The effects of an Internet attack could rival those of a nuclear bomb, according to a Chinese general at a briefing with the chairman of the U.S. Joint Chiefs of Staff in Beijing on Monday. From Bloomberg News:
With the Internet so difficult to control, the U.S. and China must boost coordination to shore up cybersecurity, Fang Fenghui, chairman of the People’s Liberation Army General Staff, said with Martin Dempsey yesterday. The U.S. is committed to a “better, deeper, more enduring relationship” with China, Dempsey said.
Ties between the U.S. and China have been strained by allegations by U.S. security company Mandiant Corp. that China’s army may be behind cyberattacks on companies worldwide. Dempsey is on a visit to China to seek closer dialogue with China’s military, discuss North Korea’s nuclear program and ease Chinese concerns over the Obama administration’s strategic pivot to the Asia-Pacific.
“If Internet security cannot be controlled, it’s not an exaggeration to say the effects could be no less than a nuclear bomb,” Fang said at the briefing with Dempsey.“The Internet is open to everyone and attacks can be launched from anywhere.”
The meeting marked the highest-level military talks between China and the U.S. in two years, reports Jane Perlez of The New York Times, and comes as The White House has made more direct statements about cyber security in recent weeks. The U.S. has demanded that China crack down on hacking and start negotiating rules for proper behavior in cyberspace, and new secretary of state John Kerry’s brought up cyber security during his recent visit to China. The Wall Street Journal reported yesterday that the Obama administration is weighing several options, including trade sanctions and even the indictment of Chinese nationals in U.S. courts, to more aggressively confront China over the issue. But China has denied the allegations by Mandiant and accused America of perpetrating cyber attacks as well.
Last week, Foreign Policy’s Jason Healey wrote that “there is a nugget of truth” in China’s claims that it has been the subject of U.S.-based hacking:
The Chinese press has reported that the websites of 85 public institutions and companies were “hacked” between September 2012 and March 2013, with 39 of those attacks traced back to the United States. During a similar period, Chinese authorities noted that there had been some 5,800 hacking attempts from U.S. IP addresses and that U.S.-based servers had hosted 73 percent of the phishing attacks against Chinese customers. Of the 6,747 computers controlling nearly 2 million botnets in China — the ones the Chinese spokesman told FT about — 2,194 were in the United States, “making it the largest point of origin of cyber attacks against China,” according to Xinhua.
Perhaps oddly for Chinese statistics, these actually stand up to scrutiny: American cyberspace is one of the least secure online realms. The United States does indeed top the list of botnet controllers with 40 percent of the total tracked by cybersecurity giant McAfee; Russia accounted for 8 percent and China 3 percent. Other measurements show these nations grouped closer together, but the United States is clearly a leading source of attacks. For example, Akamai, one of the world’s largest content-delivery networks, has observed that 13 percent of global attack traffic originated from the United States, though 33 percent came from China. Russia has the most malicious severs, with the United States ranking sixth; China doesn’t make the top 10, according to HostExploit’s latest quarterly report. After years of stories about U.S. military and intelligence cyber-capabilities, international audiences might see these statistics and agree with China that it is the Americans who are the troublemakers — after all, they were the ones behind Stuxnet.
Yet U.S. cyber-operations are extremely different from their Chinese equivalents and cannot be compared in the way the Chinese suggest. When the U.S. military or intelligence community conducts cyber-operations, they are quiet, coordinated, exceptionally well targeted, and under the strict control of senior officers and government executives. Lawyers review every stage. Even Stuxnet, though it was a breathtakingly sophisticated and brazen attack, was so tightly controlled that, when it escaped its target network, it caused no disruption. The White House keeps a close hold on cyber-operations through senior executives, generals, and political appointees throughout the bureaucracy.
Chinese espionage, by comparison, is under no such control. As in other areas of Chinese society, the People’s Liberation Army and state-owned enterprises are subject to little oversight and feel little need to coordinate their actions. Recently, one colleague that works for a specialized incident-response firm reported finding as many as seven different Chinese espionage groups operating in the same network, all sending information back to different masters. Few, if any, senior party officials care to rein in activities helping domestic companies (and probably lining their own pockets) by stealing foreign intellectual property.
The Diplomat’s Trefor Moss worries that “cyberspace may become the venue for a new Cold War for the Internet generation” as China, the United States and others continue to test the undefined boundaries of the Internet:
Cyberspace matters. We know this because governments and militaries around the world are scrambling to control the digital space even as they slash defense spending in other areas, rapidly building up cyber forces with which to defend their own virtual territories and attack those of their rivals.
But we do not yet know how much cyberspace matters, at least in security terms. Is it merely warfare’s new periphery, the theatre for a 21st century Cold War that will be waged unseen, and with practically no real-world consequences? Or is it emerging as the most important battle-space of the information age, the critical domain in which future wars will be won and lost?
For the time being, some states appear quite content to err on the side of boldness when it comes to cyber. This brazen approach to cyber operations – repeated attacks followed by often flimsy denials – almost suggests a view of cyberspace as a parallel universe in which actions do not carry real-world consequences. This would be a risky assumption. The victims of cyber attacks are becoming increasingly sensitive about what they perceive as acts of aggression, and are growing more inclined to retaliate, either legally, virtually, or perhaps even kinetically.