After responding to a report linking the Chinese army to cyber attacks against the U.S. by claiming that America had perpetrated cyber attacks in China as well, China on Thursday provided details of the alleged intrusions . From Reuters:
“The Defense Ministry and China Military Online websites have faced a serious threat from hacking attacks since they were established, and the number of hacks has risen steadily in recent years,” said ministry spokesman Geng Yansheng.
“According to the IP addresses, the Defense Ministry and China Military Online websites were, in 2012, hacked on average from overseas 144,000 times a month, of which attacks from the U.S. accounted for 62.9 percent,” he said.
The comments were made at a monthly news conference, which foreign reporters are not allowed to attend, and posted on the ministry’s website.
Geng said he had noted reports that the United States planned to expand its cyber-warfare capability but that they were unhelpful to increasing international cooperation towards fighting hacking.
“We hope that the U.S. side can explain and clarify this.”
Geng also criticized the Mandiant Report, calling it “unprofessional and not in accordance with the facts,” though cyber security professionals interviewed by the Associated Press praised it for painting a detailed picture of China’s state-sponsored cyber espionage program. He denied that China engaged in cyber warfare, according to Xinhua News, claiming that the Chinese military conducts drills to safeguard against cyber attacks rather than conduct their own.
The Financial Times had more on China’s accusations:
CNCERT, a cyber-security institution under China’s Ministry for Industry and Information Technology, said more than 14m computers in China were hijacked and controlled from foreign IP addresses last year, and more than 10m of those infiltrated machines were under control from IP addresses located in the US. The institution listed South Korea and Germany as second- and third-ranking countries of origin for attackers on Chinese computers.
In response to questions, CNCERT said it was unable to identify either victims or attackers.
Huawei, the Chinese company which is the world’s second-largest vendor of telecom networking equipment, said it was also under constant attack. John Suffolk, the company’s chief security officer, estimated that Huawei is attacked about 10,000 times a week.
The National Journal’s Brian Fung writes that it’s naive to assume that the US isn’t snooping back, but he also pokes holes in China’s claims:
It’s obviously impossible to know whether Beijing is being honest about those figures. But if this is their way of accusing the United States of doing the same thing that they are — and that everyone should quit complaining — it’s a pretty weak defense. Even if we take their figures at face value (more on that next), there’s a big difference between knocking a website offline and penetrating a corporate network undetected so that you can steal trade secrets. The former involves very low stakes; anyone can do it, and the payoff is insignificant. Espionage and intelligence-gathering is all about the latter.
Sixty-three percent of China’s website hacks were traced back to the United States. But, just as it’s very difficult to prove with 100 percent certainty that recent cyberspying on American firms was the work of Chinese hackers and not, say, Russian or North Korean hackers routing their work through China, it’s equally hard to prove that the American government was responsible for the hacks going in the other direction. This is what’s called the attribution problem: All the circumstantial evidence points you to one culprit, but you can never know if you’ve fingered the right actor for sure. If the United States is retaliating against China with hacks of its own, website vandalism should be the least of Beijing’s complaints.
Meanwhile, Foreign Policy’s Dan Blumenthal writes that it’s time for the US government to go on the diplomatic, security and legal offensive to make China pay for militarizing cyberspace:
The U.S. military’s cyber-efforts presumably already include it own probes, penetrations, and demonstrations of capability. While the leaks claiming the U.S. government’s involvement in the Stuxnet operation — the computer worm that disabled centrifuges in the Iranian nuclear program — may have damaged U.S. national security, at least China knows that Washington is quite capable of carrying out strategic cyberattacks. To enhance deterrence, the U.S. government needs to demonstrate these sorts of capabilities more regularly, perhaps through cyber-exercises modeled after military exercises. For example, the U.S. military could set up an allied public training exercise in which it conducted cyberattacks against a “Country X” to disable its military infrastructure such as radars, satellites, and computer-based command-and-control systems.
To use the tools at America’s disposal in the fight for cybersecurity will require a high degree of interagency coordination, a much-maligned process. But Washington has made all the levers of power work together previously. The successful use of unified legal, law enforcement, financial, intelligence, and military deterrence against the Kim regime of North Korea during a short period of George W. Bush’s administration met the strategic goals of imposing serious costs on a dangerous government. China is not North Korea — it is far more responsible and less totalitarian. But America must target those acting irresponsibly in cyberspace. By taking the offensive, the United States can start to impose, rather than simply incur, costs in this element of strategic competition with China. Sitting by idly, however, presents a much greater likelihood that China’s dangerous cyberstrategy could spark a wider conflict.