The US government is ratcheting up its rhetoric against China, claiming that state-sponsored Chinese hackers are involved in massive-scale campaigns to steal trade secrets over the Internet. The Chinese government denies this, of course, while claiming that it has discovered numerous attacks against its networks and infrastructure originating from the United States.
The allegations fired back and forth between the world's two largest economic powers are largely true, of course. As we have reported, network spying has been taking place for years. (See: America's Declared (& Undeclared) Cyberwar.) It is also a modern extension of classic cross-border espionage and spying, which is considered to be the second-oldest profession. But recently, cyberattacks by foreign governments, especially from China, seem to have emerged as an unprecedented threat, according to vocal outcries by US officials and a surge in media coverage about the "China hacking menace."
Pointing fingers
Without condoning trade secret theft by China or any other country, I feel the agendas of those responsible for inciting a call to arms in the United States to combat China's covert cyberwar against US intellectual property interests need to be carefully scrutinized. Lobbying groups and elected officials representing those hurt by the flow of technology and jobs from the United States to other countries, especially to China, certainly have a stake in playing up fears about purported cyberthreats.
However, something to watch out for is when politicians start to use false or dubious allegations to play on the fears of the populace as an excuse to restrict or more tightly control cross-border exchanges of data with China or any other country.
One worrisome example of a largely unfounded allegation against China is the publication of a report from US-based security firm Mandiant about alleged Internet attacks by the Chinese army. While Mandiant's allegations are worrisome on the surface, they are not completely grounded in fact, according to South Africa-based security firm Thinkst. (See: Cyberwarfare & the Battle to Protect Supply Chain Data.)
According to Mandiant, a China-based army unit of hackers is behind the so-called "APT1" attacks, which it says have involved over 1,900 assaults targeting mainly US and Canadian networks. Over 97 percent of the attacks originated from IP addresses in the Shanghai region, where Mandiant estimates there are possibly hundreds of hacker operatives involved.
Faulty facts?
But according to Thinkst, Mandiant's metrics are at fault. The main issue is that Mandiant failed to conclusively demonstrate that the IP addresses corresponded to a single organization, which has set a dangerous precedent. Thinkst writes:
- We are not saying the Chinese government does not hack the US.
Our concern is with this specific report; it is the first concrete
public attribution of ongoing espionage against the US, and, if the
report sets the standard for attribution, future events will be highly
muddled as competing hypotheses all meet the low standard set out in
Mandiant's APT1 report. Unfortunately it seems that contrary opinions
are being subjected to a level of diatribe usually reserved for
arguments of faith, not facts.
The US government outlines voluntary and seemingly benign best practices to help organizations protect their sensitive data in "Theft of U.S. Trade Secrets." But what happens when elected officials decide to take the next step and force organizations to follow certain procedures?
Chilling effects
The risk is when lobbyists convince Congress to create mandates that require organizations to spend a lot of money on software or hardware they do not want or need in the name of security. They might also mandate that companies with supply chain partners in China comply with unreasonable and expensive compliance procedures beyond the alphabet soups of regulatory compliance protocols that organizations must already follow when exchanging and storing data abroad.
Heavy-handed laws and regulations put in place under the guise of blocking Chinese hackers from stealing trade secrets would have obvious implications for supply chains that rely on cross-border data exchange over the Internet. And they would almost certainly prompt Beijing to retaliate, at a minimum by regulating and censoring data communications more heavily than it already does.
In the worst possible outcome, the war of rhetoric and empty allegations could lead to an all-out cyberwar waged multilaterally, while ending the relative freedom of data exchange that we have come to expect from the Internet.
Organizations are rightfully concerned about losing their competitive edge when hackers steal data over the Internet and obviously hope the government has a plan in place to head off these kinds of thefts in an appropriate way. But forcing organizations to comply with stricter and obtrusive laws and regulations that do not help much, based on irrational fear mongering, is not a viable solution.
Hopefully, Washington will taper off its war of words and learn how to better nab and shut down black hat hacker networks that operate from China or anywhere else, in a way that remains transparent and unobtrusive to the non-combatants.