Exploring cybersecurity from China鈥檚 perspective
Excerpts from a talk with Adam Segal, Sharon Hom, Michael Sulmeyer, and Lobsang Gyatso Sither.
Ann Hermes/海角大神
Hardly a week passes without some headline accusing unnamed Chinese hackers of digital misdeeds. They鈥檝e breached a bank, broken into a retailer, stolen data from a health insurer, or infiltrated American government networks. Most famously, Obama administration officials called out China as the No. 1 suspect in the massive Office of Personnel Management breach last year.
But even though US officials point the finger at China for aggressively hacking of American computer networks 鈥 either for commercial gain or in service of national spying 鈥 there鈥檚 often little discussion about what鈥檚 driving their actions. Of course, all countries spy and all countries use the Internet to do it. But many experts say China is in a league of its own when it comes to digital espionage for commercial gain or hacking into the networks of critics, activists, or civil society organizations working toward reform.
鈥淲hy they are constantly hacking into companies, institutions, the military, quite honestly, is because they can. There has been almost no cost to them,鈥 said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations and author of
Passcode convened a Feb. 4 panel discussion that explored China鈥檚 motivations in cyberspace 鈥揳nd how its actions are affecting governments, companies, and civil society 鈥 聽that included Segal, Sharon Hom, executive director of , , director of the cybersecurity project at the Harvard Kennedy School鈥檚 Belfer Center, and Lobsang Gyatso Sither, digital security programs manager at the . Excerpts follow.
All photos are by Ann Hermes, staff photographer of 海角大神.
Why is China hacking the world?
Beyond the fact that it can, and there have been few ramifications, economics drives much of China鈥檚 digital espionage. While many people may think of China as a 鈥渕assive economic success story鈥 that has 鈥渞aised hundreds of millions of people out of poverty,鈥 said Segal, Beijing worries about being left in the next stage of global development as the world moves away from manufacturing and toward the knowledge economy.
China is also impatient, says Mr. Segal. It wants to accelerate its own engine of technological development and it鈥檚 doing that by hacking corporations and stealing intellectual property, he says. 鈥淭he Chinese don鈥檛 want to be the factory to the world any longer,鈥 said Segal, who recently wrote a cover story for 海角大神 explaining why China hacks the world. 鈥淭he Chinese are really worried that in the next stage of development, they are going to get caught in a technology trap....聽聽They want to move up the chain much more quickly, so we see them hacking to steal intellectual property.鈥
Everyone spies
It鈥檚 the nature of geopolitics in the Digital Age. As National Security Agency leaker Edward Snowden has shown, the NSA is certainly willing to hack phones, networks, and anything else to eavesdrop on friends and enemies alike.
鈥淭he difference that the US has been trying to establish for the past five years was that there鈥檚 good hacking, and there鈥檚 bad hacking,鈥 said Segal. 鈥淥f course, the good hacking is the hacking the United States does. The good hacking is hacking focused on political and military espionage. Bad hacking is breaking into a company, stealing their intellectual property to help a Chinese company. The US doesn鈥檛 do that.鈥
Control the narrative
Both Segal and Sharon Hom said China is also exerting power in cyberspace to control freedom of expression, tamp down on criticism, and attempt to intimidate anyone 鈥 activists, artists, students, and journalists 鈥 who criticize the Communist Party. 鈥淐hina wants to control the narrative about itself but also the narrative about the world,鈥 said Ms. Hom. 鈥淭he party wants to manage expression online.鈥
While China鈥檚 hacking has become a national security issue in the US as a result of political and industrial espionage 鈥 the recent deal between Washington and Beijing is meant to curtail cyber-enabled commercial spying 鈥 Hom says the rights community has long felt the full force of China鈥檚 relentless digital assaults.
