In a speech on Monday at the Asia Society in New York, National Security Adviser Tom Donilon addressed Chinese cyber intrusions into U.S. government and business network infrastructures. In moving cybersecurity “to the forefront of our agenda,” Mr. Donilon noted that he wasn’t referring to “ordinary cybercrime or hacking.” He called on Beijing to recognize the importance of cyber issues, take “serious steps” to investigate Chinese cyber intrusions, and engage in a “constructive dialogue” to define “acceptable norms of behavior in cyberspace.”
To his credit, Mr. Donilon differentiates between hacking and China’s threat in cyberspace—the software that controls the operation of networks linking computers in the governmental and private sphere. But in asking Beijing to investigate cyber intrusions, he is asking the government to investigate its own military’s massive continuing cyberspying. While his speech reflects a desire to be diplomatic in public, it muddles the true nature of the threat and thus may confound U.S. efforts to respond.
After last month’s report by Internet security firm Mandiant linking China’s People’s Liberation Army to hundreds of thousands of cyberattacks across the globe, including against U.S. corporations and government agencies, cybersecurity is finally getting the media attention it deserves. Yet there remain misperceptions about cyberthreats and how to respond. For instance, Chinese cyber intruders on the PLA payroll shouldn’t be considered “hackers.” They are spies for the Chinese government. Mr. Donilon’s speech would have made the distinction clearer in the news media and in the public mind, had he not called on Beijing to fix the problem, as if it originated elsewhere.
Hacking has historical associations that differ considerably from what the PLA is doing. From the late 1960s through the early 1980s, hackers were mostly a benign phenomenon: pranksters playing hide-and-seek with network administrators. Sometimes they even played the role of outsiders testing firewalls to inform administrators of security problems.
By the 1980s, hacking had acquired a second, negative connotation. Malicious software—”malware”—made its appearance. Malware encompasses “viruses” that begin self-replicating when activated by the unsuspecting user. Also included are “worms” that replicate without user action, “logic bombs” that activate at a later time, and “Trojan horses” that appear to be legitimate programs even when detected.
Hackers from time to time purloined or altered data, malicious acts that led to the passage of federal and state laws making such intrusions unlawful. But the authorities still were dealing with a small-scale phenomenon.
Yet in the late 1980s there was a glimpse of cyberthreats to come: On May 13, 1988, Israel detected and stopped the “PLO virus,” a logic bomb designed to infect and destroy files on computers at Hebrew University timed for May 14, 1988, the 40th anniversary of Israel’s independence.
In the 1990s, significant economic damage became a reality. The emergence of the public Internet meant that networks connected to the World Wide Web served not thousands but many millions of computers through myriad interconnected networks.
The first decade of the 21st century saw the rise of network use by two new, malevolent actors rarely present before: terrorist groups and hostile governments. Shortly after the 9/11 attacks, Richard Clarke, the top government bureaucrat focusing on cyberthreats during the late Clinton and early George W. Bush years, was right to warn of a looming “digital Pearl Harbor.”
Yet unlike terrorist organizations that generally inspire individual or small groups of hackers, the Chinese are conducting operations—cyberspying and widespread theft of sensitive data—akin to what the Soviets did during the Cold War to better position themselves in the event of a hot war. Mere hackers don’t steal volumes of documentation on the ultra-advanced F-35 Lightning, the only fifth-generation fighter still being produced by the U.S. China’s spies have invaded every major national-security database that they can within the Pentagon and U.S. defense companies.
In the event of war, China could use stolen data to bypass security firewalls and launch cyber strikes to blind the global positioning satellites that direct U.S. weapons to their targets and to disable satellites that enable global military and diplomatic voice and data communications. They also could cripple U.S. public telecommunications networks that link financial, energy, transportation and electric-grid infrastructures. China’s newest Stealth fighter, the J-31, closely resembles the F-35.
So what should the U.S. do?
Begin by acknowledging the magnitude of the threat. The PLA’s “Third Department,” which handles telecommunications, can call on 12 operation bureaus to carry out cyberattacks, and three research institutes for technical support with some 13,000 staff upon request. The volume of stolen data is staggering: In March 2011, a single cyber intruder stole 24,000 files from a defense industry computer network.
A full panoply of diplomatic and economic levers must be employed to raise the costs of China’s campaign. Economic sanctions can target key companies and officials; trade can be conditioned on significantly curbing cyberspying; and demonstrating the ability to penetrate Chinese military networks can impose costs on the Chinese.
Now that America’s economic and financial affairs are deeply entangled with China’s, mounting such a robust response may seem a daunting task. But the U.S. must begin by recognizing that the country is dealing with a hostile regime. China isn’t an enemy out to destroy America, as is al Qaeda or the Islamic Republic of Iran; it is out to supplant the U.S. as the premier power on the world stage.
Had China sent military aircraft repeatedly into U.S. airspace, there would have been a swift and strong response from Washington. Had Chinese spies broken into U.S. office buildings and walked out with purloined documents, they would have been tried and punished. Instead, they did so in “cyberspace”—stealing on a scale mere burglars couldn’t imagine.
China’s cyber challenge won’t end soon. The U.S. had better respond promptly, forcefully and creatively—and settle in for the long haul.
John Wohlstetter is the author of “Sleepwalking With the Bomb” (Discovery Institute Press, 2012).