Cyber-Alarm!

Shane Harris’ National Journal cover story on the Chinese “cyber-invasion” is meant to alarm us. The story claims that Chinese hackers doing their government’s bidding are stealing our secrets and maybe felling our power grids. It quotes US officials comparing the consequences of cyber-attacks to those of nuclear weapons. The cover depicts a red dragon crawling on to an American shore. A subtitle sees “a growing threat.”

Don’t burn your wireless card yet though. There may be a US cyber-panic, but the Chinese cyber-threat is overblown.*

The most shocking and least plausible claim in the article is that Chinese hackers caused the massive blackout in 2003 and a recent power outage in Florida. I’m not an expert on cyber-security, so I’ll leave it to Bruce Schneier and Wired blogger Kevin Poulsen to attack this theory.

But anyone can see dodgy sourcing. Harris’ blackout scoop comes from the former president of something called the Cyber Security Industry Alliance who claims that he heard it from intelligence sources. In support of this contractor’s claim, the article quotes a bunch of federal officials paid to combat cyber-threats. They say, essentially, “Yes, it’s possible the Chinese did this, but we can’t say more.” Technical details aren’t included. It’s a secret, we’re told. The article only briefly discusses the very plausible explanations for both blackouts that don’t involve Chinese hackers. In the 2003 case, at least, that multi-causal story is backed by extensive investigations on the public record.

Another problem is the article’s uncritical acceptance of the claim that the Chinese government employs a hacker militia to attack US websites. No evidence is offered beyond the assertions of an intelligence official employed to combat cyber-threats, a security contractor who works for such officials, and one consultant / analyst. No doubt there are lots of Chinese hackers breaking into US networks. After all, there are lots of Chinese. But why should we believe that these hackers are agents of the Chinese state rather than bored teenagers in internet cafés? However malicious its intent, why would the Chinese government want to outsource its espionage to a bunch of underemployed programmers?

The story also reports on several Chinese efforts to steal information from US corporate executives and government officials. These stories are plausible – but two caveats could have been highlighted. First, our military and intelligence agencies almost certainly hack into Chinese networks and steal information. Second, there is no official claim in this story or elsewhere, despite all the sound and fury, that Chinese hackers have broken into classified US networks and gathered useful information.

Finally, the story should have quoted someone pointing out the absurdity of the claim made by Vice Chairman of Joint of Staff Gen. James Cartwright that cyber-attacks are comparable to weapons of mass destruction attacks, which means nuclear explosions, among other things. By most definitions, cyber-attacks have been going on a long time. They have killed either no one or almost no one. Yes, one can imagine scenarios where hackers trigger mass casualties. But equating these outlandish what-ifs to a nuclear weapon is either an assault on the meaning of “mass destruction” or threat inflation of first order. (I say this despite an article/ heroic epic in the same magazine depicting General Cartwright as a kind of cross between Napoleon and Jack Welch.)

I keep reading about the cyber-war we’re supposed to be fighting with China. Reading this story, I don’t see it. There are evidently a lot of Chinese hackers (not necessarily government-sponsored), and a bunch of Chinese electronic espionage (not necessarily successful). That’s a problem, not a war.

For a sober take on these matters, read James Lewis of the Center for Strategic and International Studies.

*I’m usually a fan of the National Journal and Shane Harris’ writing in it, so I chalk this up to an off-week.