CAPITOL HILL: To rephrase Doctor Johnson for the 21st century, there’s nothing that concentrates the mind so wonderfully as the prospect of being hacked. In cyberspace, though, that threat goes both ways. While Americans are outraged over Chinese theft of US secrets both commercial and military, a leading expert told Congress yesterday, the Chinese are plenty frightened by US offensive cyber capabilities.
The good news is we can exploit that fear to make China rein in its military’s wholesale theft of commercial secrets, James Lewis explained to me after a hearing of the House Foreign Affairs subcommittee on Asia. But he stressed to the congressmen that “there is no military solution to cybersecurity.” If we want to avoid a backlash against the US, he repeatedly said during the hearing, we must speak very, very softly to China while we carry our big digital stick.
That argument was not an easy sell for Lewis, director of the technology program at the Center for Strategic and International Studies. Subcommittee chairman Rep. Steve Chabot, seemed amenable to a speak-softly strategy, calling in his opening statement for “confidence-building measures that foster trust and reliability with nations that have become Wild West havens for cyber criminals.” But Republican Rep. Scott Perry and Democratic Rep. Gerry Connolly pushed back hard from both sides of the aisle.
“All the warnings, all the announcements, seem futile,” Perry said. If we really want to change Chinese behavior, he suggested, “should it be our policy to hit them where it hurts” by undermining the Great Firewall of China to “open up the internet to free information for the Chinese people?”
Besides, given how thoroughly China has offended us in cyberspace, asked Rep. Connolly, why should we worry about offending them? “Why should we care?” Connolly said. Chinese hackers, many affiliated with the People’s Liberation Army, are stealing American intellectual property “from Starbucks Coffee to software,” he said. “It’s breathtaking [and] it’s systematic, it’s not rogue elements…. This is actually headquartered in a military compound.”
“We need to persuade the Chinese to change their behavior; we can’t coerce them, they’re too big,” Lewis replied. “There are factions within China that want to work with us. We need to encourage them.” Leaning too hard on Beijing, by contrast, could unite the Chinese against us. After 200 years of conflict with Western powers, Lewis warned, “the Chinese are paranoid.”
“The Chinese respect power,” countered Rep. Connolly. “I am arguing for much tougher enforcement and teeth.”
“We don’t have to scare them. They’re already afraid,” Lewis told Connolly. “They look at us and know we’re infinitely more capable than them. We’re all over their networks.”
It’s not that Lewis objects to strong-arm tactics altogether. He told the subcommittee the US might do well to impose sanctions on specific Chinese individuals and entities, for example banning them from banking with US institutions or even putting them on the no-fly list. But he told me when I cornered him after the hearing that we need to put the heat on the PRC very carefully and with an eye on China’s complex internal politics.
Too much mutual fear can lead to escalating overreactions and self-fulfilling prophecies of conflict, “but the flip side of that is when both sides are afraid, you’ve got grounds for negotiation,” Lewis told me. “If one side didn’t care, there’d be no chance for a getting a deal – and now both sides care.”
The problem isn’t so much China’s civilian leaders, Lewis argued, so much as the People’s Liberation Army, which has long supplemented its official budget with distinctly dodgy enterprises. “The party leadership doesn’t really want a conflict with the US when their economy’s in trouble,” he said. “It’s the PLA doing it. The PLA makes money off it, and they’ll have to stop the PLA.”
“It’s a domestic political problem and that’s one of the things that will slow it down,” Lewis said. Reining in the generals “is going to be a challenge for Xi [Jinping],” China’s president, he told me. But on the bright side, he added, “there’re people in the PLA that want it to be a professional force that doesn’t do this. It’s not a hopeless situation, but it is going to be hard.”
Back in the 1990s, Lewis said, the US and its allies successfully pressured China to shut down an earlier PLA for-profit venture, the proliferation of weapons technology worldwide. Since then, the Chinese leadership has eased the PLA out of one business after another.
“‘PLA Incorporated,’ they used to call it, where they made cars and grew mushrooms and all sorts of weird stuff,” Lewis told me. (Chinese security forces have also reportedly run brothels). “They were forced to get out of that, and now the last business line they have left is the cyber stuff.”
“The way they [the civilian leadership] got them out of the market the last time was they said, ‘we’ll pump up your budget and we’ll give you an aircraft carrier,’” Lewis said. This time around, he went on wryly, “we’ll have to figure out what the payoff will be. Maybe a second carrier.”
“It’ll be a good test,” Lewis told me. “If we can’t get the Chinese to agree on cybersecurity, they’re not going to agree on anything. But I think they’re worried enough that we might be able to get a deal.”
So what would such a deal look like? Lewis and his fellow witnesses downplayed the prospect of a formal treaty setting out cyber codes of conduct.
“One warning is the Russians are the guys proposing a global treaty. That alone should be enough to tell us it’s a bad idea,” Lewis told the subcommittee. (“The Russians are at the top of the league” in cybercrime, he said, “and one of the reasons you see China in the paper all of the time and not Russia is the Russians are better at not being caught.”) But, Lewis went on, “[while] we can’t get a treaty, we can get an agreement on norms and confidence building measures.”
“Home runs are hard to come by,” agreed Karl Rauscher, who facilitates semi-official “Track II” talks on cybersecurity for the EastWest Institute. “Consistently getting singles… is still a great strategy.” The US and China should quietly give up on areas where they have gaping disagreements, at least for now, he argued, and go after modest, manageable, step-by-step gains in areas where their interests coincide.
In the meantime, nobody had better let their guard down. “Our networks… they’ll always be attacked,” said Phyllis Schneck, CTO for public sector security at cybersecurity giant McAfee. One alarming example is this spring’s “Dark Seoul” incident, aka Operation Troy, which erased tens of thousands of hard drives at South Korean banks, media outlets, and other businesses on March 20. McAfee’s investigation into “Dark Seoul” concluded it was in part the culmination of a cyber espionage campaign that had been stealing secrets since 2009: “This has been going on for about four years,” Schneck said.
Schneck declined to speculate on who might have been behind Dark Seoul – “we see the question of attribution as a distraction,” she told reporters after the hearing, “we’re not trained for that” – but other experts point fingers at North Korea, a not-quite-ally of China’s which Beijing has repeatedly failed to rein in. So even if the US can get a deal with China, which is by no means certain, there will be plenty of lesser hackers left to worry about.