There will be plenty to talk about when U.S. National Security Advisor Thomas Donilon arrives in Beijing on May 26. North Korean threats, Iranian nuclear development, trade disputes, and the worsening situation in Syria will no doubt be high on the agenda. But perhaps more than any other subject, cybersecurity is likely to dominate discussions during the three-day visit, coming just before Chinese President Xi Jinping is set to meet President Obama on June 7 in California.
Cyber espionage has become an even more fractious issue following the May 6 release of a Pentagon report to Congress that for the first time officially links the Chinese government to widespread hacking directed at the U.S. “China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors,” the report said. “In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military.”
Donilon is no softy when it comes to speaking out on Chinese cyber espionage, either. He has increasingly made the issue a top priority. Addressing the Asia Society in New York on March 11, he warned that Chinese hacking is a major challenge to bilateral relations. The U.S. is facing “cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country,” he said. “We need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”
Of particular concern is Chinese cyber attacks directed at gaining proprietary technology and business information from companies. Yahoo! (YHOO), Google (GOOG), and Intel (INTC) have all been targeted. More than one-quarter of companies surveyed for a recent American Chamber of Commerce in China (AmCham) report said they had been victims of data theft, while 42 percent said the risks in China were increasing. “Any technology or advanced industrial company, even law and accounting companies, is now a target,” says James McGregor, chairman of Apco Worldwide in China and a former chairman of AmCham in Beijing. “It is leading to distrust across the board with China and Chinese business.”
Why is Beijing willing to hack even as tensions rise with the U.S. government and major American corporations? China needs trade intelligence as it upgrades its economy and Chinese corporations go abroad. One key use of cyber espionage: Chinese oil and gas companies secretly gathering data to help them win foreign acquisition deals, says Nigel Inkster, director of Transnational Threats and Political Risk at the International Institute for Strategic Studies in London. “It gives them an unprecedented capacity to collect huge volumes of information that in the past they might not have had access to,” says Inkster, who is also a former British intelligence officer. “And the benefits so far outweigh the risks.”
Beijing’s response, not surprisingly, has been to point the finger back at the U.S. More than 1.9 million computers and 11,000 Chinese websites were affected by cyber attacks originating overseas in the first two months of 2013, with more than half emanating from the U.S., Chinese authorities announced on March 11. “The Chinese government has not organized hacking attacks. And China recognizes that the U.S. organizes cyber attacks against other countries,” says Shen Dingli, director of the Center for American Studies at Shanghai’s Fudan University. “As we all know, the United States is the real ‘hacking empire,’” said a commentary published in the official People’s Daily newspaper on May 8.
What options are on the table to deal with the threat of cyber attacks? So far there’s been little detail from the Obama administration, although Secretary of State John Kerry announced in April that the U.S. and China plan to set up a cybersecurity working group. Others, however, have not been as reserved. Former U.S. Ambassador to China Jon Huntsman and former Director of National Intelligence Dennis Blair released a report on May 22 advocating a tougher line, including considering changing laws to allow retaliatory attacks by U.S. companies, and even implementing tariffs on all Chinese imports.
If Beijing decides it wants to cooperate on cybersecurity, it won’t be easy. At least four government agencies—including the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, as well as the Chinese military—have authority over cybersecurity. That contrasts with the U.S., where Obama has appointed a special aide to oversee all strategy and policy. Getting the Chinese bureaucracy to agree on how best to manage any joint efforts will be daunting.
“China doesn’t have a single point of coordination for cybersecurity,” says Jimmy Goodrich, director of global policy at the Washington (D.C.)-based Information Technology Industry Council. “There are numerous agencies with overlapping responsibilities. Because of that, cybersecurity protection is hard to ensure.” Adds Liu Deliang, director of the Asia-Pacific Institute for Cyberlaw Studies at Beijing Normal University: “Every organization has its own different responsibility. It is far too complicated.”
That China’s hacking universe extends far beyond just state-supported efforts makes reining in cybercrime extremely difficult. Thousands of young Chinese, mainly male, use their hacking skills for illegal commercial gain, says Wan Tao, once one of China’s most famous patriotic “red hackers.” More than a decade ago he targeted U.S. and Taiwanese government websites but now works as an Internet security engineer. “Chinese hackers have lost their way. They don’t believe any longer in the power of the Internet to change the world, but instead just want to make money,” Wan says. “The cost of doing computer crime in China is too low. It is a terrible situation.”