If you’re the type of person prone to conspiracy theories, you might conclude that the US administration is currently doing the cyberspace equivalent of sailing a gunboat up the Yangtze and firing off some warning shots.
We’ve just seen a report submitted to Congress by the Department of Defense (DoD) directly naming (for the first time at this level) China as the source of cyber-espionage operations. Earlier, there was a report by the US-China Economic and Security Review Commission, a Congressional committee, which came to much the same conclusion.
In February, a White House study was a little more even-handed, putting the blame equally on China and Russia. “We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace,” it said. This was part of a raft of measures and proclamations intended to protect US government and trade secrets and beef up cyber-security. This included the publication of the ‘Administration Strategy on Mitigating the Theft of US Trade Secrets’ which mentions China 120 times, an average of nearly once per page.
A US appropriations bill – the Consolidated and Further Continuing Appropriations Act of 2013 – recently put a ban on government agencies buying technology from firms “owned, operated or subsidised” by the People’s Republic of China. This was only a short-term measure, lasting until the end of September, but was clearly intended as a shot across the bows of Huawei and ZTE. It led to Sprint saying it would avoid using Huawei kit in its network developments.
A bunch of senators have now proposed a bipartisan bill – the Deter Cyber Theft Act – to create a ‘watch list’ of countries suspected of carrying out cyber-espionage against the US. You can guess which country would be at the top of that list. It would also allow for the blocking of products from the worst culprits. The chances of the bill passing into law are remote, especially as Congress failed to push through the recent Cyber Intelligence Sharing and Protection Act (CISPA), but its very existence is another bit of sabre-rattling.
It’s not just government and legislators getting in on the act: in March, security firm Mandiant released its report on the so-called APT1 team, said to be the crack cyberwar unit of the People’s Liberation Army. Not everyone was as convinced as Mandiant that APT1 represented the most significant threat, but it nevertheless grabbed headlines.
Now the Alliance for American Manufacturing has concluded that the reliance of the US military on foreign-made electronics and communications gear is ‘frightening’ and an unacceptable security risk. It concludes that critically important equipment should be sourced domestically – although it clearly has a commercial interest in what could be interpreted as a blatantly protectionist move.
All of this is interesting in the light of the latest Data Breach Investigations Report from Verizon. Its analysis of 621 breaches (out of 47,000 security incidents) concluded that, where external actors were involved, 30% of them could be traced to China. Yet almost the same number (28%) were located in Romania. (Admit it, you thought I was going to say Russia, didn’t you? In fact, Russia came fifth at 5%, behind the US (18%) and Bulgaria (7%).) The difference between the Chinese and Romanians was a simple matter of what they were after. The majority of the Chinese were engaged in espionage, according to Verizon, while the Romanians were purely motivated by financial gain. So if it’s cyber-spies you want, the Chinese are your lads.
Actually, you don’t need to be a conspiracy theorist to see that the US is telling China to knock it off. To what degree these reports and other activities are co-ordinated, as opposed to simply being the product of a nervous zeitgeist, we’ll never know. But clearly there’s a high level of concern in the US about China’s alleged cyber-naughtiness.
At this point, it’s normal practice to adopt a scrupulously fair and neutral position and point out that: a) attribution of attacks is notoriously difficult on the Internet, and what appears to be coming from China isn’t necessarily originating there; and b) the Chinese Government, and firms like Huawei, vigorously deny they’re up to no good.
Well, they would, wouldn’t they?