Is the Specter of a 'Cyber Cold War' Real?

By James McGregor
googlechina.jpgA cleaner sweeps the logo of Google China outside its company headquarters in Beijing, January 19, 2010. (Alfred Jin/Reuters)

"How do I screen when hiring Chinese employees?"

I was asked that question the other day by a senior executive at one of America's most prominent tech companies who is worried about Chinese employees stealing the company's trade secrets. The epidemic of cyber-burglary and trade secret theft coming out of China is leading many technology and industrial multinationals to not only ask this question but to discuss avoiding hiring Chinese scientists, engineers and executives for key positions -- or at least determine ways to isolate them from core company systems. Some companies are already doing both of those things.

I was immediately and sadly reminded of the late-1990s Chinese spy mania in the U.S. ignited by then House Speaker Newt Gingrich's attempt to connect a scandal involving Clinton campaign contributions with accusations that American companies with ties to Clinton were sharing sensitive U.S. space technology with China. In the end, as is usual with Newt's political nonsense, the smoke led to barely a flicker of fire.

But Chinese American scientist Wen Ho Lee at the Department of Energy's highly classified nuclear laboratory at Los Alamos, Mexico, ended up badly burned. And, for a while, so were the career prospects of Chinese immigrants with technology and science expertise studying and working in the U.S. After being charged with 59 criminal counts, shackled in leg irons, incarcerated in solitary confinement, and pilloried by press leaks, Lee pled guilty to one count that amounted to bringing classified materials home to work on. The judge who accepted Lee's plea said that his prosecution had "embarrassed our entire nation." During this time, I ran into more than a few Chinese scientists and technologists in China who had returned home because they saw their future in America limited.

***

A couple hours after the screening question, I received the CNN email alert about the death of Lu Lingzi, the 23-year-old Boston University student from Shenyang, China killed in the Boston marathon bombing. She was the same age as my daughter Sally, who was also born and raised in China and speaks Chinese. It is impossible for parents to fathom how a child's life and dreams can be destroyed by senseless criminal violence. As her classmate Zheng Minhui said at Lingzi's Boston University memorial service: "Her dream was very simple. She wanted a not necessarily rich life, but a peaceful life, with a stable job, a happy family, and a lovely dog."

Lingzi was one of the 200,000 mainland Chinese currently studying in the U.S. -- and nearly 1 million who came before her -- whose big dreams and bright futures depend on mutual understanding, clear communications and real trust between the U.S. and China as nations and as people. I chair the advisory board of a student group called Global China Connection with branches on some 60 U.S. campuses and a membership that mixes students from China with American and international students interested in China. The group's mission statement is clear: Global China Connection is a student-run organization dedicated to fostering deep and trusting personal relationships among Chinese and non-Chinese university students. I believe the future of the U.S.-China relationship depends on these young people to help us overcome the inevitable friction between a rising global power and a reigning global power. When I travel on business in the U.S., I stop by campuses and talk with these students. I have met many, many like Lu Lingzi over the years. Sincere, decent and diligent Chinese who love their homeland but have great curiosity about and affection for America -- and dreams and ambitions that involve both countries.

The fantastic Internet cyber world that has brought the globe together in so many ways is now endangering those dreams. The fallout for Chinese in the U.S., and those working for American multinationals in China, during the Wen Ho Lee fiasco was serious but short lived. The accusations were aimed at an individual who had resided in the U.S. for some 35 years at the time of his arrest. But today's accusations and a large body of detailed and credible evidence point at Chinese state-sponsored cyber hacking and trade secret theft involving a Who's Who of American multinationals.

Most Chinese officials and business people I meet are completely unaware of the scope of the problem.

Whenever American business talks about China with the U.S. government these days, this is topic number one. Most Chinese officials and business people I meet are completely unaware of the scope of the problem. The news and evidence is blocked by Internet censors. The Chinese government's response so far has been to deny and dissemble, calling the accusations of state-sponsored Chinese cyber-theft "groundless accusations" with "ulterior motives." After Secretary of State John Kerry and Treasury Secretary Jack Lew visited China in April and raised the cyber-hacking issue repeatedly, Qian Xiaoqing, deputy director of the state Internet Information Office told Reuters: "Lately people have been cooking up a theory of a Chinese internet threat, which is just an extension of the old 'China threat' and just as groundless." 

  ***

Here is a quick overview of what has become public.

Google closed down its self-censored mainland China search engine in March 2010 due to cyber-hacking of Google source code and attempts to steal the passwords of hundreds of Gmail accounts, including U.S. officials, journalists and Chinese activists. At the time,Google was one of some three dozen multinationals hacked from China . Except for Google, the other companies clammed up, lest they anger China and damage their China business. The problem continued to get worse, but few would talk about it publicly. The U.S. government didn't want to reveal what it knew and how it knew it. Companies built stronger defenses and kept quiet.

