In the lead-up to Chinese President Xi Jinping's state visit to Washington next week, President Barack Obama has been vocal in his warnings about Chinese state-sponsored hackers, who the U.S. says continue to launch attacks against networks to steal valuable information from companies and organizations across the country. The problem is that the president may have trouble putting his words into action.
Experts say tracing the source of cyberattacks is notoriously difficult, and producing evidence that meets international forensic standards is even tougher. Unless the U.S. government can get the attribution and evidence right, this week’s warnings and the threat of sanctions could be seen as a PR exercise for the president.
“We are preparing a number of measures that will convey to the Chinese that we are more than serious,” Obama said this week.
The president wasn't talking about the usual spying that all states participate in but about attacks against private companies and the theft of intellectual property that is then funneled to companies in China to give them a competitive advantage. "We have repeatedly said to the Chinese government that we understand how traditional intelligence-gathering functions and that all states engage in it, including us," Obama said. "What is fundamentally different is your government or its proxies engaging in industrial espionage and stealing trade secrets from a company. We consider that an act of aggression, and it must stop."
The president issued an executive order in April declaring a national emergency to deal with cyberthreats, including the theft of intellectual property, laying out the basis for applying sanctions to companies or entities that engage in such activity. The second stage of the move will see the administration actually impose sanctions on particular Chinese firms, something White House officials are said to be preparing now.
Among the possible sanctions is restricting Chinese companies that operate abroad from using international banking systems, as they involve U.S. banks, which would hit those companies' bottom lines.
Clearly this is an issue that Obama needs to address loudly and publicly, but the question is, if the U.S. government cannot definitively identify who is behind these attacks or even if they are happening, will sanctions really work?
Attribution Is Tough
It was as far back as 2011 that the Pentagon decreed that cyberattacks would be treated as acts of war, opening the door for responding to such attacks with old-fashioned military force. That has to date proven to be an empty threat, according to one leading cybersecurity expert.
One problem: Attackers use a variety of technical means to cover their tracks. “If I wanted to attack U.S. targets, I would route my attack through Vancouver and watch them throw missiles at Canada. It is an empty threat which they hoped would somehow restrict the attacks,” Mikko Hypponen, chief research officer with F-Secure, told International Business Times.
The threat has clearly not worked, with the volume and size of attacks against the U.S. growing significantly in the last four years. But Paul Stockton, the current managing director of Sonecon, a security and economics consulting firm in Washington, and a former assistant secretary of defense for homeland defense, believes the skills of the U.S. government's cyberoperatives are gaining daily. "The adversary is getting better at covering their tracks, but U.S. technical capabilities continue to improve."
Attribution is notoriously difficult in cyberattacks, with hackers able to spoof their location and hide their digital footprints, especially when talking about a very well-funded operation like China’s state-sponsored cyberarmy.
Details about the size of China’s cyberarmy are sketchy, but in 2013 the world got a glimpse inside their operations when security company Mandiant published a 60-page report on one of the units inside the People’s Liberation Army -- the notorious Unit 61398 -- which had been carrying out cyberespionage against 115 U.S. companies dating back to 2006. This was a single unit inside the PLA, which Mandiant estimated was staffed by hundreds if not thousands of soldiers, with many more units suspected of carrying out similar attacks.
Last year, a federal grand jury indicted, in absentia, five Chinese military officials it said were part of Unit 61398 for spying on six U.S. companies, including one that builds nuclear power plants. It was a bold move from the administration, but one which has little impact beyond the initial public relations boost it may have given Obama.
Another issue the U.S. government faces is just how it will present the evidence it has on the companies it claims are stealing intellectual property, as it will not want to reveal its sources and methods. "I do believe there will have to be a public justification and some provision in order to ensure that we are setting the standards by our actions in imposing economic sanctions that the United States would be willing to live by as we partner with other countries to build norms against the theft of intellectual property," Stockton told IBT.
Public Relations Exercise
Obama has to be seen to be making the right noises and supporting the private sector, but just a couple of weeks ago, the president himself admitted the difficulty of assigning blame accurately in cyberspace. Speaking with service members on the 14th anniversary of the Sept. 11 attacks, he outlined just how difficult stopping these intrusions can be.
“Unlike traditional conflicts and aggression, oftentimes we don’t have a return address,” Obama said. “If somebody hacks into a system and goes after critical infrastructure or penetrates our financial systems, we can’t necessarily trace it directly to that state or that actor. That makes it more difficult.”
Obama admitted that offense is moving a lot faster than defense when it comes to cyberattacks and while security companies all over the world are revealing details about attacks every day, that number is dwarfed by the attacks we simply don’t know about.
In order to be able to take definitive action, the U.S. will need something that is not very easy to get in cyberspace -- concrete evidence.
"If the U.S. really wants to stop China from carrying out economic cyberespionage, it has to show, publicly, clear evidence that China is really behind the espionage -- the challenge of attribution,” Jarno Limnell, an expert in international security politics and a former Finnish military officer, told IBT. “The U.S. must also have its policies in place and be clear about how they will act if large-scale economic cyberespionage is conducted against them and be determined to do so if needed. Otherwise cyber deterrence is not working.”
Limnell says whatever concrete actions the U.S. takes -- if any -- will set an important precedent for the rest of the world, since all countries are struggling with similar considerations.
We Will See A Lot More Of This
All attention in this area is focused on China at the moment, but this week saw the publication of a report that linked attacks on U.S. government institutions to a hacking group tied to the Russian government; this is likely just the beginning of an escalation of these types of attacks.
The cost-effective nature of mounting cyberespionage campaigns as opposed to traditional espionage means that countries that would typically not have been involved in this area previously will now be able to take part. “I think we will be seeing more of this, not less of this,” Hypponen said. “It might very well be that we have only seen the beginning of these problems.”
Obama has said he created Cyber Command in 2010 when his administration believed that cyberspace would be “a new theater for potential conflict.” Five years later and cyberspace is arguably the most important front on which the U.S. is fighting, given the amount of critical national infrastructure which is controlled by computers and the wealth of data now stored digitally.
“The bulk of vulnerable information and data isn’t in our military, it is in the private sector, it is throughout our economy, it is on your smartphones,” Obama said on Sept. 11.
Speaking to the officers who are fighting back against China's cyberarmy, Obama said that if it comes to a fight in cyberspace, he guarantees the U.S. will come out on top, but believes setting out some ground rules to which all countries can agree detailing what is acceptable and what isn’t acceptable is the way to move this forward.
Stockton believes that a two-pronged approach to this issue is needed to effectively counter these attacks. "Punish with sanctions companies that are engaged in cyberespionage, hurt their bottom line, while also reaching out to government leaders who need to understand that the United States won't tolerate government-sanctioned cyberespionage."