Exploring cybersecurity from China’s perspective
Hardly a week passes without some headline accusing unnamed Chinese hackers of digital misdeeds. They’ve breached a bank, broken into a retailer, stolen data from a health insurer, or infiltrated American government networks. Most famously, Obama administration officials called out China as the No. 1 suspect in the massive Office of Personnel Management breach last year.
But even though US officials point the finger at China for aggressively hacking of American computer networks – either for commercial gain or in service of national spying – there’s often little discussion about what’s driving their actions. Of course, all countries spy and all countries use the Internet to do it. But many experts say China is in a league of its own when it comes to digital espionage for commercial gain or hacking into the networks of critics, activists, or civil society organizations working toward reform.
“Why they are constantly hacking into companies, institutions, the military, quite honestly, is because they can. There has been almost no cost to them,” said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations and author of “The Hacked World Order.”
Passcode convened a Feb. 4 panel discussion that explored China’s motivations in cyberspace –and how its actions are affecting governments, companies, and civil society – that included Segal, Sharon Hom, executive director of Human Rights in China, Michael Sulmeyer, director of the cybersecurity project at the Harvard Kennedy School’s Belfer Center, and Lobsang Gyatso Sither, digital security programs manager at the Tibet Action Institute. Excerpts follow.
All photos are by Ann Hermes, staff photographer of The Christian Science Monitor.
Why is China hacking the world?
Beyond the fact that it can, and there have been few ramifications, economics drives much of China’s digital espionage. While many people may think of China as a “massive economic success story” that has “raised hundreds of millions of people out of poverty,” said Segal, Beijing worries about being left in the next stage of global development as the world moves away from manufacturing and toward the knowledge economy.
China is also impatient, says Mr. Segal. It wants to accelerate its own engine of technological development and it’s doing that by hacking corporations and stealing intellectual property, he says. “The Chinese don’t want to be the factory to the world any longer,” said Segal, who recently wrote a cover story for The Christian Science Monitor explaining why China hacks the world. “The Chinese are really worried that in the next stage of development, they are going to get caught in a technology trap.... They want to move up the chain much more quickly, so we see them hacking to steal intellectual property.”
Everyone spies
It’s the nature of geopolitics in the Digital Age. As National Security Agency leaker Edward Snowden has shown, the NSA is certainly willing to hack phones, networks, and anything else to eavesdrop on friends and enemies alike.
“The difference that the US has been trying to establish for the past five years was that there’s good hacking, and there’s bad hacking,” said Segal. “Of course, the good hacking is the hacking the United States does. The good hacking is hacking focused on political and military espionage. Bad hacking is breaking into a company, stealing their intellectual property to help a Chinese company. The US doesn’t do that.”
Control the narrative
Both Segal and Sharon Hom said China is also exerting power in cyberspace to control freedom of expression, tamp down on criticism, and attempt to intimidate anyone – activists, artists, students, and journalists – who criticize the Communist Party. “China wants to control the narrative about itself but also the narrative about the world,” said Ms. Hom. “The party wants to manage expression online.”
While China’s hacking has become a national security issue in the US as a result of political and industrial espionage – the recent deal between Washington and Beijing is meant to curtail cyber-enabled commercial spying – Hom says the rights community has long felt the full force of China’s relentless digital assaults.
“When we think about cybersecurity, it is a transnational issue. It’s an issue that has always been obvious to the human rights community, that it affected all of us. But it’s become more obvious to the private sector when governments are attacked, when companies are attacked, they realize that they’re actually in the same boat with human rights groups and Tibetan activists. We’ve always been targeted by attacks.”
In fact, the Tibetan activist community endures so many digital assaults that it’s often characterized as being at the frontlines in a cyberwar with China. “If you’re an activist or someone who works for Tibet you will receive a social-engineered e-mail every week. And if you don’t receive an e-mail like that, you probably think you aren’t doing enough,” said Lobsang Gyatso Sither, digital security programs manager at the Tibet Action Institute.
“Everyone is targeted, and it’s not just the people in the movement,” he said. State-backed hackers target the friends, relatives, and colleagues of people who are working on rights’ campaigns, he said. “That creates a sense of fear, and that’s how they want to make people afraid of the repercussions.”
These kinds of hacks have life and death consequences, said Mr. Sither. And because of that, the international community, governments, and businesses should do more to stand up against China’s persistent digital assaults on human rights groups. “We need to make that at the forefront because human lives are at stake, it’s not just about money.”
Toward normalcy in cyberspace
One mechanism that many experts argue could convince China, and many other nations for that matter, to rein in hackers is the establishment of international norms of behavior – diplospeak for rules meant to guide how nations should act in cyberspace.
“We aren’t going to stop them from trying to break into the Pentagon. That’s just not going to happen,” said Segal. But, he said, norms could help to prevent cyber from moving to the kinetic, meaning digital assaults that trigger some physical damage or attack. “Right now there are no rules about what behavior is acceptable in cyberspace.”
But Hom pointed out that there's significant momentum at the United Nations and other international organizations to forge norms of behavior, that would also apply to how countries should treat civil society and online speech.
‘We’ve always been targeted by attacks.’ - Sharon Hom
“The debates primarily on norms in the cyberspace realm have been about economic espionage and about military espionage and about national security interests,” said Hom. But rights groups and civil society need to be a major part of the discussion, too, she said. “At least there’s a discussion and a trend and development that brings human rights into the discussion where it belongs.”
But until then, Hom asked what kind of digital response could the West exact on China that would send a clear message that its actions in cyberspace won’t be tolerated. What would a serious, proportionate look like, she asked. Could the US or hacktivists poke holes in the Great Firewall, for instance, disrupting China’s system for massive Internet censorship. That would send a clear message, said Hom. “What if there was some serious proportionate appropriate response.”
Segal pointed out that, according to a July 2015 New York Times article, someone in the government is already thinking about about breaching China’s digital cloak. “If we want to go after something that the Chinese leadership would understand – and be afraid of – then one of the things we might do is target the great firewall.”
Improving defences
Figuring out how to improve security in the digital world, and dissuading nation-state or criminal groups from attacking either for political or financial gain, is incredibly frustrating, said Michael Sulmeyer of Harvard’s Belfer Center. “The reason why this is frustrating – thinking about what to do about Chinese activity in cyberspace – is because it’s frustrating to figure out what to do about about China’s activity across the board. It is not just a cyber problem that the US has with China.”
But until there’s any kind of truce or calming to the hostilities that all nations, companies, and organizations face online, the key is to bolster cyberdefences, said Mr. Sulmeyer, formerly the director for plans and operations for cyber policy in the Office of the Secretary of Defense.
“The state of defences is really bad,” he said. “I fear we are still largely in a situation where the state of defenses is so bad that it’s just too easy for adversaries.” While international talks and agreements are worthwhile pursuits, said Sulmeyer, shoring up defense goes a long way to deterring attackers. “If the statistics are true that over 70 percent of hacks are perpetrated over known vulnerabilities,” he said, “I don’t know how you have a conversation about what to do about it without talking about defense.”
