China Not A Threat
China cyber not threat
Detsch, Mark Clayton Fellow in Cybersecurity for Passcode, 2015
(Jack, “Are We Exaggerating China’s Cyber Threat?”, 5-20, http://thediplomat.com/2015/05/are-we-exaggerating-chinas-cyber-threat/)
So how much should we worry about China’s cyber capabilities?
Not much, according to Professor Jon R. Lindsay’s new policy brief, published by Harvard University’s Belfer Center. Public record on U.S. and Chinese cyber capabilities remains scant, but Lindsay suggests that the U.S. is gaining an “increasing advantage,” evidenced by a new DARPA program launched in 2012, and the use of the Stuxnet worm to damage computer systems at an Iranian nuclear enrichment facility in 2010. In America’s private cyber industry, the name of the game has shifted from defense to offense.
But China’s interest in developing cyber capabilities is political, not military, Lindsay argues, prompting incursions into foreign digitized space to suppress dissent, in the case of GitHub, or to steal secrets from adversaries. Even so, “lax law enforcement, and poor cyber defenses leave the country vulnerable to both cybercriminals and foreign spies,” Lindsay notes, suggesting that China struggles to use the information it comes away with for political gain. China’s successful campaigns target NGOs and private sector companies, and “do nothing to defend China from the considerable intelligence and military advantages of the United States.”
That doesn’t mean that the PLA isn’t busy playing catch-up. In a recent issue of The Science of Military Strategy, put out by the military’s chief research institution, analysts concede that the PLA indeed possesses network attack forces inside of intelligence and civilian wings of government, including the Ministry of State Security and the Ministry of Public Security. It suggests that the military will deal with critical infrastructure targets, like electrical grids and gas pipelines, while smaller, nimbler hacking units like Axiom, which has been suspected in intrusions against Fortune 500 companies and pro-democracy groups, will focus on industrial targets.
But making that leap will be challenging, and would force China to walk back its global positions on cybersecurity. Beijing hopes to become a leader on that front and has been heavily promoting its concept of “internet sovereignty” as the basis for international standards of behavior in cyber space. China wants to defend “internet sovereignty” at all costs. Any future cyber attack would probably be justified on those grounds.
That’s also a self-limiting belief. While it has allowed home-grown giants like Weibo, Alibaba, and Baidu to flourish, China’s exclusion of American companies and know-how put it at a serious disadvantage in building robust cyber capabilities. China’s own approach to these issues could prevent Beijing from reaching its cyber potential.
No cyber threat
Pry, Executive Director of the Task Force on National and Homeland Security, 2015
(Peter, “Cyber Hype?”, 10-28, http://mackenzieinstitute.com/cyber-hype/)
Cyber attacks, the use of computer viruses and hacking to invade and manipulate information systems, are almost universally described by Western political and military leaders as one of the greatest threats. Every day, literally thousands of cyber attacks are made on civilian and military systems, most of them designed to steal information.
U.S. Joint Chiefs Chairman, General Martin Dempsey, warned on June 27, 2013, that the United States must be prepared for the revolutionary threat represented by cyber warfare (Claudette Roulo, DoD News, Armed Force Press Service): “One thing is clear. Cyber has escalated from an issue of moderate concern to one of the most serious threats to our national security,” cautioned Chairman Dempsey, “We now live in a world of weaponized bits and bytes, where an entire country can be disrupted by the click of a mouse.”
The Skeptics
Skeptics claim that the catastrophic scenarios envisioned for cyber warfare are grossly exaggerated, in part to justify costly cyber programs wanted by both the Pentagon and industry at a time of scarce defense dollars. Many of the skeptical arguments about the limitations of hacking and computer viruses are technically correct.
However, it is not widely understood that foreign military doctrines define “information warfare” and “cyber warfare” as encompassing kinetic attacks and electromagnetic pulse (EMP) attack–which is an existential threat.
Thomas Rid’s book Cyber War Will Not Take Place (Oxford University Press, 2013) exemplifies the viewpoint of a vocal minority of highly talented cyber security experts and scholars who think there is a conspiracy of governments and industry to hype the cyber threat. Rid’s bottom line is that hackers and computer bugs are capable of causing inconvenience–not apocalypse. Cyber attacks can deny services, damage computers selectively but probably not wholesale, and steal information, according to Rid. He does not rule out that future hackers and viruses could collapse the electric grid, concluding such a feat would be, not impossible, but nearly so.
