In recent weeks, a series of U.S. government statements, leaks, and policy changes could leave you with the impression that policymakers see China as the biggest threat to U.S. security.
My guess is that even if top officials in the Obama administration believe this, they would rather temper that impression. On the other hand, take a look, and consider what impression you would get from the last month:
Someone leaked at least part of a classified U.S. intelligence document to the Washington Post, which wrote: “The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.”
President Obama, in his State of the Union speech, made a thinly veiled reference to Chinese hacking—the only substantial China-related statement:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
The New York Times reported on a study released by the private computer security company Mandiant, asserting that the People’s Liberation Army is behind attacks on U.S. businesses, national security institutions, and critical infrastructure.
On the record, a National Security Council spokesman said: “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so.” That sounds reasonable, even though a Chinese foreign ministry spokesman called the Mandiant allegations “irresponsible and unprofessional.”
But here’s what unnamed U.S. sources told the Times:
- “There are huge diplomatic sensitivities here,” said one intelligence official, with frustration in his voice.
- “In the cold war, we were focused every day on the nuclear command centers around Moscow,” one senior defense official said recently. “Today, it’s fair to say that we worry as much about the computer servers in Shanghai.”
OK, now we have a direct Cold War comparison, framing Chinese actions as taking the place of the nuclear threat from the Soviet Union.
The White House released its “Strategy to Mitigate the Theft of U.S. Trade Secrets.” The document does not name China in the body text, but six of the seven concrete examples of theft in sidebars mention China explicitly. An attached Department of Justice list of “economic espionage and trade secret criminal cases” since 2009 includes 20 examples, 17 of which involve China.
Senate Intelligence Committee Chairwoman Diane Feinstein said the Mandiant report accusing the PLA of specific actions is “essentially correct.” And House Intelligence Committe Chairman Mike Rogers said the Chinese government and military are behind attacks on U.S. companies “beyond a shadow of a doubt.”
A report from the Department of Homeland Security outlined a six-month effort to target U.S. natural gas pipeline operators, and press reports such as this one from the Christian Science Monitor said the attack signatures indicate ties to Chinese attacks. The link to China comes from information newly released by the DHS. Whether the motive of an attacker would be to compromise gas pipelines, to steal technology to run them, or both, is left an open question.
After a slight lull in action, filled nonetheless with plenty of commentary, U.S. National Security Advisor Thomas Donilon gave one of the administrations most thorough recent speeches on Asia and the Pacific region. The speech has some new material and plenty of small adjustments, but the press angle was clear: “U.S. Demands China Block Cyberattacks and Agree to Rules.”
Importantly, the China section comes in contrast to kind words about “emerging powers” in India and Indonesia. Although a “constructive” relationship with China is framed as its own pillar in the administration’s Asia Pacific strategy, little is new here other than a drastically higher billing for cybersecurity concerns:
Both countries face risks when it comes to protecting personal data and communications, financial transactions, critical infrastructure, or the intellectual property and trade secrets that are so vital to innovation and economic growth.
It is in this last category that our concerns have moved to the forefront of our agenda. I am not talking about ordinary cybercrime or hacking. And, this is not solely a national security concern or a concern of the U.S. government. Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.
From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.
2013-03-12 – The reporting goes overboard?
The top U.S. intelligence official “suggested that [cyber] attacks now pose the most dangerous immediate threat to the United States, even more pressing than an attack by global terrorist networks,” according to The New York Times. That official, Director of National Intelligence James Clapper, also said there was only a “‘remote chance’ in the next two years of a major computer attack on the United States, which he defined as an operation that ‘would result in long-term, wide-scale disruption of services, such as a regional power outage.'”
The Times assertion that Clapper suggested cyber attacks could be more of a risk than terrorism seems to be based on the fact that Clapper discussed them first, so it is to be taken with a grain of salt. The full text of his statement for the record is available online. His remarks as delivered are online too. I haven’t found a transcript of the Q&A yet, but I just watched most of it, and the direct comparison of cyber attacks to terrorist attacks does not seem to be there.
So the reporting here may be a bit much, but the 2012 statement listed terrorism and proliferation above “cyber threats,” whereas the
20032013 document puts “cyber” ahead of those two.
So, how does this all sound?
Especially if you read Clapper’s list order as indicative, these developments and statements as a whole sure could look like a concerted effort to escalate U.S. attention to one kind of threat posed by Chinese military operations. Meanwhile, the difference between stealing secrets and threatening military systems or life-supporting infrastructure is often glossed over, allowing fear of economic espionage to bleed into fear of military battle. Meanwhile, for obvious reasons, the government sources are not disclosing the U.S. military and NSA’s own cybersecurity capabilities and activities, except to announce greater efforts. Though other countries are sometimes mentioned, China is always held up as a marquee threat.
To at least some in the Chinese government, this is going to look like a move toward an aggressive and adversarial stance.
Is this the impression the Obama administration wants?
It is quite clear that the Obama administration has moved to bring greater pressure on the Chinese government over the issue of computer-enabled espionage and even sabotage. It is also clear that the issue is real, even if some elements of the story are being fudged in the press or by private contrators looking for a piece of the pie.
But it is less clear that this level of escalation is in the best interest of U.S.–China ties. As Donilon said in his speech (before emphasizing the cybersecurity demands), “Taken together, China’s leadership transition and the President’s re-election mark a new phase in U.S.-China relations—with new opportunities.” An agressive stance, however, might undermine the opportunities for renewed contact.
At worst, it could trigger a retrenchment in Chinese officials’ willingness to engage in meaningful dialogue with the U.S. leadership. At best, pressure on this issue could produce results and bring a major irritant into the open in bilateral dialogue. One potential good sign came from the Chinese Foreign Ministry, where a spokeswoman said Tuesday “Cyberspace needs rules and cooperation, not wars. China is willing to have constructive dialogue and cooperation with the global community, including the United States.”
Meanwhile, I hope the U.S. government will take into account the media amplification effects that come from their increased frankness in public in this particular direction. If more people in the U.S. start seeing China as a Cold War-like enemy, they may find themselves fulfilling their own prophesy, an outcome far worse than the loss of corporate secrets.
Nothing in this post should be taken to suggest I view cybersecurity as unimportant or as an argument that all sides in the Chinese government are innocent. Indeed, military and critical infrastructure security are absolutely critical to national security, and not just in the United States. Minimizing the theft of corporate secrets is a reasonable economic interest of the United States, and even more so an interest of the corporations. I support scrutiny of this issue and increased efforts by government and private sector organizations. But piggy-backing fear of the unknown in cyber threats and fear of the unknown in the field of a potential “China threat” presents a risk of simplification and harmful cascades. China is not the only element of the cybersecurity issue, and cybersecurity is not the only element of the U.S. relationship with China.