Yes, The United States Is Guilty of Hacking Too

But China's accusations that the U.S. is the real "hacking empire" ultimately misses the point.


People walk past "Unit 61398", a secretive Chinese military unit, in the outskirts of Shanghai, February 19, 2013. (Carlos Barria/Reuters)

The cyber war between China and the U.S. has spread from computers into the halls of diplomacy. In a report this week, the Pentagon said for the first time that the Chinese government and military have been launching cyber attacks against the U.S. Today, Chinese state media called the U.S "the real hacking empire" and said the country has "an extensive espionage network."

There's a nugget of truth in China's rebuttal. The U.S. has some of the most powerful cyber warfare resources in the world and has long been one of the leading sources of cyber attacks on companies and people. According to cyber security firm McAfee, the U.S. is home to the largest number of botnets in the world, the control servers used to hack computers in the U.S. and elsewhere. Data from Deutsche Telekom shows that far more attacks against its networks come from Russia and the US than China. And according to HostExploit, which tracks malware activity, the U.S. and Russia, not China, have the world's most malicious servers.

These long-awaited reforms are needed to solve a litany of structural problems in the Chinese economy. The current model, reliant on state-led investment and strict controls, has enabled the country's explosive economic growth, but has created a host of unintended side effects that will need to be addressed if China wants truly to transition to a consumer-driven economy and create a vibrant middle class.

In some ways, Beijing is right to argue that China is also a victim, wrote Jason Healy, director of Cyber Statecraft at the Atlantic Council, last month. Between September 2012 and March of this year, 85 Chinese government and company websites were hacked, with 39 of the attacks originating in the U.S., according to Chinese state media. Chinese authorities also said that U.S.-based servers had hosted 73 percent of phishing attacks on Chinese residents during roughly the same period.

Yet, as Healy notes, there's a big difference between state-backed cyber operations -- used to gather intelligence or disrupt infrastructure -- and the attacks cited by Chinese authorities. These U.S.-originated cyber attacks on China are primarily criminal operations carried out by individuals. They typically take advantage of the U.S.'s insecure servers to launch spam, fraud and other petty attacks.

Comparing the state-sponsored cyber operations of China and the U.S. is even more difficult. U.S. military cyber operations are "quiet, coordinated, exceptionally well targeted and under the strict control of senior officers and government executives," Healy writes, citing Stuxnet as an example. By contrast, China's cyber espionage is subject to little oversight or coordination. (One military hacker kept this unflattering blog about his experience).

Efforts by the two countries to address cyber attacks also differ. The U.S. is drafting rules of engagement for "offensive" cyber warfare, whereas China has done little to address concerns directly. After security firm Mandiant accused China of hosting a secret military unit in Shanghai to attack U.S. companies, officials brushed off the allegations as impossible to prove.

China says the U.S. is attempting to "turn black into white and mislead international public opinion." Meanwhile, U.S. lawmakers are calling for ways to punish countries for cyber espionage. What's really needed is clearer international guidelines, especially now that more states are joining the global cyber wars.