Cybertheft of US weapons system designs. Intellectual property siphoned wholesale from America’s corporate networks. Stealth intrusions into computers that control the vital North American power grid. All linked to China.
It’s a grim picture of a digital relationship between nations gone sour that President Obama is expected to paint for Chinese President Xi Jinping during this important “working visit” between the two leaders June 7-8.
Blunt behind-closed-doors talk about this bilateral cyber problem is likely to include a laundry list of US expectations for what constitutes good cyber behavior in its largest trading partner – and possible sanctions if China doesn’t act to rein in state-tolerated or -sponsored cyberespionage, US cyber experts say.
Cyber storm clouds have gathered over the globe’s most important trading partnership largely due to fast-growing cyber insecurities on both sides. China worries about US hegemony over the Internet, cyberspying by the US intelligence agencies, and control over key network technologies it sees as key to its security.
The US, meanwhile, wants China to throttle back the flood of cyberspying that daily backs up the equivalent of digital moving vans to US corporate networks to steal away (by downloading in a few seconds) troves of ideas, plans, designs, and formulas that make the US economy hum and keep Americans employed.
Losses from the theft of US intellectual property are roughly $300 billion a year, according to a report last week by the Commission on the Theft of American Intellectual Property, spearheaded by Dennis Blair, a former director of national intelligence, and Jon Huntsman, former US ambassador to China. China is responsible for 50 percent or more of the stolen data, the group reported.
Other economists who have studied the subject say the total hit to the US economy is not that large, but they agree that the effects of Chinese cyberespionage on the US economy are serious and building quickly.
“Total losses from intellectual property theft by China are more on the scale of tens of billions of dollars,” says Scott Borg, director and chief economist of the US Cyber Consequences Unit, an independent think tank that advises government and industry about cyber issues. “There’s danger, however, that with accelerating growth of this practice it could grow to be gigantic.”
Hooked on cybertheft?
Even if China were willing to moderate some of its cyberespionage practices, its economy has become hooked on the economic boost and the competitive advantage provided by cybertheft of US business data. So it likely would not be able to give it up even if its new leader wanted to do so, Mr. Borg says.
To keep China’s society stable, its rulers believe, correctly, that they need to deliver rapid increases in the standard of living, he says. To continue to grow their economy, the Chinese need to get their hands on the high-tech secrets inside US business networks.
“It should be possible to get them to moderate their activity, to cut back on the more egregious things they’re doing,” Borg says. “But it’s difficult to see how they can change this broad cybertheft policy – the pressure on the Chinese rulers is just too great.”
There’s pressure on the US side, too. The cybersecurity issue has hit the nation with a thud, politically and diplomatically. During the past six months, a drumbeat of reports of Chinese cyberintrusions into US newspapers, cyberweapons system, and intellectual property has put fresh pressure on Congress and caused the Obama White House to shift from quiet diplomacy with China to confronting it publicly.
"Sophisticated, targeted theft of confidential business information and proprietary technologies through cyberintrusions [are] emanating from China on an unprecedented scale," former National Security Adviser Tom Donilon declared in an April speech. Cyberespionage was the big topic during recent visits to China by Secretary of State John Kerry and by Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff.
Hacking has been a focal point at "every level in our meetings with our Chinese counterparts," White House spokesman Jay Carney said last month. Now a US president will for the first time confront a Chinese leader over cyberespionage. It gives some experts the jitters, because of the pressure and limits on both sides.
“We in the US feel very vulnerable after more than a decade of cyberespionage and theft of trade secrets that have only increased in aggression and even ferocity,” says Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a nonpartisan Washington think tank on international affairs.
In the US it’s been a slow boil, he says. After a decade spent waking up to the magnitude and source of the cyberthreat, America for the past several years has simply endured rampant cyber plundering of business secrets across defense, energy, technology, drug, manufacturing, and many other industries, Mr. Healey and other US cyber experts say.
This week, US intelligence officials revealed that documents and e-mails were stolen during the 2008 presidential campaign from both Mr. Obama and John McCain, the GOP presidential candidate. The cyberattack, first detected that summer, was traced back to China, Mr. Blair, Obama's former director of national intelligence, told NBC News.