In a 2012 BBC interview, Rid chastised then Secretary of Defense Leon Panetta for claiming that Iran’s Shamoon Virus, used against the U.S. banking system and Saudi Arabia’s ARAMCO, could foreshadow a “Cyber Pearl Harbor” and force threatening military retaliation against Iran. Rid told the BBC that the world has, “Never seen a cyber attack kill a single human being or destroy a building.”
Cyber security expert Bruce Schneier claims, “The threat of cyberwar has been hugely hyped” to keep growing cyber security programs at the Pentagon’s Cyber Command, the Department of Homeland Security, and new funding streams to Lockheed Martin, Raytheon, Century Link, and AT&T, who are all part of the new cyber defence industry. The Brookings Institute’s Peter Singer wrote in November 2012, “Zero. That is the number of people who have been hurt or killed by cyber terrorism.” Ronald J. Deibert, author of Black Code: Inside the Battle for Cyberspace, a lab director and professor at the University of Toronto, accuses RAND and the U.S. Air Force of exaggerating the threat from cyber warfare.
Peter Sommer of the London School of Economics and Ian Brown of Oxford University, in Reducing Systemic Cybersecurity Risk, a study for Europe’s Organization for Economic Cooperation and Development, are far more worried about natural EMP from the Sun than computer viruses: “a catastrophic cyber incident, such as a solar flare that could knock out satellites, base stations and net hardware” makes computer viruses and hacking “trivial in comparison.”
Aurora Experiment
The now declassified Aurora experiment, conducted by the U.S., is the empirical basis for the claim that a computer virus might be able to collapse the national electric grid. In Aurora, a virus was inserted into the SCADAS running a generator, causing the generator to malfunction and eventually destroy itself.
However, using a computer virus to destroy a single generator does not prove it is possible or likely that an adversary could destroy all or most of the generators in the United States. Aurora took a protracted time to burn out a generator–and no intervention by technicians attempting to save the generator was allowed, as would happen in a nationwide attack, if one could be engineered.
Nor is there a single documented case of even a local blackout being caused in the United States by a computer virus or hacking–which it seems should have happened by now, if vandals, terrorists, or rogue states could attack U.S. critical infrastructures easily by hacking.
Stuxnet Worm and Gaza Cyber War
Even the Stuxnet Worm, the most successful computer virus so far, reportedly according to White House sources jointly engineered by the U.S. and Israel to attack Iran’s nuclear weapons program, proved a disappointment. Stuxnet succeeded in damaging only 10 percent of Iran’s centrifuges for enriching uranium, and did not stop or even significantly delay Tehran’s march towards the bomb.
During the recently concluded Gaza War between Israel and Hamas, a major cyber campaign using computer bugs and hacking was launched against Israel by Hamas, the Syrian Electronic Army, Iran, and by sympathetic hackers worldwide. The Gaza War was a Cyber World War against Israel.
The Institute for National Security Studies, at Tel Aviv University, in “The Iranian Cyber Offensive during Operation Protective Edge” (August 26, 2014) reports that the cyber attacks caused inconvenience and in the worst case some alarm, over a false report that the Dimona nuclear reactor was leaking radiation: “…the focus of the cyber offensive…was the civilian internet. Iranian elements participated in what the C4I officer described as an attack unprecedented in its proportions and the quality of its targets….The attackers had some success when they managed to spread a false message via the IDF’s official Twitter account saying that the Dimona reactor had been hit by rocket fire and that there was a risk of a radioactive leak.”
However, the combined hacking efforts of Hamas, the Syrian Electronic Army, Iran and hackers worldwide did not blackout Israel or significantly impede Israel’s war effort.
Dragonfly
But tomorrow is always another day. Cyber warriors are right to worry that perhaps someday someone will develop the cyber bug version of an atomic bomb. Perhaps such a computer virus already exists in a foreign laboratory, awaiting use in a future surprise attack.
On July 6, 2014, reports surfaced that Russian intelligence services allegedly infected 1,000 power plants in Western Europe and the United States with a new computer virus called Dragonfly. No one knows what Dragonfly is supposed to do. Some analysts think it was just probing the defences of western electric grids. Others think Dragonfly may have inserted logic bombs into SCADAS that can disrupt the operation of electric power plants in a future crisis.
