China and U.S. grapple over red lines for cyberattacks

SHANGHAI -- Tucked away on a commercial street in the Pudong district of China's most populous city is a plain beige building with a dark history.

There, a hacker using the alias "UglyGorilla" is said to have broken into U.S. computer systems, spying on energy networks and bagging corporate secrets in recent years.

The Chinese national accused of being behind the keyboard -- People's Liberation Army officer Wang Dong -- was indicted by a Pennsylvania grand jury in May on claims that he stole nuclear plant designs along with reams of other sensitive data.

The Federal Bureau of Investigation splashed photos of Wang and four other alleged accomplices across Wild West-style "Wanted" posters, straining the already fraught security ties between the United States and China (EnergyWire, May 20).

China's foreign ministry has denied involvement in cyberattacks on U.S. companies and critical infrastructure. But President Obama said earlier this month that it is "indisputable" that Beijing engages in cybertheft, just a few weeks after Navy Adm. Michael Rogers, director of the National Security Agency, said China and "probably one or two other" nations had the capability to shut down parts of the U.S. power grid with a cyberweapon (EnergyWire, Nov. 21).

Security experts, academics and business leaders in both countries doubt the United States or China would let attacks on the other's computer networks escalate into anything approaching war. There's an assumption on either side of the Pacific that shared economic interests run too deep for a cyberconflict to spin out of control.

"These countries will each have their own defenses, [but] we know where the bottom lines lie -- we know things we would never try or never do," said Guo Guangchang, chairman of the Chinese investment giant Fosun International, in Shanghai last month. "We need to discuss these problems more and more. Chinese [people] are not monsters. They are not trying to launch a new world war."

But recent events -- including a brazen cyberattack on Sony Pictures last month that may have been routed through China -- have stoked confusion about what, precisely, launching a new war would even look like in cyberspace.

Top officials in the United States and China have voiced their hopes of finding a peaceful resolution to thorny differences over cybersecurity. But that would entail setting and respecting clear "red lines" in cyberspace, a deal that seems unlikely, given the icy state of U.S.-China Internet relations.

Beijing withdrew from a high-level cyber working group earlier this year in response to the hacking indictments brought by the Justice Department. In 2013, former NSA contractor Edward Snowden leaked documents showing the United States had penetrated key computer networks in China, scuttling hopes that President Obama and President Xi Jinping could reach an agreement over cybersecurity during Xi's visit to the Sunnylands retreat in Rancho Mirage, Calif., that summer.

A senior administration official, who agreed to speak on U.S.-China cybersecurity relations on the condition of anonymity, said there were some "pretty serious" differences between the two countries, particularly in the realm of intellectual property theft. The U.S. government has claimed that, unlike China, it does not steal trade secrets to feed to domestic companies for a competitive advantage.

"Unless we actually figure out a way to have some better, more open dialogue on that, those issues could really begin to cause problems in the bilateral relationship," the U.S. official said, declining to speculate on what specific problems could emerge.

"It's not something that we want. We want to figure out a way to be able to avoid those," the official added. "But it will cause problems unless they're addressed."

China's tangled cybersecurity strategy

In February 2013, cybersecurity firm Mandiant made a bombshell announcement: It had traced thousands of advanced persistent threat (APT) intrusions into U.S. networks to a Chinese military building in Shanghai, allegedly carried out under the aegis of Unit 61398 of the People's Liberation Army. This, according to Mandiant, was UglyGorilla's workplace.

"It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively," wrote Dan McWhorter, Mandiant's managing director of threat intelligence, at the time.

Mandiant's report cleared the way for U.S. authorities to bring charges this year against some Chinese military officers tied to Unit 61398, over Beijing's objections.

But experts point out that there is much more to China's cyber policy -- and much more to its potential for attacking infrastructure -- than the PLA.

Amy Chang, a technology and security research associate at the Center for a New American Security, pointed out in a recent report that China's cybersecurity strategy is tangled up in a web of military, civilian and industrial groups that sometimes find themselves competing for the Chinese Communist Party's attention and resources. These include China's many state-owned enterprises, the domestic Ministry of State Security, and the various military academies and research institutes affiliated with the government.

She argued that China's top priority in cyberspace is to preserve Communist Party rule. That means U.S. goals of getting China to stop censoring websites like Google and Facebook are less likely to gain traction in Beijing than military-to-military agreements over which cyberattacks on information or industrial systems would demand a counterstrike.

"If you're threatening the regime stability of the Chinese Communist Party by promoting an open Internet, obviously China's not going to accept that," Chang said.

While the Obama administration may have an easier time hashing out acceptable military behavior in cyberspace, Chang warned U.S. leaders not to show their cards too quickly.

She pointed to Defense Secretary Chuck Hagel's trip to Beijing this April. Just before the official visit, Chang said, the United States briefed the Chinese military on key parts of the Defense Department's cyber protocol, such as command and control procedures, "expecting they would reciprocate -- which they did not."

"We need to be smarter and more tactful in how we try to elicit info from China," she said. "We shouldn't compromise on asking them to be more transparent about their military."