“It’s like a marriage relationship,” he says. “If you’re enduring something for 10 years and keeping it bottled up inside, you’re going to be really angry and ready to hit someone after that. Well, the US had decided the time for silence is over, but we’ve let it go on so long that I’m worried we may not be patient enough to wait for China’s response.”
On the other hand, Blair notes, “The Chinese feel backed against a wall.”
“Everywhere they look, they see America on the high ground in cyberspace,” he says. “They see Microsoft, Cisco, Apple looking down on them along with the National Security Agency, and they feel vulnerable to that.”
The hope: moderation in cyber stealing
Healey and Borg agree the US should be able to get China to moderate some of its more egregious practices. Healey notes that during one recent investigation no fewer than seven different Chinese cyberespionage groups were detected operating within a single company’s network.
Indeed, US companies and lawmakers are putting new pressure on Obama, watching to see how forcefully and successfully he confronts a Chinese leader and lays out cyber rules of the road.
In the US Senate, a new bill would create a “watch list” of foreign countries engaging in cyberespionage. The president would be allowed to block imports of classes of goods if certain companies benefited from the stolen US technology or proprietary information.
“I thought you could refer to this bill in your meeting with President Xi as an example that the US will indeed impose real costs on China should they continue to steal our intellectual property,” wrote Sen. Carl Levin (D) of Michigan in a letter to Obama.
Business leaders are watching, too.
“China has hacked some of our most advanced weapons systems while also engaging in systematic cyber-espionage against our electric grids, water resources, and other critical infrastructure,” Scott Paul, president of the Alliance for American Manufacturing, declared in a statement this week. “This is hardly the time to engage in the usual chit-chat with Beijing. President Obama must stand up to China’s bullying.”
February saw revelations of Chinese cyberspying directed at US news media outlets, as well as a major cybersecurity company report that fingered the Chinese government – in the form of a secret unit of the Chinese military dubbed Unit 61398 – for stealing terabytes of information from each of the 141 companies, government agencies, and other organizations it had infiltrated over seven years.
A US government report last month determined that 29 defense system designs had been compromised by cyberintrusions from China, including the F-35 strike fighter, the most advanced US aircraft. China has unveiled a version of its own fighter that bears a striking resemblance to the F-35.
China says it's a victim, too
When accused of tolerating or backing cyberespionage, China has typically proclaimed its innocence, noting that it, too, is victimized by cyberespionage and cybercrime, much of it from US-based Internet addresses.
Some 85 websites belonging to Chinese companies and public institutions were hacked between September 2012 and February 2013 alone, including government agencies, a property insurance company, a virus research facility in central China, and a provincial examination authority, according to a March report by China’s National Computer Network Emergency Response Technical Team Coordination Center.
Attacks on 39 of those websites came from Internet addresses in the US. In the past two months, 6,747 overseas servers were found using botnets to control nearly 1.9 million mainframe computers in China, with nearly one-third of those servers located in the US, the largest single point of origin for cyberattacks against China, the report said.
Yet there is a distinct apples-and-oranges aspect when comparing US and Chinese concerns.
Attacks from US computers are largely the work of criminal gangs using the US computer infrastructure. And while US intelligence agencies doubtless have considerable cyberespionage operations ongoing, their focus is on government and military, not ripping off China’s economy.
Obama is expected to assert that official cyberspying should focus on governments and militaries, not private industry.
Besides trade sanctions, US options to pressure China include threatening to prevent Chinese companies that use stolen proprietary information from being listed on US stock exchanges – or even selling their goods in the US. Visas might be denied to the executives of Chinese companies using stolen US business data.
There are at least a few bright spots. The US and China recently convened a high-level working group that has marching orders to develop a set of norms that both nations understand on cyber relations.
Indeed, the US does not want cyberespionage to stop – especially with officials bragging that US intelligence agencies are the best in the world at doing it. But under the onslaught of cybertheft, the US appears genuinely eager for some mutually understood cyberspy parameters roughly akin to those that governed the US-Russian relationship during the cold war spy-versus-spy years.
“Cyberinvasions of grid-control systems might be a really good place to start dialogue among the two leaders,” says Irving Lachow, director of the Technology and National Security Program at the Center for a New American Security, a Washington think tank. “Let’s agree that cyberattacks on certain types of infrastructure are off limits – hospitals, nuclear power plants, and the grid. [That] might be a good first step.”