Recent reports of Chinese cyberspying have revealed hacking operations with a shocking scale and level of sophistication. China's hackers appear to be stealing massive amounts of intellectual property and proprietary information from U.S. companies, including those connected to the nation's critical infrastructure, such as waterworks, the electrical power grid and oil and gas pipelines. A recent study by security company Mandiant has shown that, in all probability, some of the snooping has been done by an arm of the Chinese military.
The revelations of China's misbehavior have led some writers to rashly declare that the U.S. is at war with our Asian rival, at least in cyberspace. This could not be further from the truth, and here's why.
There's No War
First, something obviously needs to be done to punish China for its thievery. But to describe the current state as war or cyberwar draws emotions at the expense of rational thinking. We are not at war with China, either in or out of cyberspace.
Real cyberwar would start with an attack that destroys something valuable or vital, kills people, or both. If the recipient labels the strike an act of war then time for negotiations is over. "Reacting diplomatically and legally to an act of cyberwar is inadequate," says Stewart Baker, a partner at Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security. "It's an act of war, we need to treat it as such and respond with our own acts of war."
An example of a true cyberattack was the Stuxnet malware that destroyed centrifuges in Iran's nuclear facilities. Discovered in 2010, Stuxnet was designed by the U.S. and Israel, according to media reports.
We are not under attack by China. The country is not our enemy. It is our economic and political rival. There is no evidence China wants to destroy anything. What it wants is information that provides a trade advantage, and at the moment there's no better way to get data from U.S. competitors than to let your spies loose on the Internet.
Most experts assume the U.S. also hacks China's computers to gather intelligence. The Brookings Institution, a Washington think tank, has identified two growth areas in the U.S. defense industry, drone manufacturing and the development of malware capable of exploiting software vulnerabilities not yet known to the developer.
Governments have always spied on each other, so it's no surprise that China, the U.S. and many other countries are using the Internet to steal information. Where China goes too far is in hacking U.S. companies. By law, the U.S. government cannot break into the computers of private companies for the sole purpose of taking intellectual property. China has no such restrictions.
What We Can Do
So the U.S. is within its rights to use every diplomatic, political, legal and economic tool at its disposal to pressure China to stop hacking private companies – or to at least negotiate an informal agreement that sets limits. While it's true China holds $1.2 trillion in U.S. debt, the U.S. is also the biggest buyer of Chinese goods. The U.S. is not without leverage here.
The Obama administration has already put China on notice. On Wednesday, the White House released its strategy for preventing the theft of U.S. trade secrets. The plan includes ratcheting up diplomatic efforts and making prosecution of foreign companies a top priority.
Such pressure could eventually lead to informal agreements that start small and grow in scope as trust builds. A starting point for the U.S. and China could be a ban on the destruction or disruption of critical infrastructure or technology driving the global economic system.
In the past, nations have reached understandings governing maritime transportation, air transport, the behavior of navies and international trade well in advance of formal treaties on these subjects, according to a recent paper by Richard Clarke, a former White House adviser on cybersecurity and cyberterrorism, entitled "Securing Cyberspace Through International Norms." For example, the U.S. and Russia are in discussions to establish a cyber hotline in order to prevent cyberspace activity from escalating into a conflict.
In the meantime, the U.S. should move much faster to adopt regulations for securing critical infrastructure and corporate networks. A good start would be passage of the Cyber Intelligence Sharing and Protection Act (CISPA), which would establish rules for sharing cyberthreat information between private industry and government agencies. Such information is important in strengthening defenses.
Eventually, China and the U.S. will draw lines in cyberspace that neither will cross. To get there, we should avoid nonsensical discussions of war that paint China as the enemy, and look for areas of agreement from which we can move forward.
Photo by Shutterstock