China cyber-hacking news hit the headlines this January when The New York Times and The Wall Street Journal revealed that they had been hacked from China. Bloomberg BusinessWeek, in mid-February cover story entitled "Yes, the Chinese Army is Spying on You," exposed a network of hackers, digging all the way down to a vacation photo of a People's Liberation Army professor from Zhengzhou who had exposed his real identity by launching a small telecom side business that allowed investigators to connect his real name with his cyber-identity. The magazine followed the trail of Joe Stewart, director of malware research at Dell SecureWorks, who said he tracks 24,000 Internet domains "that Chinese spies have rented or hacked for the purpose of espionage."

Days later, Mandiant, an American private cyber security company, issued an explosive report on Chinese hacking. The company said it had traced "one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen" to the neighborhood of a PLA building in Shanghai that houses an intelligence organization known as Unit 61398. The individual hackers tracked by Mandiant at 61398 included those such online monikers as "UglyGorilla" and "SuperHard."

If Congress continues down this road Americans may soon revert to manual typewriters and talking into tin cans with strings stretched between them.

Mandiant said the group was one of more than 20 Advanced Persistent Threat (APT) groups it had been tracking in China. Mandiant said that in a seven year period, the Shanghai group - which it dubbed APT1 -- had "systematically stolen hundreds of terabytes of data from at least 141 organizations" by periodically revisiting "the victim's network over several months or years" to "steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations' leadership." Mandiant added that the companies targeted by APT1 "match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan."

The "2013 Data Breach Investigations Report," issued in recent days by Verizon's RISK Team in conjunction with 18 others including the U.S. and other governments, for the first time separated hackers with financial motives from state-sponsored cyber-theft of intellectual property. Of the 120 occurrences of state-connected IP cyber-theft discussed in the report, 96     percent came from China. "We don't think there was a super spike in that kind of [cyber-espionage] activity," Wade Baker of the RISK team told the Washington Post. "It's more about our ability to find them."

The "Administration Strategy on Mitigating the Theft of U.S. Trade Secrets" published by the White House in February labels China a "persistent collector" and cites a long list of trade secret theft prosecutions involving Chinese employees of multinationals in the U.S. The cases include: Space shuttle secrets from Boeing; Trading platform source code from the CME Group; Light emitting diodes from DuPont; Hybrid technology from GM; Car designs from Ford; Food component information from Cargill; Military technology from L-3 Communications; and paint formulas from Valspar. "China's intelligence services, as well as private companies and other entities, frequently seek to exploit Chinese citizens or persons with family ties to China who can use their insider access to corporate networks to steal trade secrets using removable media devices or e-mail," the report states. "Of the seven cases that were adjudicated under the Economic Espionage Act -- both Title 18 USC § 1831 and § 1832 -- in Fiscal Year 2010, six involved a link to China."

***

Congress is searching for ways to respond. Mike Rogers, a Michigan Republican and chairman of the House Permanent Select Committee on Intelligence, is focused on making China pay a price. "Right now there is no incentive for the Chinese to stop doing this," Rogers told The New York Times in February. "If we don't create a high price, it's only going to keep accelerating."

Unfortunately, Congress failed to do an inventory of U.S.-China trade before setting its first price. Congress in March added sanctions to the continuing resolution that funds the federal government through September. The sanction provision bars NASA, Commerce, Justice and other federal departments from purchasing information technology systems "produced, manufactured or assembled" by entities "owned, directed, or subsidized by the People's Republic of China" unless the purchase is determined to be "in the national interest of the United States."

If Congress continues down this road Americans may soon revert to manual typewriters and talking into tin cans with strings stretched between them. Here is the state of U.S.-China trade today: China sells America laptops, servers, routers, phones and televisions. America sells China beans, bits, Boeings and garbage. It would do House leaders good to read their own November 2012 report: Patterns in U.S.-China Trade Since China's Accession to the World Trade Organization by the U.S.-China Economic and Security Review Commission, a body mandated and appointed by Congress.

10 years ago, Chinese exports to the United States were dominated by toys and games, footwear, textiles and apparel. Today, atop the list are all types of electronic exports, which increased to $145 billion in 2011 from $25 billion in 2000. Many of the components come from America. U.S. chips now account for about 90 percent of advanced technology products exported to China. Since 2008 soybeans have been the single largest export to China. The export of American scrap metals, waste paper and industrial leftovers to China has increased to $11.5 billion in 2011 from $740 million in 2000. "Yes, that's right," Clyde Prestowitz of the Economic Strategy Institute wrote in 2010. "We're swapping garbage for computers with China."

To complicate matters further, the electronics arriving in the U.S. are nearly all manufactured by foreign invested enterprises in China. In testimony to the Commission, economists estimated that some 60 percent of all Chinese exports to the U.S., and more than 90 percent of advanced technology product exports, come from foreign invested firms in China.

