Cyber Attacks an unprecedented threat to U.S. National Security

Here are excerpts from this 75-page document, some of which I’ve paraphrased [brackets], consolidated, or shortened.  Read this document for a greater, more nuanced, understanding.


Hearing before the Subcommittee on Europe, Eurasia, and Emerging Threats of the Committee on Foreign Affairs, House of Representatives, 113th Congress, 2nd session, March 21, 2013

Mr. Rohrabacher: The type of targets hackers assault are often placed in 2 categories:

1) Strategic targets attacked by military means in a war such as transportation systems, power grids, defense industries, communications, and government centers.

2) Commercial warfare. The scale upon which it is being conducted is beyond anything we have experienced and far exceeds traditional espionage. [Last month the Mandiant report identified a military unit of the Chinese People’s Liberation Army that has been conducting commercial warfare since 2006, hacking business and industry targets.  These attacks cost the American economy $250 billion per year and affect our economy and the balance of power.]

Over the last 10 years the United States trade deficit in goods with China was over $2.4 trillion. Entire industries have been moved across the Pacific to create what we see as the rise of China. We cannot just rely on technology to defend against these type of attacks. We must use diplomacy to deter them by telling Beijing and others in clear terms that we will not allow their hacking to continue without retaliation. We should sanction states that support hacking just as we sanction states that support terrorism or engage in other hostile actions. This war will not just be waged in cyberspace, but across every front and using every lever of American power to defeat an aggressor and to take the profit out of attacking our businesses, our defenses, and yes, our country.

There have been several Congressional hearings on cyber warfare, but most have concentrated on the technology involved and how we can devise defenses to block hackers from breaking into our government and business computer networks. The greatest dangers to our nation are not, however, really about technology. It is about international relations. Foreign governments that employ cyber warriors to attack other countries, or which “allow” hackers to attack other countries should be considered as hostile as governments which support terrorism. These are acts which put our country in severe jeopardy and must be met with the same national security and diplomatic measures that we use to meet any other external threat.

Chinese firms are dominated by state-owned enterprises with ties to Communist Party officials and their families. It is a matrix that not only serves to grow the wealth and power of China but also the personal fortunes of its leaders. The transfer of wealth by the theft of technology and other information vital to the development of industry is then used to gain a competitive advantage in world trade, which brings even more wealth to China.

The people of China are being cheated in that the apparatus that has been set up to protect them is being used to enrich the elite, and at the same time put China into a hostile relationship with the United States and other free countries of the world. And on top of that, the elite in China are using this not to protect China, not to make it more prosperous, but also to repress their own people.  The elite in China, their vanity and their desire for more wealth and power has led China down a wrong path, and I would urge those people in China, which is the vast majority, the people of goodwill there, to push this elite that is running their country that is raping their country and putting us on a path to conflict, to push them out of power.

Yesterday, several banks and broadcast outlets in South Korea were attacked, and apparently the assumption was that the cyber attacks were from North Korea. However, the news this morning is that South Korea is claiming that these attacks were located, the attacker was located in China. [This] raises questions as to whether China and North Korea are cooperating in cyber warfare against people that they think are their enemies.

Duncan: The director of National Intelligence on 12 March, James Clapper, said “there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next 2 years that will result in a long-term, wide-scale disruption of services such as regional power outage.”

If they are stealing the plans of an F–35 and so we have to send F–35s against a comparable aircraft, that is taking some of that competitive advantage away that we have militarily to protect this country.

Mr. STOCKMAN. My district encompasses everything from NASA to petrochemical plants. We were touring some of the plants, and they said they were getting very little cooperation from the government to help deter cyber attacks, which could cripple our nation. Just by turning off a few valves a plant could be blown up.  One plant alone in my district produces about 600,000 barrels a day. If that were to be taken off the market you would see a quick crisis occur. And if you took off several plants it would shut down the United States.

