Last year, a technology firm that monitors web traffic revealed that one-third of observed cyberattacks originate in China. A new report is far more specific about the exact source of those attacks.
According to the recent report from Mandiant, an American computer security firm, the majority of Chinese attacks on U.S. corporations can be traced to a single neighborhood on the outskirts of Shanghai. The area contains several restaurants and massage parlors, a wine importer – and the headquarters of a secretive military unit that the state-owned telecom has equipped with multiple high-speed fiber optic lines. Researchers believe that China’s notorious “Comment Crew” hackers and the military unit called the People’s Liberation Army Unit 61398 are either linked or are one and the same.
The Mandiant report provides some of the strongest non-classified evidence to date that the regular Chinese cyberattacks on American corporations and government agencies are state-sponsored. China denies this. Rather than discussing the allegations, China has focused on its own claims of U.S.-based hacking.
As it becomes clearer that the attacks are part of Chinese government policy, Washington has no choice but to respond. Corporations, no matter how large, are no match for an extended assault coordinated by a major foreign power.
Part of the response will need to be a continued investment in cybersecurity. The government can constructively encourage private companies, particularly those that play a role in American infrastructure and security, to do the same, and can provide legal and technological tools to that end. Washington gridlock has prevented our virtual defenses from becoming as strong as they should be. Last year, just a month after Congress failed to pass a bill setting voluntary cybersecurity standards for operators of vital infrastructure systems, a company that provides remote access services for most oil and gas pipelines in North and South America announced that it had been successfully attacked.
But increased security will lead only to increasingly complex assaults that we cannot expect to stave off every time. One senior defense official, quoted in The New York Times, compared the technological fight to the Cold War arms race. The only long-term solution is to begin attacking the incentives behind those attacks. Representative Mike Rogers of Michigan, the Republican chairman of the House Intelligence Committee, captured the problem perfectly in an interview with The Times. “Right now there is no incentive for the Chinese to stop doing this,” he said. “If we don’t create a high price, it’s only going to keep accelerating.”
Since the bulk of Chinese attacks appear to be corporate espionage operations aimed at gaining a commercial advantage, the market is the natural place to make the Chinese start paying for misbehavior. The international community needs to make it absolutely clear that, just as there should be no market for stolen goods, there will be no market for goods that incorporate stolen intellectual property or are manufactured using misappropriated trade secrets. We will likely need to implement retaliatory tariffs and even trade bans to keep the fruits of corporate espionage from U.S. sales floors.
We will need to work with our allies to extend these efforts. If other developed countries are reluctant to act individually, the World Trade Organization may need to step in to establish and enforce procedures. This may seem inconsistent with the organization’s goal of encouraging free trade, but, contrary to the Chinese interpretation, “free” trade does not mean taking other people’s information for free. To truly have free and fair trade, we need to take a stand against economic foul play.
With this new information suggesting links between hackers the Chinese military and the continuing rise in attacks, the Obama administration shows signs that it is preparing to act. “We cannot look back years from now and wonder why we did nothing,” Obama said in the State of the Union address. In the next few weeks, White House officials are expected to address the issue with China’s newly reshuffled leadership.
The less China has to gain from breaking the rules, the more likely it is to begin thinking about what it could gain from following them. Eventually, as Chinese companies develop more of their own intellectual property, their government may see the value of cooperating in an international system that helps to protect that property. Redirected, the same ingenuity that hackers have applied to infiltrating competitors’ systems could give birth to a whole new wave of innovative products and processes that the Chinese government would be proud to defend.