WASHINGTON – If you work in Washington — on Capitol Hill or on K Street, at a law firm or at a think tank — you’ve probably been hacked. If you work at a major American company, you’ve probably been hacked, too. The penetration of U.S. computer networks by Chinese hackers has been going on for more than three decades. It’s good that it is finally getting attention. But with that spotlight have come exaggeration and myths that need to be discarded.
1. We are in a cyber cold war with China.
We are not in a war — cold, cool or hot — with China in cyberspace. There have been none of the threats, denouncements or proxy conflicts that characterize a cold war. In fact, the Obama administration appears to be omitting any mention of the Chinese military in recent high-profile speeches on Chinese hacking. After Treasury Secretary Jack Lew met recently with top Chinese officials in Beijing, he told reporters there that cyber-attacks and cyber-espionage are a “very serious threat to our economic interests.”
“Cyber-attack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions — for instance, the blocking of a Falun Gong site hosted at the University of Alabama — China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so.
Trying to cram Chinese hackers into antiquated cold war formulas doesn’t help, either. America’s relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence. The idea of “containment” for China is inane. How would you “contain” a major economic partner?
2. China’s hackers are unstoppable cyber-warriors.
The problem isn’t that the Chinese are so skilled; it’s that U.S. companies are so inept. A survey I published last month found that more than 90 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and that 85 percent went undetected for months — another sign of lax security. (One more sign: They were usually discovered by an outsider rather than the victimized company.)
There is debate within the U.S. intelligence community about whether the Chinese have more sophisticated cyber-attackers waiting in the wings or whether we’ve seen the best they can do. But it’s clear that so far, they haven’t had to bring their A-game to break into our networks.
3. China is poised to launch crippling attacks on crucial U.S. infrastructure.
Obama’s State of the Union address included a line about how “our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic-control systems.” Similarly, a recent report by the security firm Mandiant suggested that China’s hackers are increasingly focused on companies with ties to U.S. critical infrastructure.
In peacetime, however, China is no more likely to launch a cyber-attack on American infrastructure than it is to launch a missile at us. It has no interest in provoking a war it couldn’t win or in harming an economy it depends on. Even in wartime, China would want to avoid escalation and would be more apt to launch cyber-attacks on the Pacific Command or other deployed U.S. forces than on domestic American targets.
China would attack civilian infrastructure only in extremis — if the survival of its regime were threatened.
4. Cyber-espionage is causing the greatest transfer of wealth in history.
This claim has been repeated by the likes of the head of U.S. Cyber Command. It’s a dramatic way to describe the theft, mainly by China, of American intellectual property, but it doesn’t make economic sense.
Putting a dollar value on the “loss” from cyber-espionage is very difficult, and many estimates are wild guesses. A reasonable assessment would be that it costs the United States no more than $100 billion a year and perhaps much less — what some economists would describe as a rounding error in our $15 trillion economy. This is not death by a thousand cuts. It probably isn’t even slowing the U.S. economy.
Even when China steals intellectual property, it can take years to turn it into a competitive advantage. The right technical skills and manufacturing base are needed to turn advanced designs into high-end competitive products. China is still lagging in many high-tech arenas, such as semiconductors.
The one area where this is not true is military technology. Chinese espionage has led to rapid improvements in that country’s stealth, submarine quieting, nuclear weapons and sensor technologies. While the economic risk from cyber-espionage is generally overstated, the U.S. has probably underestimated the damage to its lead in military technology.
5. America spies on China, too, so what can we complain about?
Chinese officials portray their country as a victim of hacking. Meanwhile, some American scholars question whether the U.S. is in a position to criticize, since it also engages in cyber-espionage.
“Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs,” law professor Jack Goldsmith wrote. That misstates the issue.
The Internet, poorly secured and poorly governed, has been a tremendous boon for spying. Every major power has taken advantage of this, but there are unwritten rules that govern espionage and China’s behavior is out of bounds. Where Beijing crosses the line is in economic espionage: stealing secrets from foreign companies to help its own. China also outmatches all other countries in the immense scale of its spying effort, and the U.S. is far from the only nation to have suffered.
The U.S., by contrast, does not engage in economic espionage. As one Chinese official put it in recent talks at the Center for Strategic and International Studies: “In America, military espionage is heroic and economic espionage is a crime, but in China the line is not so clear.”
The U.S. and other countries need to make that line clearer and discourage China from crossing it.
James Andrew Lewis is a senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies.