The U.S. president should tell the leader of China’s communist party that its cyber attacks against Western targets threaten to undermine the Chinese economy and social order, an analyst said.
When asked what President Barack Obama should say to President Xi Jinping at their next meeting in June, James Mulvenon, a vice president at Defense Group Inc., a technology company in Vienna, Va., was blunt.
“This is imperiling your own economic development, which is imperiling your social stability, which is your No. 1 priority,” Mulvenon said May 21 during a panel discussion at the Center for Strategic and International Studies, a think tank in Washington, D.C. “The only message that will get through to a general secretary of the Chinese communist party is that economic development and social stability are threatened by the brazen scope and scale of this intrusion.”
China was a frequent topic during the panel discussion, part of an event called “Threat and Response: Combating Advanced Attacks and Cyber-Espionage,” which drew a roomful of academics, executives, government and military officials, and reporters.
Since 2006, a Chinese espionage group has stolen hundreds of terabytes of information from at least 141 companies across 20 major industries, including aerospace and defense, according to a February report from Mandiant, a closely held company based in Alexandria, Va., which sells information-security services.
Obama should tell Xi that such actions “are undermining that last remaining pillar of strategic cooperative Sino-U.S. relations,” Mulvenon said. “The trade and business community are some of the loudest critics of what’s going on on the Chinese side who traditionally have been the strongest proponents of cooperative Sino-U.S. relations.”
Mulvenon also criticized China’s official response to the report.
“The Chinese, in my view, have always been terrible strategic communicators but they reached a new low recently when their response to the Mandiant report was — and this is an official spokesman at the Ministry of National Defense said — there is no Unit 61398,” he said. “We have hundreds of pieces of open-source data identifying that unit is public knowledge,” he added. “Their literal response at the official level is to deny reality.”
U.S. companies are already being hurt by the theft of intellectual property, according to Shawn Henry, president of CrowdStrike Services, a security technology firm based in San Francisco, and former executive assistant director of the Federal Bureau of Investigation. A biotechnology company that typically takes five years to take an idea to market has noticed Chinese competitors churning out similar products in 18 months, Henry said.
“It’s not because they’ve come up with some newfangled manufacturing process,” he said during the panel. It’s because concept and engineering resources are “being stolen, and they’re going right from manufacturing and to market.”
Chief executive officers must be responsible for the security of their companies’ networks, according to Chris Inglis, deputy director of the National Security Agency, the Pentagon’s code-breaking wing.
“We need to hold CEOs or the appropriate parties accountable for the resilience, the security, integrity of those things that generate revenue or generate whatever the business is of that particular organization,” he said in separate remarks at the event.
Similar to the way they pay attention to finances under Sarbanes-Oxley, the 2002 legislation designed to protect investors from fraudulent accounting practices, executives may “spend an equal amount of time to the integrity and the resilience of their networks because it’s not just a commodity whose fate may have an effect on their bottom line, it’s a foundation for their business,” Inglis said.
A bill sponsored by Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, would make it easier for intelligence agencies to share information with the private sector. The legislation, the Cyber Intelligence Sharing and Protection Act, H.R. 624, has been referred to the Senate Intelligence Committee.
The U.S. Defense Department in a report released May 5 for the first time blamed China directly for targeting its computer networks. The attacks were focused on extracting information, including sensitive defense technology.
“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military,” it states. “The accesses and skills required for these intrusions are similar to those necessary to conduct computer network attacks.”
China called the accusations “groundless” and “not in line with the efforts made by both sides to strengthen mutual trust and cooperation,” according to a May 9 article published on the state-run website, “People’s Daily Online.” The country is a “victim itself of cyberattacks,” it states.
The U.S. faces a dilemma in talks with China because the U.S. has tried to make a distinction between types of spying in cyberspace, including traditional espionage, which it says cannot be legislated or governed through treaty, and commercial espionage, which it says can, Mulvenon said.
“This has been a real clangor with the Chinese because they don’t see the distinction because in their system the same people are doing both,” he said. China has single, large-scale, state-owned companies in each sector of the economy, making it easy for government spies to pass intelligence to corporate executives, he said.
“They don’t believe us when we tell them we are statutorily precluded from doing commercial espionage and we even give them a very practical reason: We say if the United States conducted commercial espionage on behalf of its companies, we wouldn’t know how to share the proceeds without somebody who didn’t get it suing us in the U.S. government for anti-trust violations,” Mulvenon said.
Russia is much stealthier than China when it comes to cyberspace espionage, Mulvenon said. “They use a lot more crypto,” he said, referring to cryptography.