CAPITOL HILL: To rephrase Doctor Johnson for the 21st century, there’s nothing that concentrates the mind so wonderfully as the prospect of being hacked. In cyberspace, though, that threat goes both ways. While Americans are outraged over Chinese theft of US secrets both commercial and military, a leading expert told Congress yesterday, the Chinese are plenty frightened by US offensive cyber capabilities.

The good news is we can exploit that fear to make China rein in its military’s wholesale theft of commercial secrets, James Lewis explained to me after a hearing of the House Foreign Affairs subcommittee on Asia. But he stressed to the congressmen that “there is no military solution to cybersecurity.” If we want to avoid a backlash against the US, he repeatedly said during the hearing, we must speak very, very softly to China while we carry our big digital stick.

That argument was not an easy sell for Lewis, director of the technology program at the Center for Strategic and International Studies. Subcommittee chairman Rep. Steve Chabot, seemed amenable to a speak-softly strategy, calling in his opening statement for “confidence-building measures that foster trust and reliability with nations that have become Wild West havens for cyber criminals.” But Republican Rep. Scott Perry and Democratic Rep. Gerry Connolly pushed back hard from both sides of the aisle.

“All the warnings, all the announcements, seem futile,” Perry said. If we really want to change Chinese behavior, he suggested, “should it be our policy to hit them where it hurts” by undermining the Great Firewall of China to “open up the internet to free information for the Chinese people?”

Besides, given how thoroughly China has offended us in cyberspace, asked Rep. Connolly, why should we worry about offending them? “Why should we care?” Connolly said. Chinese hackers, many affiliated with the People’s Liberation Army, are stealing American intellectual property “from Starbucks Coffee to software,” he said. “It’s breathtaking [and] it’s systematic, it’s not rogue elements…. This is actually headquartered in a military compound.”

“We need to persuade the Chinese to change their behavior; we can’t coerce them, they’re too big,” Lewis replied. “There are factions within China that want to work with us. We need to encourage them.” Leaning too hard on Beijing, by contrast, could unite the Chinese against us. After 200 years of conflict with Western powers, Lewis warned, “the Chinese are paranoid.”

“The Chinese respect power,” countered Rep. Connolly. “I am arguing for much tougher enforcement and teeth.”

“We don’t have to scare them. They’re already afraid,” Lewis told Connolly. “They look at us and know we’re infinitely more capable than them. We’re all over their networks.”

It’s not that Lewis objects to strong-arm tactics altogether. He told the subcommittee the US might do well to impose sanctions on specific Chinese individuals and entities, for example banning them from banking with US institutions or even putting them on the no-fly list. But he told me when I cornered him after the hearing that we need to put the heat on the PRC very carefully and with an eye on China’s complex internal politics.

Too much mutual fear can lead to escalating overreactions and self-fulfilling prophecies of conflict, “but the flip side of that is when both sides are afraid, you’ve got grounds for negotiation,” Lewis told me. “If one side didn’t care, there’d be no chance for a getting a deal – and now both sides care.”

The problem isn’t so much China’s civilian leaders, Lewis argued, so much as the People’s Liberation Army, which has long supplemented its official budget with distinctly dodgy enterprises. “The party leadership doesn’t really want a conflict with the US when their economy’s in trouble,” he said. “It’s the PLA doing it. The PLA makes money off it, and they’ll have to stop the PLA.”

“It’s a domestic political problem and that’s one of the things that will slow it down,” Lewis said. Reining in the generals “is going to be a challenge for Xi [Jinping],” China’s president, he told me. But on the bright side, he added, “there’re people in the PLA that want it to be a professional force that doesn’t do this. It’s not a hopeless situation, but it is going to be hard.”

Back in the 1990s, Lewis said, the US and its allies successfully pressured China to shut down an earlier PLA for-profit venture, the proliferation of weapons technology worldwide. Since then, the Chinese leadership has eased the PLA out of one business after another.

“‘PLA Incorporated,’ they used to call it, where they made cars and grew mushrooms and all sorts of weird stuff,” Lewis told me. (Chinese security forces have also reportedly run brothels). “They were forced to get out of that, and now the last business line they have left is the cyber stuff.”

“The way they [the civilian leadership] got them out of the market the last time was they said, ‘we’ll pump up your budget and we’ll give you an aircraft carrier,’” Lewis said. This time around, he went on wryly, “we’ll have to figure out what the payoff will be. Maybe a second carrier.”

“It’ll be a good test,” Lewis told me. “If we can’t get the Chinese to agree on cybersecurity, they’re not going to agree on anything. But I think they’re worried enough that we might be able to get a deal.”

So what would such a deal look like? Lewis and his fellow witnesses downplayed the prospect of a formal treaty setting out cyber codes of conduct.

“One warning is the Russians are the guys proposing a global treaty. That alone should be enough to tell us it’s a bad idea,” Lewis told the subcommittee. (“The Russians are at the top of the league” in cybercrime, he said, “and one of the reasons you see China in the paper all of the time and not Russia is the Russians are better at not being caught.”) But, Lewis went on, “[while] we can’t get a treaty, we can get an agreement on norms and confidence building measures.”

