The Public Eye with Eric Chabrow

U.S.-China Fisticuffs Over Cyberspying

Tit-for-Tat Response by Two Cyber Powers

It's not quite the cyberwar many have envisioned, but the United States and China are tangled in a brawl that resembles, in some respects, a combination of a trade war and cyber-sniping.


The conflict came to the forefront with last week's indictment of five Chinese military officers for allegedly hacking into the computers of American companies to steal trade secrets (see The Real Aim of U.S. Indictment of Chinese). Since then, it has escalated on both sides.


Within days, China announced that it would start vetting major IT products and services to ensure their security. Then, this week, the Chinese government is advising its nation's banks to replace IBM servers with those made in China, as part of a trial program, according to Bloomberg News. IBM told the news service that it's unaware of such a policy.

The New York Times quotes a report in the state-run China Youth Daily newspaper that communications gear maker Cisco Systems is complicit with United States cyberspying, a charge Cisco denies. "Cisco does not work with any government to weaken our products for exploitation," Cisco spokesman Nigel Glennie says. "Additionally, Cisco does not monitor communications of private citizens or government organizations in China or anywhere in the world."

And the Financial Times cites "people close to senior Chinese leaders" as saying they have ordered state enterprises to stop working with U.S. consulting firms, such as McKinsey. McKinsey declined to comment.

The Chinese threats could be idle ones. Then again, no one really believes the five Chinese officers will be tried in the United States. It's part of the tit-for-tat response of this cyber engagement.

Who's the Real Villain?

Still, China isn't letting up on its campaign to make the U.S. look like the villain in this diplomatic battle. In a report last week, China contends it has been a major victim of U.S. cyberspying. The Chinese don't distinguish between spying to steal trade secrets to benefit state enterprises and U.S. spying that the federal government contends is done to safeguard the U.S. economy and not benefit specific businesses.

The rhetoric on both sides of the Pacific is heating up. Asst. Atty. Gen. John Carlin, speaking before the Brookings Institute, justifies the indictment of the five Chinese officers, even if a trial never takes place. "By going after these crimes, we can help to stop the next group of criminals," Carlin says. "It is, of course, possible that we will never obtain custody. But even if these five defendants evade arrest, laying bare this criminal activity takes it out of the shadows."

And Carlin says the indictments could lead to other actions, such as the one proposed last week by Sen. Charles Schumer, D-N.Y., who called on the U.S. trade representative to file suit against China at the World Trade Organization because of the cyber-attacks on U.S. businesses. "It is critical to the cybersecurity of American businesses that we have in place and take advantage of strong enforcement mechanisms to punish countries who sanction cyber-attacks," Schumer says in a letter to Trade Representative Michael Froman. "The Agreement on Trade-Related Aspects of Intellectual Property Rights requires each WTO member to protect trade secrets, and Chinese policies that sanction cyber espionage are in clear violation of that agreement."

A report from Al Jazeera America says U.S. officials are considering using visa restrictions to prevent Chinese hackers from attending Defcon, a popular hacker conference in Las Vegas, this summer.

Needing Trust

The ratcheting up of the grandiloquence and threats masks a more pressing problem for American businesses that sell communications and computer equipment (and advice) abroad. Can their products be trusted?

Glenn Greenwald, the Pulitzer Prize-winning reporter who's the prime recipient of Edward Snowden's leaks, says that National Security Agency documents show that the NSA routinely receives or intercepts routers, servers and other computer network devices being exported from the U.S. before they're delivered to international customers. According to a 2010 report from the NSA's Access and Target Development department, Greenwald reports, the agency implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on.

That's not good for business, and American vendors don't like it. "We comply with U.S. laws, like those of many other countries, which limit exports to certain customers and destinations; we ought to be able to count on the government to then not interfere with the lawful delivery of our products in the form in which we have manufactured them," Cisco Chief Compliance Officer Mark Chandler writes in a blog. "To do otherwise, and to violate legitimate privacy rights of individuals and institutions around the world, undermines confidence in our industry."

Even before the indictments of the five Chinese officers, and the latest brouhaha, American businesses expressed their jitteriness about the federal government's involvement in online information gathering and the impact it could have on their bottom line.

In March, IBM General Counsel Robert Weber said in a blog the federal government should not subvert commercial technologies, such as encryption, that are intended to protect business data. "Data is the next great natural resource, with the potential to improve lives and transform institutions for the better," Weber said. "However, establishing and maintaining the public's trust in new technologies is essential."

Integrity, along with confidentiality and availability, is one of the three pillars of cybersecurity, and that applies to the products and services American companies offer to China and the rest of the world.

Don't give the Chinese ammunition to make them seem more righteous than the United States in the cyberworld. The case against China is a strong one, but missteps by the United States only make the rest of the world perceive both nations as equals when it comes to doing harm in cyberspace.



About the Author

Eric Chabrow


Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



