U.S. Official on Cyber Attacks: "It's Getting Harder for China's Leaders to Claim Ignorance"

USCC Releases Report on Chinese Capabilities for Cyber Operations and Cyber Espionage

“It's getting harder and harder for China's leaders to claim ignorance and innocence as to the massive electronic reconnaissance and cyber intrusions activities directed by Chinese interests at the U.S. government and our private sector.” Those were the words of Michael Wessel, Commissioner of the U.S.-China Economic and Security Review Commission in a report prepared by Northrop Grumman for the Commission and released today.

The report, entitled “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage”, details how China is advancing its cyber attack and exploitation capabilities, and examines the potential risks associated with such cyber-capabilities to U.S. national security and economic interests.

“The United States suffers from continual cyber operations sanctioned or tolerated by the Chinese government," said Commission Chairman Dennis Shea. "Our nation's national and economic security are threatened, and as the Chinese government funds research to improve its advanced cyber capabilities these threats will continue to grow.”

The lengthy 136-page report suggests that Chinese capabilities in computer network operations have advanced far enough to pose "genuine risk to U.S. military operations" in the event of a conflict. Furthermore, the report states, “The People’s Liberation Army (PLA) leaders have embraced the idea that successful warfighting is based on the ability to exert control over an adversary’s information and information systems.”

Concerningly, in the United States there is currently no policy in place to easily determine appropriate response options to a large-scale attack on U.S. military or civilian networks when definitive attribution is lacking.

But having such capabilities doesn’t mean the United States is in danger of any unprovoked cyber attack by China anytime soon.

In an RSA Conference panel last week in San Francisco, experts said that countries with the most capability don’t necessarily have the most interest in launching massive cyber attacks against the United States.

“There are nation-states that absolutely have the capability, but they don’t have the intent – mostly because it wouldn’t be in their own interest, and the spillover effects would be very damaging to the world economy and a lot of other things,” said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense, during the discussion. “The other reason is, that type of attack, contrary maybe to what the conventional wisdom is, I think would be very difficult to disguise.”

But espionage is a different matter.

Fingers have been pointed at China for a number of incidents related to cyber-espionage, most notably in attacks against Lockheed-Martin and RSA in 2011. While many experts agree that China is certainly the “go-to” culprit for a number of recent attacks and breaches on U.S. interests, it’s easy for any country to hide behind an IP address or server in China and let the blame fall accordingly.

The report identifies specific doctrinal intent as well as financial support for government-sponsored cyber espionage capabilities. “There's clear and present danger that is increasing every day,” Wessel said.

Today's report is a follow-up to a 2009 report also prepared by Northrop Grumman for the Commission on the “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.”

U.S. Critical Infrastructure and Supply Chains Vulnerable

“Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.

“Potential effects include providing an adversary with capabilities to gain covert access and monitoring of sensitive systems, to degrade a system’s mission effectiveness, or to insert false information or instructions that could cause premature failure or complete remote control or destruction of the targeted system.”

Moreover, the report suggests that the close relationship between China’s military and Chinese telecom firms has created an avenue for state-sponsored or directed penetrations of U.S. supply chains for electronics supporting military, government, and civilian industry. Such capabilities give “the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” according to the report.

Earlier this week, “The Open Group,” a consortium of supply chain experts, published a preview of standards meant to improve the security of the global supply chain for commercial software and hardware products. "With the increasing threats posed by cyberattacks worldwide, technology buyers at large enterprises and government agencies across the globe need assurance the products they source come from trusted technology suppliers and providers who have met set criteria for securing their supply chains," said David Lounsbury, chief technology officer of The Open Group, in a statement.

"The modern supply chain depends upon a complex and interrelated network involving the movement of goods, services, funds, and information across a wide range of global participants, making it vulnerable to increasingly sophisticated cyberattacks and an ever increasing range of breaches and disruptions," said Andras Szakal, vice president and chief technology officer, IBM U.S. Federal. "Standards like O-TTPS are critical in helping to ensure the integrity and security of data, and giving customers peace of mind."

The U.S. Department of Defense has shown awareness of these supply-chain risks, and has initiated a Supply Chain Risk Management (SCRM) policy and strategy to address the vulnerabilities. A pilot program is under way, with the objective of live application by FY 2016, to implement “a SCRM capability that integrates program protection planning, enterprise architecture, counterintelligence, information assurance, systems engineering, procurement, enhanced test and evaluation, and other measures to mitigate supply chain risk,” a U.S. Department of Defense report (DTM 09-016) from March 2010 notes.

“This report is timely as the United States Congress is currently considering cybersecurity legislation, and the Commission hopes that this work will be useful to the Congress as it deliberates on how to best protect our networks," Shea opined.

The U.S.-China Economic and Security Review Commission was created by Congress in 2000 to report on the national security implications of the bilateral trade and economic relationship between the United States and China.