Escalating Cyber Attacks
Tomorrow’s cyber super-threat, that with computer viruses and hacking alone can blackout the national electric grid for a year or more, and so destroy an entire nation, may already be upon us today. Admiral Michael Rogers on November 20, 2014, warned the House Permanent Select Committee on Intelligence that sophisticated great powers like China and Russia have the capability to blackout the entire U.S. national electric grid for months or years by means of cyber attack, according to press reports.
Admiral Rogers, as Chief of U.S. Cyber Command and Director of the National Security Agency, is officially the foremost U.S. authority on the cyber threat. “It is only a matter of the when, not the if, that we are going to see something traumatic,” Admiral Rogers testified to Congress, as reported on CNN (November 21, 2014).
However, Jonathan Pollett, a cyber-security expert, in an article challenged Admiral Rogers’ warning as wrong, or misunderstood and exaggerated by the press: “No, hackers can’t take down the entire, or even a widespread portion of the US electric grid. From a logistical standpoint, this would be far too difficult to realistically pull off,” writes Pollett in “What Hackers Can Do To Our Power Grid,” Business Insider (November 23, 2014).
No Escalation
Restraint
Farley, Patterson School of Diplomacy and International Commerce senior lecturer, 2015
(Robert, “The US, China and an Abundance of Cyber-Caution”, 12-11, http://thediplomat.com/2015/12/the-us-china-and-an-abundance-of-cyber-caution/)
Why does China appear to be backing down to U.S. pressure on cyber-espionage? National security and cyber-warfare analysts have reacted with skepticism and surprise to China’s apparent receptivity to recent U.S. criticism over its cyber-espionage practices. Why have seemingly tepid U.S. actions had such an impact? This may be the wrong question. There’s a way of thinking about this question that rests less on the idea that the United States intimidated China (and consequently wonders why China felt intimidated), and more on the possibility that states are still finding their way in the cyber-realm, that the norms of cyber-conflict remain plastic, and that restraint may carry the day. While many analysts have predicted that the opening of the cyberspace would lead to national conflict, and government conflict against subnational groups, Brandon Valeriano and Ryan Maness argue in Cyber War versus Cyber Realities that the chief characteristic of conflict in the cyber-age has been restraint. While the development of the cyber commons opens up wide avenues in which states can attack one another, most governments thus far have not pressed their advantages. In part because of uncertainty about their own vulnerability, states restrain themselves from escalating. Some states may also worry about principal-agent problems: the degree to which they can exert full control over the cyber-capabilities that they develop. And while non-state proxies may offer some states certain advantages, these states may also be concerned about the use of such actors because of the long-term threat that enabling the groups could pose. If the theory of cyber-restraint proves correct, then legal and diplomatic efforts at preventing or constraining cyber-espionage may yet bear fruit. The nature of restraint lies in the development of norms of appropriate behavior. International and domestic law help to inform and produce these norms. 
Conceivably, careful construction of trade agreements could put bounds on the acceptability of some forms of cyber-espionage. Intellectual property law, for example, could help determine how states think about the appropriateness of certain kinds of cyber-espionage under certain circumstances. If U.S. officials have their way, the bounds would involve respect for the property rights of private firms, and a renunciation of efforts to directly copy and export foreign systems.
Status Quo Solves
Status quo levels of engagement solve commercial espionage
Iasiello, Department of State cyber threat analyst, 2015
(Emilio, “Ramping Down Chinese Commercial Cyber Espionage”, 12-9, http://www.foreignpolicyjournal.com/2015/12/09/ramping-down-chinese-cyber-espionage/)
Despite criticism from skeptics, China is trying to honor its “no commercial hacking for profit” commitments as first promised in an accord with the United States, and later reaffirmed at the November 2015 G20 summit. Recent news reports cited that in a show of good faith, China had arrested hackers per the U.S. government’s request prior to meeting with President Obama in September. While detractors believe that commercial cyber espionage hasn’t really stopped, recent Chinese efforts show a government trying to get a handle on its large spying apparatus that could include hired and independent contractors acting autonomously in addition to its other resources. While complete cessation may never occur, significant timely reduction demonstrates Beijing’s willingness to work with the United States as a partner and not a pariah, and provides a foundation from which the two governments can move forward on other cyber security areas where incongruity persists.
