Every businessman that I know has experienced serious cyber attacks on his/her company. One CEO told me recently his company gets 60,000 attacking emails a day. Most companies do not want to discuss it because it invites unwelcome press attention and too often club-footed government oversight.
And in recent years, the words “cyber attacks” and “China” have become virtually linked. Cyber criminals are everywhere, but China has become the bogey man of cyber insecurity. It is becoming a genuine source of instability in Sino-American relations.
Several years ago, CSIS started a quiet dialogue with Chinese security elements on the cyber security problem. No one is naïve about this. Neither China nor the United States is prepared to forego spying on each other using cyber tools. Neither country will deny itself the ability to use cyber-attack tools if we get into a war with each other. God knows a war with China would be enormously destructive and counterproductive, but we and China will always reserve cyber-attack tools for future use if we need to. No one is naïve about this.
But that doesn’t mean that we can’t find tangible areas where we can cooperate. Neither country would want to let a third country propel us into a war or serious tension through cyber techniques. It is quite easy for cyber attackers to masquerade their identity by capturing an unwitting computer in another country to launch attacks. One of my nightmares is that a hostile foreign intelligence service would design a clever attack against a US public utility—the famous “turn out the lights in Chicago scenario”—but mask the attack by launching it from China. Indeed, when the United States experienced the frightening attack using anthrax against US Senators, the letters containing the anthrax were crudely designed to suggest that the attack came from Muslim terrorists. Our Chinese counterparts are just as concerned on this front as are we.
Neither China nor the United States wants to let criminal gangs in our respective country attack the other country’s banking system. We are inextricably linked in a network of daily financial transactions that are highly beneficial to both countries. We don’t want that put at risk by criminal gangs or hostile intelligence forces.
Neither country wants to let its computers be used by terrorists acting against the other country or against a third country.
In short, there many areas where we genuinely share common interests in dealing with cyber insecurity, even when as sovereign nations we reserve the right to harm the other for national purposes.
The great problem, of course, is the ambiguous status of attackers who have working ties with government entities. When an American firm finds it has lost the design of important products to a foreign hacker, was that attack an act of a government intelligence-gather or of criminal theft of intellectual property for financial gain? There are several countries in the world where you can’t tell the difference, honestly, including China.
But I believe that there are opportunities to work more creatively with China to lessen this great problem. In one sense, it is not entirely unlike the problems we endured for many years—and still do for that matter—where Chinese private sector elements stole the design of American products—or simply created counterfeited labels of American products on containers of adulterated local products for sale to gullible Chinese consumers. Ten years ago this was a rampant and rising problem. It is now significantly better because American companies directly confronted Chinese political leaders, demanding action. And there has been action to lessen the problem. It is by no means solved, but it is moving in the right direction. And American companies have become smarter in protecting their product lines, and have captured handsome market shares in China because their products are known for safety and effectiveness.
As I said, no one is naïve about the massive problem we face. Yelling at China is no substitute for American companies and private citizens doing a much better job protecting their computer networks. Computer experts say that fully half of the computers on the world-wide internet have no effective security features. This is a problem that has been vividly before us for more than a decade. And, yes, US Government officials do need to challenge China to bring discipline to cyber space within China’s control. These activities are becoming serious impediments to closer relations.
But I also believe that we have an opportunity for genuine dialogue and constructive work with Chinese counterparts on problems that we do share. The problem is exceptionally hard, but it is not hopeless.
John J. Hamre is the President and CEO of the Center for Strategic and International Studies (CSIS).