***

While Congress stumbles, others are exploring a wide array of alternatives.

The Heritage Foundation suggests that Chinese State Owned Enterprises (SOEs) that benefit from state cyber-burglary be charged with "trafficking in stolen goods" and have their offshore assets seized. Dan Blumenthal of the American Enterprise Institute suggests that Congresscreate a cyber-attack exception to the Foreign Sovereign Immunities Act as was done with terrorism. That Act prevents foreign states from facing civil suits in U.S. courts. The terrorism exemption allows such suits and the collection of damages if the country has been designated as a state sponsor of terrorism by the State Department. Then there is George Mason University law professor Jeremy Rabkin and scholar Ariel Rabkin's Hoover Institution study that proposes the U.S. "think about cyber conflict in more imaginative ways." One of them is creating a cyber-militia by reaching back 200 years when the U.S. and others signed "letters of marque" to "privateers" who were commissioned to attack pirates ships and allowed to keep a percentage of what they seized.

A more mundane approach comes from defense consultant and author James Farwell. He wrote in the National Interest in March that Chinese hacking should be taken to the WTO. While espionage is not against international law, he says, the theft or infringement of intellectual property is. Farwell suggests that the U.S. should initiate a case under the Trade Related Aspects of Intellectual Property Rights (TRIPS) agreement. "An internationally-recognized ruling, handed down in legal proceedings that found China guilty of intellectual-property theft or infringement, could render it liable for billions of dollars in compensation, expose it to multinational economic sanctions and cause it to be branded a 'pirate state'," Farwell wrote. "As a nation whose strategic thinking focuses on playing for psychological advantage, China would find that result uncomfortable." 

Real progress can only start with the separation of sleuthing and shoplifting. The U.S. and China should lead a global discussion of acceptable behaviors and protocols for cyber-spying and cyber-warfare. Those discussions could take years to become meaningful. But they at least open communications channels to avoid accidents, or a "Cyber Pearl Harbor" as Defense Secretary Leon Panetta put it as he headed into retirement. Even a cursory look at published studies makes it clear that both countries are cyber probing for ways to shut down each other's financial markets, electric grids, telecom networks and transport systems in the event of conflict. China certainly took note in March when U.S. National Security Agency and Cyber Command chief Gen. Keith Alexander told Congress that 13 of the new 40 CYBERCOM teams being assembled would focus on offensive operations.

Even a cursory look at published studies makes it clear that both countries are cyber probing for ways to shut down each other's financial markets, electric grids, telecom networks and transport systems in the event of conflict.

The Obama administration's approach so far is to enlist allies and engage China in quiet talks about cyber-security, much like was done with some success when China was publicly denying mounting evidence of its nuclear proliferation. In the end, China realized that such proliferation was against its own interests. A cyber security working group between the U.S. and China is now being organized as a result of the recent visits to Beijing by Secs. Kerry and Lew and others. Public statements from Chinese officials appear to accommodate this. "Cyberspace needs rules and cooperation, not wars," Foreign Ministry spokesman Hua Chunying said in mid-March. "China is willing, on the basis of the principles of mutual respect and mutual trust, to have constructive dialogue and cooperation on this issue with the international community including the United States to maintain the security, openness, and peace of the Internet."

Even the Global Times, the Doberman of the Party propaganda press, suggested a good idea in a February editorial claiming the "insane U.S. accusations" reflected American intentions of "cyber hegemony." The Global Times said that "China should confront the U.S. directly. China should gather, testify, and publish evidence of the U.S.' Internet intrusions."

That would be helpful as both countries could know who is doing what to whom. Many facts as the U.S. sees them are already on the table. If China has evidence showing that the U.S. government is stealing trade secrets from Chinese companies -- or the companies of any country for that matter -- that should be exposed and stopped. After all, the White House's own February report on mitigating cyber hacking mentions a press report citing France's Central Directorate for Domestic Intelligence calling China and the United States the leading hackers of French businesses.

As talks begin, both the U.S. and China need to step back and assess where this could be heading. Do the leaders of either nation really think a Cyber Cold War would benefit anybody? The longer this cyber-mess festers, the more distrust builds up, the more American companies question the trustworthiness of Chinese employees, the more China questions market access for American firms.

The victims I most worry about are our children, growing up in the age of globalization but in danger of being divided by distrust. Lu Lingzi's father, Lu Jun, gave an eloquent and inspired eulogy to his precious daughter in front of 1,200 mourners at her Boston University memorial this week. He cited a Chinese proverb: "Every child is actually a little Buddha that helps their parents mature and grow up."

The leaders of the U.S. and China may consider listening to Mr. Lu and manage this issue like mature grown ups who care about the world their kids will inherit.

This article available online at:

http://www.theatlantic.com/china/archive/2013/04/is-the-specter-of-a-cyber-cold-war-real/275352/