China’s Cyber Spying Apparatus – Too Large to Manage?
According to recent press reporting,[1] cyber spying perpetrated by the Chinese military against U.S. commercial targets waned substantially after the Department of Justice indictment of five People’s Liberation Army (PLA) officers for cyber-enabled commercial espionage. While this represents significant progress toward curbing bad behavior by a state whose nefarious cyber theft was termed “pervasive”[2] by the Director of National Intelligence, some believe that China’s foreign intelligence service is still engaged in these types of activities. According to one security vendor,[3] as of mid-October 2015, hackers associated with the Chinese government have targeted seven U.S. companies (five technology, two pharmaceutical) since September. Still, despite these proclamations, there are those U.S. officials taking a pragmatic approach to the cessation of China’s cyber spying for commercial gain, such as the deputy commander of U.S. Cyber Command,[4] who believes the effort will take time. According to the same press report, led by its president, China began applying pressure on its military to cease its economic espionage refocusing it on operations that support ensuring the country’s national security interests. This is encouraging for a state that has perpetually denied any involvement in hacking. China is suspected of having successfully infiltrated the networks of as many as 141 organizations from 15 nations and in nearly two-dozen critical industries including tech, financial services, government, and defense since 2006,[5] an effort that would take considerable resources to perform. The Chinese military, which has approximately 15 units known as technical reconnaissance bureaus[6] that have a signals/cyber collection mission, is only one part of the equation. The PLA has a strong militia system,[7] as well, in which active reserves augment almost every area of military operations. Added to the mix are several civilian organizations that are believed to have a cyber mission such as the Ministry of Public Security (MPS), as well as the Ministry of State Security (MSS),[8] which has been linked by some to the 2015 Anthem breach.[9] Added to the mix are academic[10] and research institutes[11] that may also be pursuing their own cyber espionage efforts. While this may seem monolithic in scope, and a surprise to some, for China watchers, Chinese interest in this area is not novel, although it has been evolving. Discussions on network warfare were included in China’s 2013 Science of Military Strategy,[12] an authoritative study of Chinese strategic thinking. Identifying PLA, MSS/MPS, and “non-governmental” forces involved in these types of activities.
Indeed, the need for these forces is reaffirmed in China’s 2015 military strategy in which it identified “information society” (cyber power) as the departure point of international security.[13] Of note, according to the same press report,[14] some portion of the vast Chinese cyber espionage operations looks to have been conducted by military personnel independent of the government’s direction, and perhaps, knowledge. Like independent contractors looking for buyers for their merchandise, these individuals provided stolen information to companies, further blurring the lines of what constitutes state culpability in these types of activities, and further complicates controlling them. There has been steady reporting reflecting the continued convergence of the tactics, techniques, and procedures (TTPs) used by cyber criminal and cyber espionage actors, such as employing spear phishing and using the same malware, for example.[15] Despite having a steadily increasing military budget, inflation has impacted any benefits, contributing to significant corruption among its ranks,[16] which may help explain “moonlighting” practices and this cross pollination of criminal and espionage TTPs. Given the various state and non-state individuals potentially engaged in cyber collection, it should come as little surprise that the volume of theft cannot be turned off at a moment’s notice. Taking into account overlapping mission areas, competition to deliver, target deconfliction issues, operations currently underway, independent operations, priority and non-priority tasking, it is understandable why reduction of cyber theft may be more of an evolving process than previously anticipated. This may help to explain the various targets and various types of capabilities observed over the past few years. Further complicating matters, oversight of these groups likely varies depending on the level of state affiliation that exists.
The recent arrest of hackers suspected of conducting the breach against the Office of Personnel Management in 2015 revealed that the hackers in question were criminals and not state-sponsored, according to Chinese officials.[17] While skeptics doubt that the “real” perpetrators will be the ones prosecuted, it does demonstrate China’s willingness to meet the conditions of its promises to the United States. It also sends the message that China is a contributing partner in the global fight against cyber crime—crime being the optimum word here—and may open up future discussions to determine what is a global consensus on espionage definitions and characteristics.