This reminds me of 9/11 when we knew about the Philippines. We picked up documents which showed that they wanted to use planes as weapons, yet we ignored all the signs. I feel like we are ignoring all the signs.  I have plant managers telling me their concerns and I am asking you, is there any kind of game plan to help critical infrastructure?   

The Mandiant report on Chinese APT1-unit cyber attacks

APT1 has:

  • systematically stolen hundreds of terabytes of data from at least 141 organizations, and can steal from dozens of organizations simultaneously.
  • targeted industries China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.
  • a well-defined attack methodology, honed over years and designed to steal large volumes of valuable intellectual property.
  • revisited victim’s network over several months or years to steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.
  • used tools and techniques not yet observed being used by other groups, including two utilities designed to steal email.
  • maintained access to victim networks for an average of 356 days and up to nearly 5 years.
  • stolen 6.5 terabytes of compressed data from a single organization over a ten-month time period.
  • compromised at least 17 new victims operating in 10 different industries in the first month of 2011.
  • compromised organizations across a broad range of industries in English speaking countries. Of the 141 APT1 victims, 87% of them are headquartered in countries where English is the native language.
  • maintained an extensive infrastructure of computer systems around the world.
  • control over thousands of systems in support of their computer intrusion activities.

[And much more is in this document, or see the full Mandiant report]

Mr. Autry: These attacks are not an isolated case of industrial espionage but rather part of an integrated military-economic-cultural assault on America, a nation that China views not as a benefactor and valued trading partner, but rather as an ideological adversary who must be subdued by any means necessary. Chinese senior military strategists have discussed such multidimensional warfare for years. While the Chinese economic assault on the U.S. manufacturing base is painfully visible to our unemployed, the Mandiant report shows that China views this as a military operation. In the process China has debased the Internet, a gift to the world developed at U.S. taxpayer expense.

Why are the Chinese being allowed to get away with this?

I think that the problem is that a lot of American corporations are co-opted by the Chinese regime. They have such a huge interest in the production capabilities and the ability to exploit Chinese labor and the Chinese environment to lower their costs, and they are chasing the delusional promise of this giant market that they are someday actually going to be given access to that they don’t dare offend their Chinese host. They are like the abused partner in an abusive spousal relationship. They are not going to call the cops on the Chinese, and they are really not going to do it when they know that the cops don’t show up and that the cops don’t have any guns, which is the situation that we are in now. This is not a technical challenge, it is a military one. No amount of locks or alarms could protect your home if there was no belief that the police would show up or that the prosecutors would do anything if you had burglars working in broad daylight against whatever security you had put in place.

We should have a ban on the import of any Chinese networking hardware, and specifically I mean Huawei. We need to stop the revolving door at the State, Treasury, and Commerce Departments where officials from those Departments come directly from doing business with China or look forward to doing business with the Chinese as soon as they get out of government service.

Finally, we need to stop educating our adversary. Our computer science departments and engineering departments are full of mainland Chinese students, the majority of whom return to mainland China. Why are we educating these students of a country who are using that technology that we are handing them to oppose our interests?

How does an economist estimate the cost of Chinese cyber warfare?

The evidence suggests these revelations are merely the tip of the iceberg. The FBI admits, “As a result of the inability to define and calculate losses, the best that the government and private sector can offer are estimates.” A full accounting of the damage done to the U.S. is impossible to compile, because most of the victims will never detect the Chinese intrusions or will decline to admit to their losses. The discrepancy between expert estimates and the value of crimes actually reported makes this underreporting obvious. For instance, Symantec estimated 2011 individual and small business cybercrime losses at $388 Billion, while the FBI’s IC3 summary of actual reports totaled a mere $485 million. McAfee even tossed out a $1 Trillion estimate a few years ago. Using the more conservative number only a little more than a tenth of one percent (0.0125%) of these crimes by cost were reported. Even if Symantec overstated the problem by an order of magnitude we still have more than 98% of cybercrimes going unreported.

