The momentum (or rhetoric machine?) has built up to the point where everyone is pointing fingers at China as the ultimate “cyberscourge,” while China continues to refute those claims. In just the past few days, Sen. Carl Levin sent a letter to President Obama voicing his opinion that the US should raise cybersecurity in talks with China, Washington Post reporter Ellen Nakashima broke a story on a classified government report related to China cybertheft, and an independent commission reported on China’s activities related to IP theft.
In a New York Times article earlier in May, David Sanger and Nicole Perlroth reported China had resumed its cyberattacks on U.S. targets after going ‘quiet’ following the Mandiant APT1 report and other public attention, with some companies being hit repeatedly. Various security experts (particularly those in the financial services industry) have raised questions about why and how China could hit a company multiple times. While no single answer exists, fortifying oneself can often depend on several different solutions that may include technology from multiple third parties and in-house solutions involving a combination of physical, administrative, and technical controls. Effective fortification can only happen if an entity recognizes a problem and decides to take action. This seems like common sense, yet well-known entities, both large and small, have been attacked, learned of the attack, and still refused to do anything meaningful about it (a ‘head-in-the-sand’ approach).
Most experts agree these attacks will continue. Given their deliberate approach and views of computer network operations described in the OSD Annual Report to Congress on Military and Security Developments Involving the PRC 2013, it’s possible that when their main set of attacks was discovered, the Chinese reverted to an alternative campaign. After all, the Pentagon report states that Chinese writings suggest they see information operations “as a tool to permit China to fight and win an information campaign, precluding the need for conventional military action.” They also believe “potential Chinese adversaries, in particular the United States, are seen as ‘information dependent.’”
Companies and other targets may want to consider three things to deal with these attacks. First, continue to improve their defenses by fixing old, well-known vulnerabilities. Second, talk with other entities about other ways companies can protect themselves (including information sharing and active cyber defense). Third, develop and pursue new policy ideas that could better align the cyber interests of both China and the U.S.