Editorial Board

How to Curb Chinese Cyberattacks

Although the word China doesn’t appear in the title of the “Strategy to Mitigate the Theft of U.S. Trade Secrets” that the White House introduced Feb. 20, it was written between the lines in bold type.

And that’s a good thing: The recent escalation in Chinese cyberattacks against U.S. targets is a threat to businesses and to the stability of diplomatic relations. It illustrates why Congress must take stronger action to bolster defenses against digital intrusions, and why the rules of cyberwarfare must evolve out of their current state of dangerous ambiguity into something approaching international norms. And the White House’s newly assertive stance is a welcome start.

The administration’s initiative follows the Feb. 19 release of a study by the computer-security company Mandiant Corp. on a group of Chinese hackers (profiled by Bloomberg Businessweek last August) that had infiltrated 141 companies in 20 industries and stolen “hundreds of terabytes of data” since 2006. Mandiant’s extensive investigations into the attacks suggest close links, if not an exact match, to Unit 61398 of the Chinese People’s Liberation Army, based in Shanghai.

Alarmingly, some of the attacks weren’t aimed at stealing corporate secrets. They targeted the industrial-control systems that operate critical American infrastructure, such as power grids and gas pipelines. One infiltration that Mandiant noted, first reported in September 2012, took aim at Telvent Canada Ltd., which provides software that enables energy companies to access their systems remotely. The perpetrators were able to plant malware and steal files before being detected.

First Step

The first step in mitigating this threat is for Congress to pass mandatory cybersecurity standards for companies that operate critical infrastructure, to be overseen by the Department of Homeland Security. As we’ve argued before, these standards should be applied in ways that maximize flexibility and harness competitive energy. Many of them are simply common sense, such as requiring employees to change their passwords frequently, restricting new applications, and keeping up with security updates and software patches. Tax incentives might also help ensure companies in critical fields continually upgrade their ability to detect intrusions. Those that don’t endanger not just their bottom line, but all of us.

An executive order signed by President Barack Obama last week took steps in the right direction by expanding information-sharing between the government and the private sector, bolstering privacy provisions and ordering the creation of a cybersecurity framework for addressing such risks. It was better than nothing, but addressing the cybersecurity threat more substantively requires Congress to act.

The five-pronged program rolled out Feb. 20 builds on that effort. It starts with turning U.S. diplomacy up to 11 on cybertheft with China and other trading partners, including through the use of “trade policy tools” -- a veiled reference that could encompass sanctions. And it seeks to promote voluntary best practices by private industry, boost domestic law enforcement, strengthen domestic legislation and increase public awareness.

As the line blurs between espionage, militant hostility and outright warfare in cyberspace, though, the U.S. needs to work toward creating international standards of acceptable behavior.

That process will be painfully slow, given endemic mistrust and competing values. (Look at how even allies such as the U.S. and the European Union argue over Internet privacy rules.) China is itself a target for official and unofficial cyberintrusions originating in the U.S. The U.S. government doesn’t practice corporate espionage, but it has demonstrated in Iran that its ability to disrupt critical infrastructure isn’t hypothetical.

Path Forward

A path forward might start with more cooperation on stopping cyberactivity that almost all states agree is harmful (child pornography and human trafficking, for example). It could move to a greater exchange of information about threats emanating from criminal groups and terrorists and eventually toward sharing national cyberwar doctrines.

In recently defining “critical infrastructure” in its executive order, the Obama administration also created a basis for discussions on setting bounds for the use of cyberattacks. In this realm, Cold War analogies can be useful up to a point -- the U.S. and the U.S.S.R., for instance, devised some ground rules for espionage, and both climbed a steep nuclear-strategy learning curve. A hotline between cybercommands, along the lines of the Cold War nuclear model, could be a valuable first step, especially in preventing unintentional escalations.

Ultimately, as cybersecurity expert James Lewis has argued, the goal should be to fully apply international law, particularly the laws of armed conflict, to cyberspace. Countries such as China and Russia need to accept real-world responsibility for any virtual activity that originates within their territories, state-sponsored or not.

Getting them to do so won’t be easy. But the White House’s increasingly aggressive commitment to this issue is a good way to start keeping them honest.