鈥淲hen we think about cybersecurity, it is a transnational issue. It鈥檚 an issue that has always been obvious to the human rights community, that it affected all of us. But it鈥檚 become more obvious to the private sector when governments are attacked, when companies are attacked, they realize that they鈥檙e actually in the same boat with human rights groups and Tibetan activists. We鈥檝e always been targeted by attacks.鈥
In fact, the Tibetan activist community endures so many digital assaults that it鈥檚 often characterized as being 鈥淚f you鈥檙e an activist or someone who works for Tibet you will receive a social-engineered e-mail every week. And if you don鈥檛 receive an e-mail like that, you probably think you aren鈥檛 doing enough,鈥 said Lobsang Gyatso Sither, digital security programs manager at the .
鈥淓veryone is targeted, and it鈥檚 not just the people in the movement,鈥 he said. State-backed hackers target the friends, relatives, and colleagues of people who are working on rights鈥 campaigns, he said. 鈥淭hat creates a sense of fear, and that鈥檚 how they want to make people afraid of the repercussions.鈥
These kinds of hacks have life and death consequences, said Mr. Sither. And because of that, the international community, governments, and businesses should do more to stand up against China鈥檚 persistent digital assaults on human rights groups. 鈥淲e need to make that at the forefront because human lives are at stake, it鈥檚 not just about money.鈥
Toward normalcy in cyberspace
One mechanism that many experts argue could convince China, and many other nations for that matter, to rein in hackers is the establishment of international norms of behavior 鈥 diplospeak for rules meant to guide how nations should act in cyberspace.
鈥淲e aren鈥檛 going to stop them from trying to break into the Pentagon. That鈥檚 just not going to happen,鈥 said Segal. But, he said, norms could help to prevent cyber from moving to the kinetic, meaning digital assaults that trigger some physical damage or attack. 鈥淩ight now there are no rules about what behavior is acceptable in cyberspace.鈥
But Hom pointed out that there's significant momentum at the United Nations and other international organizations to forge norms of behavior, that would also apply to how countries should treat civil society and online speech.
鈥榃e鈥檝e always been targeted by attacks.鈥 - Sharon Hom
鈥淭he debates primarily on norms in the cyberspace realm have been about economic espionage and about military espionage and about national security interests,鈥 said Hom. But rights groups and civil society need to be a major part of the discussion, too, she said. 鈥淎t least there鈥檚 a discussion and a trend and development that brings human rights into the discussion where it belongs.鈥
But until then, Hom asked what kind of digital response could the West exact on China that would send a clear message that its actions in cyberspace won鈥檛 be tolerated. What would a serious, proportionate look like, she asked. Could the US or hacktivists poke holes in the Great Firewall, for instance, disrupting China鈥檚 system for massive Internet censorship. That would send a clear message, said Hom. 鈥淲hat if there was some serious proportionate appropriate response.鈥
Segal pointed out that, according to , someone in the government is already thinking about about breaching China鈥檚 digital cloak. 鈥淚f we want to go after something that the Chinese leadership would understand 鈥 and be afraid of 鈥 then one of the things we might do is target the great firewall.鈥
Improving defences
Figuring out how to improve security in the digital world, and dissuading nation-state or criminal groups from attacking either for political or financial gain, is incredibly frustrating, said Michael Sulmeyer of Harvard鈥檚 Belfer Center. 鈥淭he reason why this is frustrating 鈥 thinking about what to do about Chinese activity in cyberspace 鈥 is because it鈥檚 frustrating to figure out what to do about about China鈥檚 activity across the board. It is not just a cyber problem that the US has with China.鈥
But until there鈥檚 any kind of truce or calming to the hostilities that all nations, companies, and organizations face online, the key is to bolster cyberdefences, said Mr. Sulmeyer, formerly the director for plans and operations for cyber policy in the Office of the Secretary of Defense.
鈥淭he state of defences is really bad,鈥 he said. 鈥淚 fear we are still largely in a situation where the state of defenses is so bad that it鈥檚 just too easy for adversaries.鈥 While international talks and agreements are worthwhile pursuits, said Sulmeyer, shoring up defense goes a long way to deterring attackers. 鈥淚f the statistics are true that over 70 percent of hacks are perpetrated over known vulnerabilities,鈥 he said, 鈥淚 don鈥檛 know how you have a conversation about what to do about it without talking about defense.鈥