“Home runs are hard to come by,” agreed Karl Rauscher, who facilitates semi-official “Track II” talks on cybersecurity for the EastWest Institute. “Consistently getting singles… is still a great strategy.” The US and China should quietly give up on areas where they have gaping disagreements, at least for now, he argued, and go after modest, manageable, step-by-step gains in areas where their interests coincide.

In the meantime, nobody had better let their guard down. “Our networks… they’ll always be attacked,” said Phyllis Schneck, CTO for public sector security at cybersecurity giant McAfee. One alarming example is this spring’s “Dark Seoul” incident, aka Operation Troy, which erased tens of thousands of hard drives at South Korean banks, media outlets, and other businesses on March 20. McAfee’s investigation into “Dark Seoul” concluded it was in part the culmination of a cyber espionage campaign that had been stealing secrets since 2009: “This has been going on for about four years,” Schneck said.

Schneck declined to speculate on who might have been behind Dark Seoul – “we see the question of attribution as a distraction,” she told reporters after the hearing, “we’re not trained for that” – but other experts point fingers at North Korea, a not-quite-ally of China’s which Beijing has repeatedly failed to rein in. So even if the US can get a deal with China, which is by no means certain, there will be plenty of lesser hackers left to worry about.


  • RedWhiteBlue

    The reality is stranger than fiction.

    Q2 2013 finds the American financial sector again leading all other industries in profits, most of the money made, again, from “trading” – nee reckless gambling at 50 to 1 leverage, in the $700 Trillion derivatives casino.

    That, in combination with Snowden’s disclosure that America together with the UK (another inveterate derivatives gambling nation), have been wholesale tapping into ALL electronic communications around the globe for decades. There is no fiber optics cable between nations that has NOT been tapped by the duo. The massive amounts of data taken (if it were anyone else doing it, you’d call it STEALING for sure) is processed using equally massive supercomputers. Bloomberg also reports that thousands of American companies volunteer to cooperate with this data gathering, and benefit from the reciprocal sharing of confidential info.

    Add to that the fact of the more than US$10 Trillion in American subsidies for the financial industry players since the 2008 debacle. It is clear that gambling with American financial houses is a rigged game, from multiple perspectives. It is like flipping coins with someone who can afford to double down every time the flip is unfavorable.

    It would be almost IMPOSSIBLE to convince anyone that American financials are NOT playing dirty pool in these truly high stakes derivatives gambling deals. It certainly makes the TPP (which insists on the removals of capital controls from host nations so they cannot regulate derivatives gambling) doubly suspicious.

    Beijing has already raised the issue of the unbalanced profits picture. American companies make more than US$100 Billion in PROFITS from and in China each and every year. Profits going the other way to Chinese companies are less than 15% of that. Given the fact that the cost structure is so very unfavorable for American companies (R&D costs in China costs 1/5th that in America, CEOs and senior management in China costs 1/20th to 1/10th that in America), one would have to ask – HOW COME the American companies are still making so much more profits? The answer is clear – they have superior knowledge – and the clear possibility is that the ill-gotten data is a big part of that.

    What is good must be universal. HOW could America be convincing (other than by threatening brute force) in demanding that others stop taking data without permission, when America is doing the same thing at a scale 100,000 times bigger?

  • Don Bacon

    It’s not like it’s a one-way street.

    The U.S. government has been hacking Chinese targets that include the
    nation’s mobile-phone companies and one of the country’s most prestigious universities, former government contractor Edward Snowden alleged in a series of reports published over the weekend by a Hong Kong newspaper.

    “The NSA does all kinds of things like hack Chinese cellphone companies to steal all of your SMS data,” Mr. Snowden told the South China Morning Post, Hong Kong’s leading English-language daily.

    And it’s not like it’s difficult.

    Forget the shady middlemen; never mind the students just a little too eager to find out the particulars of engines and warheads. Today, when foreign spies want to acquire America’s latest weapons technology, they just hack into networks and steal the digital designs. 2012 marked the the first time, overseas intelligence agencies used cyber espionage – rather than the old-fashioned kind — as their number one way to pilfer information on U.S. weapons.

    Edward Snowden’s last employment at the N.S.A . was “infrastructure analyst.” An infrastructure analyst at the N.S.A., like a burglar casing an apartment building, looks for new ways to break into Internet and telephone traffic around the world. Snowden purposely took the job, at a lesser salary, in order to grab the information he later released.

  • Jack

    While Americans are outraged over Chinese theft of US secrets both commercial and military they continue to support American NSA treason and cheer when they see our fascist government hacking every computer in the world.

  • Gregg Bowman

    This isn’t rocket science. First of all the Chinese are never going to back off with the hacking, nor will they slow down or will they actually even consider it and we know it so stop playing these silly games!! The only rational strategy is to surpass them greatly in all of these areas, period. Get on with it. There is no other strategy. It doesn’t exist. Warm regards, Gregg Bowman

  • Adrian C.Y. Fu

    Washington, D.C., back off!

  • ed

    Why should the Chinese try to hack our secrets when we tell them all the want to know?