China’s aggressive cyber espionage and military reconnaissance operations against both U.S. government and private networks show no sign of abating under the Obama administration’s policy of holding talks and threatening but not taking punitive action.
Typical of the administration’s approach has been the seemingly endless series of high-level meetings with Chinese officials, such as talks held last week in Washington to discuss "norms" of behavior in cyberspace.
For at least the past five years, President Obama and the White House have ignored appeals from security and military officials, as well as from Congress and the private sector, to show greater resolve and take some type of action against the Chinese, lest the country’s technology wealth be drained empty.
The meeting on May 11 included officials of the Senior Experts Group on International Norms and Related Issues. Christopher Painter, State Department coordinator for cyber issues, led the U.S. side, and the Chinese delegation was headed by Wang Qun, director of the Chinese Foreign Ministry’s department of arms control.
China’s appointment of an arms control official to lead their delegation shows clearly Beijing’s approach to the discussions: The Chinese, as with other communist regimes, view arms control as political warfare and a means of limiting your enemies capabilities while pretending to agree to limits on your own capabilities. The Soviets perfected this tactic in the Cold War.
The cyber meeting, as with most sessions involving China, is being kept secret. Only a brief, two-paragraph statement on the session was released by the State Department.
For the diplomats at State, substantive outcomes from talks like these matter little. The process of holding discussions is considered to be progress.
The administration has been talking to China for years with little result. In fact, an earlier round of talks were cut off by the Chinese in 2014 after the Justice Department indicted five People’s Liberation Army hackers for stealing corporate data from Westinghouse, Alcoa, and other entities. China demanded the indictment be dropped, even though an actual prosecution remains extremely unlikely.
This week’s talks grew out of the summit in September between Obama and Chinese leader Xi Jinping. It was at the summit that the president was set to actually impose sanctions on China for more than five years of widespread data theft and hacking, most recently the theft of Office of Personnel Management records on 22 million federal workers. But at the last minute, Xi staved off the sanctions by merely pledging that China would end cyber economic espionage. The pledge prompted a relieved Obama, ever fearful of escalating confrontation, to back off the sanctions.
Nicole Thompson, a State Department spokeswoman, told The Cyber Threat the talks last week were the first meeting of the experts group. The talks included discussion of whether international law applies to state actions in cyber space, adopting voluntary international norms of state behavior in peacetime, and unspecified cyber confidence building measures.
Thompson declined to say whether the talks were productive or contentious, or whether any progress was made. China’s state-run Xinhua, however, said the two sides engaged in "positive, in-depth, and constructive" conversations.
We can glean from testimony before Congress by Painter, the cyber security coordinator, how the U.S. side likely approached the talks, however. Painter told the Senate a year ago that the administration wants an agreement on "voluntary measures of self-restraint," such as promising not to attack critical infrastructure, not conducting cyber attacks on systems used to respond to cyber attacks, and cooperation on investigating cyber crime.
A final objective is for governments to shun "cyber-enabled theft of intellectual property" and giving the secrets to companies. This is what Xi promised in September and yet China has continued to ignore the accord. No one in the Obama administration at any level has called the Chinese president to account for the lie.
As the pervasive nature of Chinese cyber attacks begins to sink in and the damage revealed, the debate within government over how to respond is heating up. At the forefront is Adm. Mike Rogers, commander of the U.S. Cyber Command and director of the National Security Agency, who has lamented that the cost of entry for cyber spying remains low. He has also warned that state-sponsors of hacking face no fear of a counter attack or other punitive measures that could create a deterrent calculus for Chinese leaders. Continued inaction by the president on Chinese cyber attacks proves his point.
Asked why there has been no action against the Chinese, a White House official would not say, other than to note that "we consistently and candidly raise our concerns" with the Chinese and press them to abide by pledges not to conduct cyber attacks. "We have been clear with the Chinese government that we are watching to ensure their words are matched by actions," the official said.
On whether continuing Chinese cyber activity indicates the president’s policy is not working, the official said, "for more than seven years [Obama] has acted comprehensively to confront that challenge."
The current strategy seeks to raise awareness of cyber security needs, to deter, disrupt, and interfere with malicious cyber activity, and to be ready to respond to cyber attacks.
"Bold action is required to secure our digital society and keep America competitive in the global digital economy," the official said.
Bold action against cyber attacks, however, is lacking.
A key question in the debate is whether government should carry out cyber counterattacks to demonstrate once and for all to Beijing there is a price to be paid for state-sponsored hacking. A second question is whether private sector security firms should be permitted to conduct counterattacks or "hack backs" to steal or damage stolen information residing in hackers’ computers.
Russia’s government-sponsored cyber attacks are said to be more advanced and sophisticated than those of China. But recent cases involving Chinese hackers and the length of time China has been targeting the United States provide the best argument to make Beijing the target of counter cyber strikes.
Targets of Chinese hacking have ranged from classified details of the F-35 jet fighter radar and engine schematics stolen from defense contractors, to the 80 million healthcare records hacked from Anthem, to the 22 million sensitive files pilfered from OPM. Less publicized are China’s covert penetrations of critical infrastructure operational control networks that run the electric grid, water system, and other elements of national infrastructure. These activities, more than the data theft, are the key indicator that in a future conflict the PLA plans to attack and bring down the electric grids in the United States in a coordinated campaign of asymmetric cyber warfare.
The Chinese, masters of information warfare and political influence, have taken the measure of the president and appear to regard him as a geopolitical rube. The president has spent his tenure in office committed to a progressive dream that views strategic threats from China, Russia, and Iran as overblown, and calls for aggressive action to respond to those threats as outdated strategic thinking.
The Chinese have understood this about the president and in response adopted a strategic deception program designed to fool him into believing China is a normal nation to be trusted to abide by norms and laws—and not a nuclear-armed communist dictatorship bent on global hegemony as an anti-democratic superpower. China regards the president and other liberal politicians like Vice President Joe Biden as easily deceived by their own vision.
Private industry also has pressed the White House to do more to protect American intellectual property from Chinese cyber attacks. But the Justice Department has prohibited companies from going after hackers – either by using cyber counterattacks to steal back stolen data, or by taking action to disrupt, disable or damage foreign computer hackers and their networks.
A bipartisan congressional China commission highlighted the problem in its annual report last year.
"The U.S. reaction to the increasing number and sophistication of foreign cyber espionage and malicious network attacks has been mostly defensive," the U.S.-China Economic and Security Review Commission said. "U.S. law does not allow retaliatory cyber attacks by private citizens and corporations, nor does it appear to allow counter intrusions or ‘hack backs’ for the purpose of recovering, erasing, or altering stolen data in offending computer networks."
Nevertheless, policy discussions on offensive and retaliatory cyber operations are underway, and need to speed up. Talks with China will achieve little. As the commission report puts it:
The Chinese government appears to believe that it has more to gain than lose from its cyber espionage and attack campaign. So far it has acquired valuable technology, trade secrets and intelligence. The costs imposed have been minimal compared to the perceived benefit. The campaign is likely to continue and may well escalate as the Chinese Communist Party leadership continues to seek further advantage while testing the limits of any deterrent response.
China then will continue widespread theft and the mapping of critical infrastructures in preparation for future cyber war, while the administration continues to hold out the naïve hope that China can be convinced to act like a normal state.
A new policy of cyber deterrence and counter cyber attacks is needed before it is too late and the high-technology wealth of the United States and its national security are squandered.
The Cyber Threat column appears Mondays. It is co-published on Flash//CRITIC Cyber Threat News at flashcritic.com.