Government officials and contractors yesterday told a government panel that the Chinese government has embraced cyberwarfare and is directing its intrusions at U.S. government and critical infrastructure networks.
The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks, Colonel Gary D. McAlum, director of operations for the Joint Task Force for Global Network Operations, told the U.S.-China Economic and Security Review Commission.
Nevertheless, he said the Chinese government wants to achieve "electronic dominance" by 2050, with the ability to disrupt information infrastructures.
While there's no way to accurately attribute security incidents to China, the Department of Defense has seen a 31 percent increase in malicious activity on its networks from 2006 to 2007, according to statistics provided to the panel by McAlum.
The Chinese government, said Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc., has plowed considerable resources into developing its cyberwarfare capabilities for two reasons. The first is to gain an asymmetrical advantage over its adversaries to help win future conflicts.
The second is "the attribution problem." Cyberintrusions and attacks are extremely difficult to trace, said Mulvenon, "and provides a layer of plausible deniability for cyberattacks" that doesn't necessarily apply to conventional warfare.
Mulvenon calls this the "Tarzana, California, problem" because "in the absence of anything other than log data it's often extremely difficult to tell whether an attack is actually coming from China or whether it's some punk kid in Tarzana, California, who's spoofing off an unsecure server and hacking back into the [Defense] Department's networks."
This allows the Chinese to root around government and critical infrastructure networks hunting for weaknesses they could exploit if open cyber- or real-world warfare transpired. Such efforts are in line with an old Chinese stratagem, "Attain victory before the first battle," said Timothy L. Thomas, an analyst at the Foreign Military Studies Office.
Mulvenon said that since the sources of cyberattacks are usually difficult to identify, targeted countries couldn't know for sure whom to retaliate against. Many panel members wondered when cyberintrusions and attacks constitute outright aggression, as opposed to reconnaissance, and what would be the appropriate response to continued cyberintrusions or attacks.
Citing attacks last spring on Estonia, Commission Co-chairman Peter T.R. Brookes recalled that Estonia wanted to invoke the collective defense clause of the NATO Charter (link no longer goes to this document because the document has been moved on the NATO Web site) and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.
Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically.
"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it's military or economic."
Other commission members worried about vulnerabilities in U.S. critical infrastructure, which is predominantly owned by the private sector.
Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China.
"Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"
To defend against embedded vulnerabilities made easier by a global supply chain, Mulvenon said much more attention needs to be paid to code and hardware auditing.
McAlum said that the DoD puts a lot of emphasis on where the software and infrastructure it deploys came from and who has touched it.
Commission Co-chairman William A. Reinsch also voiced concern that little has been achieved over the past decade in public-private partnerships to secure private critical infrastructure.
The biggest problem interfering with such efforts, Mulvenon said, is the "liability problem." Companies fear they'll be held legally responsible for helping the government. U.S. telecommunication companies barely escaped litigation for cooperating with President Bush's warrantless wiretapping program after 9-11. Due to that fear, said Mulvenon, infrastructure vendors are more comfortable handling their own network security.
To help secure its own networks, DoD has begun to reduce the number of access points its network has to the Internet without creating information choke points. Currently tens of thousands of access points exist between government networks and the Internet, said McAlum.
One idea floated by Mulvenon to help increase information security is to hold Internet service providers (ISPs) responsible for the information sent out over their network. A service provider that violated security rules could be punished by denying it access to the wider Internet. "It creates a market dynamic whereby if you want to continue to have access to other networks around the world for your business model, you need to self-police yourself to be able to make sure hostile packets aren't leaving your network."
McAlum said holding ISPs accountable is a "great way to go," but he said what ISPs are liable for preventing would have to be "well-defined up-front."