Conclusion
This gives hope for cautious optimism in Beijing reducing—not completely stopping—cyber-enabled commercial espionage. While detractors are quick to point out that the recent “no hack” pledges made by China with other governments, including the joint one made at the recent G20 meeting,[18] are paper promises that have no hope of enduring over a long period of time, they are nevertheless a marked progression toward codifying acceptable—and more importantly, unacceptable—nation state behavior in cyberspace. This is not to say the United States should grant China carte blanche to stopping cyber espionage activities on their timetable. Washington should further engage with Beijing on the identification of key deliverable milestones and how they will be measured that would demonstrate Beijing’s commitment to its pledge. Too much progress has been made to let a knee-jerk reaction derail the agreement. As cited by one former White House director for cyber security policy at the National Security Council, “The importance of China committing to answer our calls… is a massive, massive change.”[19] Allow the carrot of diplomatic engagement to run its course as the stick of sanctions always looms near.
NEG-deal good
Healey, Atlantic Council senior fellow, 2015
(Jason, “Opinion: Even if flawed, cybertheft deal with China a win for Obama”, 9-25, http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0925/Opinion-Even-if-flawed-cybertheft-deal-with-China-a-win-for-Obama)
It seems that no visit of a Chinese official can happen without a revival of Chinese proverbs. Maybe the point is to remind us how ancient a culture China is, or emphasize a reputation for wisdom. Even President Xi Jinping joined in, saying, “The fire burns high when everyone brings wood to it.” But the English language has folksy aphorisms, too, including this one: "Give your adversaries just enough rope to hang themselves." In fact, that's just what the US should do with its cybersecurity deal with Beijing. According to the official fact sheet on the agreement: "The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors." Since that was released Friday, the scoffing has been deafening. China experts and cybersecurity professionals both say China's commitment to the agreement lacks all credibility. After all, earlier this week, President Xi denied that China engages in cyberespionage, despite numerous reports that are rich with detailed evidence. Maybe the critics are too fast to pounce on the deal, which is a pretty easy target. Are they missing an important point? Perhaps China continues its attacks intended to steal trade secrets but reduces the volume of the assaults. Cybersecurity experts often forget that diplomacy isn't binary. It's analog and if this leads to "less but not zero" – it is still a win for our side. Perhaps more importantly, if this agreement does fall apart (and chances are it won't hold for long, if at all), the US will be in a much stronger position to respond to Beijing over its commercial espionage. We now have Xi’s public and very personal commitment to Obama that China doesn't engage in commercial espionage, nor will it in the future.
We also have a rich vein of proof saying China does exactly what it denies. The administration – and cybersecurity companies – should start planning their campaign of naming and shaming now. When the Chinese operations continue, we must call them out. To succeed, this cannot be an occasional release of damning reports every year or so, but a sustained campaign. Every denial has to be met with evidence. Every mewling “hacking is illegal in China” must be met with “then arrest this person and bring them to justice.” When state-owned enterprises are shown to be involved, demand “party discipline” be imposed on the executives and political officers. To make this happen, the Obama administration should declassify significant amounts of material to make the case against China, and publicly expose Xi’s false claims. President Reagan burned intelligence sources to prove the Soviets knew that the Korean airliner they shot down was not a US Air Force jet (as summarized in Jeffery Richelson’s "A Century of Spies: Intelligence in the Twentieth Century"). A National Security Agency article noted "a Soviet official claimed that it was the most damaging blow of the Cold War, one from which the USSR never recovered." President Obama doesn’t need to go so far to expose sources and methods, but must embrace that same principle. While naming and shaming will go only so far, so the administration should be ready with sanctions. After giving his personal commitment to reduce cyberattacks, Xi has far less room to maneuver if the US decides to sanction commercial spying that takes place after Friday's agreement. But maybe, just maybe, none of this naming and shaming or threat of sanctions is needed and China actually fulfills its pledge. Another aphorism in English is more timely than ever: "When you come to a fork in the road, take it." Whether the deal with China succeeds or fails, it can still be a win-win for the US. 
That probably isn’t the same win-win that Xi alluded to in his speech to US tech executives in Seattle earlier this week, but it still counts. China might have had Confucius, but the United States had Yogi Berra. And it ain’t over until it’s over.