Experts wary of Pentagon cybersecurity report fingering China

A recent Pentagon report blaming the Chinese military for cyberattacks on U.S. government computers and defense contractors marks an escalation in rhetoric, but offers no surprises, experts say.

The report, released Monday, marked the first time the Obama administration had directly accused the Chinese government and the People's Liberation Army of using cyberweapons to steal intellectual property and gain a military and economic advantage.

The Pentagon said the Chinese government views electronic warfare as a way to counter U.S. military superiority by making it possible to cut the flow of information during a time of crisis.

While the report upped the ante in U.S. efforts to curtail Chinese cyberattacks, its findings did not shock experts, who already assumed a lot of what the Pentagon disclosed.

"This isn't earthshaking, as I have thought this has been the case since 2003," said Murray Jennex, an associate professor at San Diego State University and an expert in information systems security. "However, it does signify that mainstream decision makers in the U.S. government are willing to publicly state it is so."

Because of the difficulty in tracing the origin of cyberattacks, China's involvement has always been suspected, but not proven, Jennex says. The report indicates that the U.S. government now has the evidence.

The question is whether the report indicates the government is willing to launch its own cyberoperations against China. "I think it does and I wonder how that will translate into other actions, such as trade restrictions," Jennex says.

The advantage of having high-level administration officials discuss the problem publicly is it builds awareness among private industry, said Ron Gula, chief executive of network security company Tenable and a former penetration tester in the National Security Agency. Many companies do not direct enough resources toward security, unless to meet regulatory requirements.

"You would expect security to be the number one thing for people, but it's not," Gula said.

The Chinese government has denied any involvement in cyberattacks against the U.S. government or private industry. In a briefing following the release of the report, a spokeswoman for China's Foreign Ministry said the Pentagon offered nothing but "groundless accusations" and "hype," Reuters reported.

China is not alone in building cyberweapons or conducting electronic spying. The U.S. spends billions of dollars each year on cyberdefense and on developing cyberweaponry. Gen. Keith Alexander, director of the NSA and commander of the military's Cyber Command, has told Congress that he is developing a dozen offensive cyberunits to launch attacks against foreign computer networks, if needed, according to The Times.

Whether built by China or the U.S., there's no guarantee cyberweapons will be effective, given the newness of the technology and the complexity of getting it into the right computer systems and having it perform correctly without being discovered, Gula said.

"With cyberweapons, until you know what they are, until they come out and say what they are, it's science fiction," he said. "It's not like we have 50 years of cyberweapon terminology and practices and things like that."

Despite U.S. protests, cyberespionage on the part of China and many other countries is unlikely to stop and does not violate international laws. Where China crosses the line is in sharing that intelligence with private industries, in order to give them a competitive advantage.

"It creates unfair market competition when governments conduct espionage and provide that information to private companies," said Jacob Olcott, a principal at cybersecurity consultancy Good Harbor and a former counsel for Sen. John D. Rockefeller, D-W.Va. "That's a distinction that's important and worth making."

He also believes the U.S. spends too much on cyberweapons and not enough on cyberdefense. "The spending is way out of line and it's certainly valid for other countries to look at what we're doing and want to escalate their own practices too," Olcott said.

In February, President Barack Obama took a step toward bolstering the nation's cyberdefenses by issuing an executive order that established a framework for sharing information between government and private industries. A proposal that would make sharing of cyberattack data mandatory passed the House last month and is currently in the Senate.