The view from Pyongyang

China's cybersecurity strategy is directed from the highest levels of the Communist Party, according to reports, but that doesn't make the malicious traffic flowing out of the country any simpler to attribute.

Experts say the widespread use of pirated software and unpatched computer equipment has left holes in domestic cybersecurity there, making it easy for outside hackers to compromise Chinese machines and route their attacks through them as a disguise.

A recent security briefing from technology giant Hewlett-Packard Co. concluded that North Korea has cyberattack units "that conduct operations from within China" (EnergyWire, Sept. 8).

"Many [North Korean] regime-sponsored attacks are launched from cells based in China, U.S., South Asia, Europe, and even South Korea," HP said.

The cyberthreat posed by North Korea has garnered international attention this month following the methodical destruction and cybertheft of thousands of internal emails, documents and unreleased films at Sony Pictures. The FBI attributed the cyberattack to North Korea on Friday, saying it "reaffirms that cyber threats pose one of the gravest national security dangers to the United States."

North Korean dictator Kim Jong Un's regime praised the Sony attack but has denied responsibility.

Confusion and fear in the wake of the Sony hack have raised questions about whether and when such attacks demand a response from U.S. Cyber Command or other government agencies.

The FBI said it would help "identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests," but U.S. officials have not specified how they might respond.

President Obama said in a press conference Friday that the United States would "respond proportionally" to the attack, but the U.S. administration has not yet specified what that response would look like in practice.

While experts have raised doubts about the extent of North Korea's offensive capabilities in cyberspace, the country's aggression and unpredictability highlight how uncertain the United States remains about when and how to respond.

After Sony's hackers threatened theaters planning to show "The Interview" -- a film depicting the assassination of North Korean leader Kim -- the studio canceled the movie's Dec. 25 release.

Sen. John McCain (R-Ariz.) said in a statement that the decision to pull the film last week was "profoundly troubling."

"By effectively yielding to aggressive acts of cyber-terrorism by North Korea, that decision sets a troubling precedent that will only empower and embolden bad actors to use cyber as an offensive weapon even more aggressively in the future," he said.

Loose norms

The cyberattack on Sony is expected to cost the studio tens of millions of dollars.

But it did not result in any loss of life, nor did it damage U.S. infrastructure such as manufacturing, oil pipelines and power plants.

Those critical areas are regularly targeted by hackers, yet determining how to respond to intrusions into such sensitive networks is hardly a perfect science.

Robert Lee, who researches critical infrastructure cybersecurity at King's College London, said computer-based attacks on industrial control system networks have blurred the lines between military action and cyber espionage.

"We are in a place right now where we're all accepting very loose international norms -- for example, bringing down a nuclear facility in China would run afoul of international norms, and therefore they wouldn't do it with [the United States]," he said. "But the problem with norms is that they go out the window at the first sign of conflict."

But Lee also said the prospect of a real war with China is such a "doomsday-type scenario that we shouldn't be focused on it."

"China, Russia and the U.S. might posture to take down infrastructure [with cyberattacks], but I believe that they would not take down critical infrastructure without military, physical conflict," he said.

Still, he noted that organizations such as the North American Electric Reliability Corp. -- which oversees cybersecurity standards for the U.S. grid -- should not be satisfied with the steps taken so far to secure such networks.

That's because vulnerabilities in the power grid leave open the chance that North Korea, Iran or even less-predictable terrorist groups could develop the resources and expertise to damage an electric utility or disable other critical infrastructure.

A hacker could also route a dangerous cyber weapon through an intermediary such as China, hoping the attack gets misattributed by U.S. officials. That could set off a damaging cyber escalation.

'All natural'

Two weeks ago, the cybersecurity firm Cylance Inc. warned that "Iran is the new China" in a report that chronicled allegedly Iranian hackers' attempts to crack U.S. energy systems (EnergyWire, Dec. 4).

Eric Cornelius, director of critical infrastructure and industrial control systems at Cylance and a former Department of Homeland Security official, told EnergyWire that the attackers possessed "the sophistication to cause physical damage if they were so inclined."

Despite such threats and vulnerabilities, no U.S. electric utility, refiner or pipeline company has ever publicly reported a damaging cyberattack. Deterrence may play a role -- China, the United States, Russia and even Iran often rely on the same industrial technologies. A major flaw in the control software for a GE or Siemens wind turbine, for example, might not be such a tempting target if exploiting it also jeopardized systems in the attacking country. China is taking cyberthreats to its own critical infrastructure seriously -- earlier this month, the government unveiled a new national engineering lab devoted to researching information security for industrial control systems, according to Chinese media reports.

Few experts believe China would launch a destructive cyberattack without a major provocation. But cyberespionage -- even if it involves prying into critical networks or stealing intellectual property -- is widely seen as fair game.

Professor Shen Dingli, who researches China-U.S. security relations as associate dean of international studies at Fudan University in Shanghai, said it is "all natural" that China would engage in cyberespionage, and that he "assume[s] America is doing the same; it's probably doing more."