In any case, how do we place a value on something like Google’s source code? The firm trades at 25 times its annual earnings, suggesting most of its value is in future revenues. Conservatively assuming that half of Google’s market capitalization of $248 billion reflects the value of its technology (other factors might be labor force, brand equity and assets) this implies a property worth $124 billion has been compromised. While assessing the total cost over time has too many unknowns to model, Google has clearly suffered at the hands of its Chinese competitor Baidu. Google has lost $ billions in the Chinese market alone prompting Google’s co-founder Eric Schmidt to brand the Chinese government a “menace.” He has wisely noted that “The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage.” In other words we don’t cheat and steal well.

Consider that the economic costs of the September 11 attacks (excluding the military reaction) have been estimated at around $175 Billion. The annual cost of Chinese military hacking to the US economy is therefore in the same range as 9/11. Every $100 billion implies a loss of about 1 million American jobs. Chinese military hacking has left millions of American workers unemployed. And although we’ve been spared the specter of horrible televised deaths, the suicide and death rates for the unemployed are substantially higher than the national average. The statistics would suggest that over the years, Chinese military hacking has killed thousands of Americans.

Technical protections against cyber intrusion have consistently proven to be insufficient because most initial system compromises are achieved via exploitation of human beings with “social engineering” tricks like spear phishing. The criminal consequences of getting caught are minimal.

Victims of Chinese cyber attacks are actually helping to conceal the extent of this problem. They wish to avoid public humiliation, negative stock market reaction and the liability associated with the loss of customer data. What makes the silence more worrisome is that most large American corporations have been, for all practical purposes, coopted by the Chinese government. They are so dependent on low-cost production in China and strategically committed to the promise of the “world’s largest market” that exposing the criminal behavior of their notoriously vindictive host is unthinkable. With the noble exceptions of Google and the New York Times, an American Corporation is no more likely to “call the cops” on China than are the victims of abusive relationships likely to testify against their spouses.

Worse, many officials in the departments of State, Treasury and Commerce upon whom we depend to make China play fair come straight from doing business with China or proceed to do so as soon as they leave government.

We are executing an “Asian Pivot” strategy to confront China’s increasingly belligerent military posture in the Western Pacific, while our consumption of Chinese goods finances a massive PLA arms buildup.

Do we believe that China’s corrupt, state dominated economy is actually beating American private enterprise in a fair contest? While Shanghai booms and Chinese billionaires sprout up like rice in the spring, 25% of Americans are unemployed or underemployed. This is the root of our intractable fiscal dilemma. While we cut and tax, the Chinese government can hardly think of enough new things to do with the vast wealth our consumers and corporations transfer to them – from maglev trains and moon missions to a frightening military buildup. This is what losing a 21st century war looks like.

On page 44 there are a number of remedies proposed, including:

Encourage U.S. Education in Computer Science: Direct the majority of student aid to STEM majors and specifically graduate degrees in computer science and engineering.

Stop Educating Our Adversaries in Military Technology: Ban the admission of computer science students to the U.S. from nations whose militaries engage in cyber attacks against America and her allies. We are educating a massive pool of Chinese talent in our computer science and engineering schools, where they displace tens of thousands of American citizens and allies.

[I like these solutions because I was a systems engineer/architect for 25 years, and saw many of my colleagues replaced by outsourced workers.  Now these outsourced jobs pay more than what an American worker would cost, because once an outsourcer has a company by the balls, they can charge whatever they please, often far more than what an American computer programmer/engineer would be paid. Most foreign workers came in without the necessary skills and were trained on the job – why couldn’t the same training have been given to American college graduates?   I could also do 3 times as much work as an outsourced worker, because I had years of experience and institutional knowledge].

Protect and Reclaim The Internet: The Internet is an invention of the American government funded by U.S. taxpayers. The U.S. government and the U.S. armed forces are reasonably entitled to demand special privileges in its use. Any attempt to transfer further administrative oversight of the Internet to international regulatory bodies must be most strongly opposed. Any opportunity to regain U.S. control of the Internet would be in the interest of all people, most notably the citizens of China. Specifically ICANN and control of the DNS root must remain in the U.S. Root servers currently in the U.S. must remain there. The location of anycast servers should be restricted to friendly nations.

