of the U.S. government. Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.

From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.

2013-03-12 – The reporting goes overboard?

The top U.S. intelligence official “suggested that [cyber] attacks now pose the most dangerous immediate threat to the United States, even more pressing than an attack by global terrorist networks,” according to The New York Times. That official, Director of National Intelligence James Clapper, also said there was only a “‘remote chance’ in the next two years of a major computer attack on the United States, which he defined as an operation that ‘would result in long-term, wide-scale disruption of services, such as a regional power outage.’”

The Times assertion that Clapper suggested cyber attacks could be more of a risk than terrorism seems to be based on the fact that Clapper discussed them first, so it is to be taken with a grain of salt. The full text of his statement for the record is available online. His remarks as delivered are online too. I haven’t found a transcript of the Q&A yet, but I just watched most of it, and the direct comparison of cyber attacks to terrorist attacks does not seem to be there.

So the reporting here may be a bit much, but the 2012 statement listed terrorism and proliferation above “cyber threats,” whereas the 2013 document puts “cyber” ahead of those two.

So, how does this all sound?

Especially if you read Clapper’s list order as indicative, these developments and statements as a whole sure could look like a concerted effort to escalate U.S. attention to one kind of threat posed by Chinese military operations. Meanwhile, the difference between stealing secrets and threatening military systems or life-supporting infrastructure is often glossed over, allowing fear of economic espionage to bleed into fear of military battle. Meanwhile, for obvious reasons, the government sources are not disclosing the U.S. military and NSA’s own cybersecurity capabilities and activities, except to announce greater efforts. Though other countries are sometimes mentioned, China is always held up as a marquee threat.

To at least some in the Chinese government, this is going to look like a move toward an aggressive and adversarial stance.

Is this the impression the Obama administration wants?

It is quite clear that the Obama administration has moved to bring greater pressure on the Chinese government over the issue of computer-enabled espionage and even sabotage. It is also clear that the issue is real, even if some elements of the story are being fudged in the press or by private contractors looking for a piece of the pie.

But it is less clear that this level of escalation is in the best interest of U.S.–China ties. As Donilon said in his speech (before emphasizing the cybersecurity demands), “Taken together, China’s leadership transition and the President’s re-election mark a new phase in U.S.-China relations—with new opportunities.” An aggressive stance, however, might undermine the opportunities for renewed contact.

At worst, it could trigger a retrenchment in Chinese officials’ willingness to engage in meaningful dialogue with the U.S. leadership. At best, pressure on this issue could produce results and bring a major irritant into the open in bilateral dialogue. One potential good sign came from the Chinese Foreign Ministry, where a spokeswoman said Tuesday “Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States.”

Meanwhile, I hope the U.S. government will take into account the media amplification effects that come from their increased frankness in public in this particular direction. If more people in the U.S. start seeing China as a Cold War-like enemy, they may find themselves fulfilling their own prophecy, an outcome far worse than the loss of corporate secrets.


Nothing in this post should be taken to suggest I view cybersecurity as unimportant or as an argument that all sides in the Chinese government are innocent. Indeed, military and critical infrastructure security are absolutely critical to national security, and not just in the United States. Minimizing the theft of corporate secrets is a reasonable economic interest of the United States, and even more so an interest of the corporations. I support scrutiny of this issue and increased efforts by government and private sector organizations. But piggy-backing fear of the unknown in cyber threats and fear of the unknown in the field of a potential “China threat” presents a risk of simplification and harmful cascades. China is not the only element of the cybersecurity issue, and cybersecurity is not the only element of the U.S. relationship with China.

Fighting 'the myth of unitary control' in China cybersecurity politics

My latest for Al Jazeera English asks for more recognition of pluralism and ambiguity when governments and firms accuse “China” or the “Chinese government” of hacking. Check it out!

For fun, my first piece for Al Jazeera fought the notion of a “cyber cold war” between the United States and China. In 2011.

[Crossposted on gwbstr.com]