WASHINGTON – If you work in Washington, you’ve probably been hacked. If you work at a major American company, you’ve probably been hacked. The penetration of U.S. computer networks by Chinese hackers has been going on for more than three decades. It’s good that it is finally getting attention. But with that spotlight have come exaggeration and myths that need to be discarded.
1. We are in a cyber cold war with China.
There have been none of the threats, denouncements or proxy conflicts that characterize a cold war. In fact, the Obama administration appears to be omitting any mention of the Chinese military in recent high-profile speeches on Chinese hacking. After Treasury Secretary Jack Lew met recently with top Chinese officials, he told reporters there that cyberattacks and cyberespionage are a very serious threat to our economic interests.
Cyberattack is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying is not an attack or grounds for war, even if military units are the spies.
Trying to cram Chinese hackers into antiquated Cold War formulas doesn’t help, either. America’s relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence.
2. China’s hackers are unstoppable cyberwarriors.
The problem isn’t that the Chinese are so skilled; it’s that U.S. companies are so inept. A survey I published last month found that more than 90 percent of corporate-network penetrations required only the most basic techniques and that 85 percent went undetected for months – another sign of lax security. (One more sign: They were usually discovered by an outsider rather than the victimized company.)
There is debate within the U.S. intelligence community about whether the Chinese have more sophisticated cyberattackers in the wings or whether we’ve seen the best they can do. But they haven’t had to bring their A game to break into our networks.
3. China is poised to launch crippling attacks on crucial U.S. infrastructure.
Obama’s State of the Union address included a line about how our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic-control systems. Similarly, a recent report by the security firm Mandiant suggested that China’s hackers are increasingly focused on companies with ties to critical U.S. infrastructure.
In peacetime, however, China is no more likely to launch a cyberattack on American infrastructure than it is to launch a missile at us. It has no interest in provoking a war it couldn’t win or in harming an economy it depends on. Even in wartime, China would want to avoid escalation and would be more apt to launch cyberattacks on the Pacific Command or other deployed U.S. forces than on domestic American targets.
China would attack civilian infrastructure only in extremis – if the survival of its regime were threatened.
4. Cyberespionage is causing the greatest transfer of wealth in history.
This claim has been repeated by the likes of the head of U.S. Cyber Command. It’s a dramatic way to describe the theft, mainly by China, of American intellectual property, but it doesn’t make economic sense.
Putting a dollar value on the loss from cyberespionage is very difficult, and many estimates are wild guesses. A reasonable assessment would be that it costs the United States no more than $100 billion a year and perhaps much less – what some economists would describe as a rounding error in our $15 trillion economy. This probably isn’t even slowing the U.S. economy.
Even when China steals intellectual property, it can take years to turn it into a competitive advantage. The right technical skills and manufacturing base are needed to turn advanced designs into high-end competitive products. China is still lagging in many high-tech arenas.
The one area where this is not true is military technology. Chinese espionage has led to rapid improvements in that country’s stealth, submarine quieting, nuclear weapons and sensor technologies. While the economic risk from cyberespionage is generally overstated, the United States has probably underestimated the damage to its lead in military technology.
5. America spies on China, too, so what can we complain about?
Chinese officials portray their country as a victim of hacking. Meanwhile, some American scholars question whether the United States is in a position to criticize, since it also engages in cyberespionage. Perhaps the complaint is that the Chinese are doing better against our government networks than we are against theirs, law professor Jack Goldsmith wrote. That misstates the issue.
The Internet has been a tremendous boon for spying. Every major power has taken advantage of this, but there are unwritten rules that govern espionage and China’s behavior is out of bounds. Where Beijing crosses the line is in economic espionage: stealing secrets from foreign companies to help its own. China also outmatches all other countries in the immense scale of its effort.
The United States, by contrast, does not engage in economic espionage. As one Chinese official put it in recent talks at the Center for Strategic and International Studies: In America, military espionage is heroic and economic espionage is a crime, but in China the line is not so clear.
The United States and other nations need to make that line clearer and discourage China from crossing it.