Mr. MAZZA. China sees cyber capabilities as a tool of statecraft to use in the pursuit of national interests. The primary goal of the Chinese Communist Party (CCP), is to stay in power. No longer securing its legitimacy on a foundation of Marxist ideology, the Party now relies on delivering economic prosperity and on its claim to a nationalist mantle to ensure its continued rule.

China’s continued rise is crucial if the CCP is to validate its claim that it and it alone can lead the country back to what it sees as its traditional and rightful place atop the Asian hierarchy. To do so, Beijing must restore sovereignty over territory supposedly wrongly taken from it. Doing so would not only allow Beijing to complete what it sees as an historic mission, but to enhance its own security. Controlling islands in the East and South China Seas would grant China greater strategic depth, allow it to more easily safeguard or control sea lanes, and permit it to more easily access the Pacific and Indian Oceans.

But these waters are also home to our partners. Tensions have been running high in this region, where conflict is most likely to break out because U.S. and Chinese interests clash. Differing visions of what Asian and perhaps global order should look like have led China and the United States into what is shaping up to be a long-term strategic competition.

For China, cyber capabilities are tools to be used in waging this competition and in securing its interest in the Asia Pacific. China uses cyber capabilities for three related but different purposes.

1) Chinese hackers will engage in espionage activities in the pursuit of both strategic and tactical intelligence.

2) The People’s Liberation Army, or PLA, will use cyber warfare as part of its suite of anti-access/area denial capabilities, or A2/AD. The PLA has been developing systems aimed at keeping U.S. forces distant from Chinese shores, complicating in particular the U.S. Navy’s ability to operate freely in the Asia-Pacific Theater and thus making U.S. intervention in the Taiwan Strait or other conflict more difficult. In the event of a conflict, PLA cyber forces would likely aim to disrupt U.S. military command and communications networks, essentially trying to blind, deafen, and silence U.S. forces.

3) Most worrisome is China’s development of what might be called strategic cyber weapons. Recent revelations of Chinese cyber intrusions into U.S. critical infrastructure are especially troubling. That an attacker a half a world away could threaten our electrical grid, water supply, financial stability or transportation security is frightening and potentially destabilizing. Because these weapons lack the ugliness of nuclear weapons - there is no radiation and they don’t immediately and directly cause widespread death and destruction - not to mention the fact that their origin may be difficult to trace, Beijing may come to see them as more “useable” than nuclear weapons. And with such weapons likely to be seen as adding an intermediate step on the escalation ladder - one preceding the use of nuclear weapons - Beijing may come to see armed conflict as less dangerous than it otherwise would have. Conflict would become even more likely if Beijing believes that the American response to a strategic cyber attack would be one that China can tolerate. Meanwhile, effective espionage would allow China to more accurately predict U.S. actions, to gauge U.S. vulnerabilities, and to speed along its own military modernization. At the same time, theft of IP and trade secrets would be making American companies less competitive, putting a drag on the U.S. economy and putting further budgetary pressures on defense spending.

My comments:

It’s really too late to do much security-wise; there are too many millions of lines of code to fix on a system that was originally designed to be open. The visionaries who created it did so as a way to share information among scientists, as well as to make sure that citizens share information and communicate with each other no matter how corrupt their government was. That was the philosophy of the founders and that philosophy is embedded down to the very roots of the system.

China is the big loser in the end.  They’ve poisoned their land, air, and water for hundreds of thousands of years.  Computer microchips and other complex  information technology will be one of the first to vanish as Liebig’s law of the minimum kicks in at some point when shortages of key resources vanish, supply chains fail, and social unrest, war, and chaos descend as oil declines and not enough food can be grown and delivered to 7 billion people, more fully described in Peak Resources and the Preservation of Knowledge.