He criticized the U.S. Justice Department's decision to indict Chinese military officers, suggesting it would do nothing to change the geopolitical and economic calculus driving both countries' spies to their computer keyboards.

At first glance, the indictments seemed "right," he said, "because someone stole your stuff -- why not do it?"

But "should China announce we are indicting the director of the NSA or his main staff? It's ridiculous," he added.

IP theft

While Chinese and U.S. government officials have pointed fingers at each other, few major energy firms have publicly called out China for sponsoring computer hacking or industrial sabotage.

"In terms of reporting IP theft, I think it's very difficult if you want to stay in [China]," said Chang of CNAS.

She added that companies must conduct a "cost-benefit calculation" before bringing evidence against Chinese state-owned enterprises, such as the case brought by Massachusetts-based clean energy firm American Superconductor Corp. (AMSC).

In 2011, a former AMSC employee was jailed in Austria after pleading guilty to turning over proprietary turbine control software source code to Sinovel, China's largest wind turbine manufacturer. AMSC went on to seek more than $1 billion in damages through the Chinese judicial system, a rare step for a foreign company doing business with Beijing.

"China has very strong control over who comes in and is able to play in the Chinese market, and over the past few years you've seen a lot of instances where, if the company is not behaving the way China wants it to behave, they'll launch an anti-monopoly suit, or scrutiny in various other forms," Chang said.

Lester Ross, partner in charge at the Beijing office for law firm WilmerHale, said there is "an element of hypersensitivity" to China's interactions with foreign companies, particularly due to its desire to control information flowing into and out of the country.

"China regards itself as being besieged by foreign espionage from the United States -- it also regards itself as being constrained geopolitically by the U.S.," he said.

Beijing's concern about its cyber weaknesses "extends beyond what other jurisdictions might regard as areas of vulnerability," he noted.

He pointed to an unpublished list of about 60 industries deemed "national security-oriented" that he said had posed surprises for his firm's clients in the past, including a medical services company that spent several weeks convincing Chinese authorities that a simple diagnostic tool the firm wanted to sell "had nothing whatsoever to do with national security."

Collateral damage?

For its part, the U.S. government hasn't always made the leap across the Pacific easy on Chinese companies.

Cybersecurity concerns led the U.S. government to oppose purchases of telecommunications equipment from Chinese firms Huawei Technologies and ZTE.

A 2012 report by the U.S. House Permanent Select Committee on Intelligence concluded that in those two companies' cases, "the task of finding and eliminating every significant vulnerability from a complex product is monumental."

"If we also consider flaws intentionally inserted by a determined and clever insider, the task becomes virtually impossible," the report said.

A year before, the U.S.-China Economic and Security Review Commission similarly found that Huawei's gravitation toward network security could have the side effect of "an increased risk for compromised network security products to be implemented unnoticed in sensitive infrastructures."

William Plummer, Huawei's vice president of external affairs, said the company had fallen victim to outmoded ideas about the threat from China and attempts by the U.S. government to preserve domestic market share for U.S.-based companies.

"There's not a company in this industry that is more or less vulnerable than any other based on their geography of headquarters -- period, end of story," he said, dismissing claims that Huawei's home base, Shenzhen, made its equipment susceptible to cyber flaws or back doors.

"Putting up the walls in what is a borderless world may be to some a short-term benefit, but in the long term, you fragment this industry," he added.

In 2003, Huawei was the target of a lawsuit -- dropped a year later -- brought by competitor Cisco Systems Inc. over allegations of "systematic copying" of Cisco's routers.

Plummer noted that now Huawei is a major holder of intellectual property in the telecommunications industry, and sought to dispel the perception that business in China is "all about theft and corruption."

"While network and data integrity is a critical priority for us, it is all the more so because of the spotlight that we've come under," Plummer said.

New standards

The U.S. administration official expressed cautious optimism that the United States and China could come together over issues like IP theft.

"The U.S.-China relationship is an incredibly broad one -- it's deep, and it's complex, and there are going to be issues that we're not likely to see eye to eye on easily or very quickly," the official said. "But that doesn't mean we can't figure out ways to talk about them."

The official cited law enforcement cooperation and information sharing between the two countries' computer emergency response teams (CERTs) as possible areas of near-term cooperation.

"Certainly the Department of Defense is interested in having a greater dialogue on military doctrine and policy with respect to cyberspace, although that has been going slower than we would like," the official said.

Allan Friedman, a research scientist at George Washington University's Cyber Security Policy and Research Institute and co-author of "Cybersecurity and Cyberwar: What Everyone Needs to Know," suggested that the long run will see a "normalization" settle between the two countries.

"Eventually, there will be a point where China realizes that its domestic innovation process is being hurt by rampant espionage practice," he said. "That will lead to a domestic cultural norm against this, which I think can extend to an international approach."

In the meantime, he said, the United States should not expect much international sympathy, given its historical economic dominance and the effect the Snowden leaks have had on U.S. businesses' reputations.

"The United States has found it hard to win a global audience feeling sorry for American companies," he said.

Twitter: @BlakeSobczak