Tag: cyber

Cyber-Espionage (Not Necessarily Implicating U.S. Agencies) Returns to the Headlines

The Washington Post reported this morning that the U.S. government is “charging members of the Chinese military with conducting economic cyber-espionage against American companies.”  According to the story, Attorney General Eric Holder will “announce a criminal indictment in a national security case,” naming members of the People’s Liberation Army.

If you will recall, cyber-security, cyber-espionage, and cyber-theft of trade secrets and other intellectual property belonging to American businesses started becoming prominent sources of friction in the U.S.-China relationship about 18 months ago before suddenly dropping off the front pages 11 months ago to make way for revelations of domestic spying by the U.S. National Security Agency.  Somehow, the notion that Chinese government-sponsored cyber-theft broached a red line lost some of its luster after Americans learned what Edward Snowden had to share about their own government.

But today the issue of Chinese cyber-transgression is back on the front pages.  Never before – according to the Washington Post – has the U.S. government leveled such criminal charges against a foreign government.  The U.S. rhetoric has been heated and, just this afternoon, the Chinese government responded by characterizing the claims as “ungrounded,” “absurd,”  “a pure fabrication,” and “hypocritical.”

While the U.S. allegations may be true, given well-publicized U.S. cyber-intrusions, it isn’t too difficult to agree with the “hypocritical” characterization either.  Perhaps that’s why the U.S. government is attempting to distinguish between cyber-espionage, which is conducted by states to discern the intentions of other governments – and is, from the U.S. perspective, fair play – from “economic” cyber-espionage, which is perpetrated by states or other actors against private businesses and is, from the U.S. perspective, completely unacceptable.  It’s not too difficult to understand why the United States has adopted that bifurcated position. The Washington Post quotes a U.S. government estimate of annual losses due to economic cyber espionage at $24-$120 billion.

Huawei, ZTE, and the Slippery Slope of Excusing Protectionism on National Security Grounds

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. —Benjamin Franklin

Chinese telecommunications companies Huawei and ZTE long have been in the crosshairs of U.S. policymakers. Rumors that the telecoms are or could become conduits for Chinese government-sponsored cyber espionage or cyber attacks on so-called critical infrastructure in the United States have been swirling around Washington for a few years. Concerns about Huawei’s alleged ties to the People’s Liberation Army were plausible enough to cause the U.S. Committee on Foreign Investment in the United States (CFIUS) to recommend that President Bush block a proposed acquisition by Huawei of 3Com in 2008. Subsequent attempts by Huawei to expand in the United States have also failed for similar reasons, and because of Huawei’s ham-fisted, amateurish public relations efforts.

So it’s not at all surprising that yesterday the House Permanent Select Committee on Intelligence, yesterday, following a nearly year-long investigation, issued its “Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE,” along with recommendations that U.S. companies avoid doing business with these firms.

But there is no smoking gun in the report, only innuendo sold as something more definitive. The most damning evidence against Huawei and ZTE is that the companies were evasive or incomplete when it came to providing answers to questions that would have revealed strategic information that the companies understandably might not want to share with U.S. policymakers, who may have the interests of their own favored U.S. telecoms in mind.

Again, what I see revealed here is inexperience and lack of political sophistication on the part of the Chinese telecoms. It was Huawei—seeking to repair its sullied name and overcome the numerous obstacles it continues to face in its efforts to expand its business in the United States—that requested the full investigation of its operations and ties, not anticipating adequately that the inquiries would put them on the spot. What they got from the investigation was an ultimatum: share strategic information about the company and its plans with U.S. policymakers or be deemed a threat to U.S. national security.

Now we have the House report—publicly fortified by a severely unbalanced 60 Minutes segment this past Sunday—to ratchet up the pressure for a more comprehensive solution. We’ve seen this pattern before: zealous lawmakers identifying imminent threats or gathering storms and then convincing the public that there are no alternatives to their excessive solutions. The public should note that fear imperils our freedoms and bestows greater powers on policymakers with their own agendas.

Granted, I’m no expert in cyber espionage or cyber security and one or both of these Chinese companies may be bad actors. But the House report falls well short of convincing me that either possesses or will deploy cyber weapons of mass destruction against critical U.S. infrastructure or that they are any more hazardous than Western companies utilizing the same or similar supply chains that traverse China or any other country for that matter. And the previous CFIUS recommendtions to the president to block Huawei acquisitions are classified.

Vulnerabilities in communications networks are ever-present and susceptible to insidious code, back doors, and malicious spyware regardless of where the components are manufactured. At best, shunning these two companies will provide a false sense of security.

What should raise red flags is that none of the findings in the House report have anything to do with specific cyber threats or cyber security, but merely reinforce what we already know about China: that its economy operates under a system of state-sponsored capitalism and that intellectual property theft is a larger problem there than it is in the United States.

And the report’s recommendations reveal more of a trade protectionist agenda than a critical infrastructure protection agenda. It states that CFIUS “must block acquisitions, takeovers, or mergers involving Huawei and ZTE given the threat to U.S. national security interests.” (Emphasis added.) What threat? It is not documented in the report.

The report recommends that government contractors “exclude ZTE or Huawei equipment in their systems.” U.S. network providers and systems developers are “strongly encouraged to seek other vendors for their projects.” And it recommends that Congress and the executive branch enforcement agencies “investigate the unfair trade practices of the Chinese telecommunications sector, paying particular attention to China’s continued financial support for key companies.” (Emphasis added.) Talk about the pot calling the kettle black!

Though not made explicit in the report, some U.S. telecom carriers allegedly were warned by U.S. policymakers that purchasing routers and other equipment for their networks from Huawei or ZTE would disqualify them from participating in the massive U.S. government procurement market for telecom services. If true, that is not only heavy-handed, but seemingly strong grounds for a Chinese WTO challenge on the grounds of discriminatory treatment.

Before taking protectionist, WTO-illegal actions—such as banning transactions with certain foreign companies or even “recommending” forgoing such transactions—that would likely cause U.S. companies to lose business in China, the onus is on policymakers, the intelligence committees, and those otherwise in the know to demonstrate that there is a real threat from these companies and that they—U.S. policymakers—are not simply trying to advance the fortunes of their own constituent companies through a particularly insidious brand of industrial policy.

Cyberphobia

The Wall Street Journal reports that the Pentagon will soon release a policy document explaining what cyberattacks it will consider acts of war meriting military response. Christoper Preble and I warn against this policy in an op-ed up at Reuters.com:

The policy threatens to repeat the overreaction and needless conflict that plagued American foreign policy in the past decade. It builds on national hysteria about threats to cybersecurity, the latest bogeyman to justify our bloated national security state. A wiser approach would put the threat in context to calm public fears and avoid threats that diminish future flexibility.

Reuters headlined our piece: “A military response to cyberattacks is preposterous.” Actually, our claim is not that we should never use military means to respond to cyberattacks. Our point instead is that the vast majority of events given that name have nothing to do with national security. Most “cyberattackers” are criminals: thieves looking to steal credit card numbers or corporate data, extortionists threatening denial of service attacks, or vandals altering websites to grind personal or political axes. These acts require police, not aircraft carriers.

Even the cyberattacks that have affected our national security do not justify war, we argue. There is little evidence that online spying has ever done grievous harm to national security, thinly sourced reports to the contrary notwithstanding. In any case, we do not threaten war in response to traditional espionage and should not do so merely because it occurs online.

Moreover, despite panicked reports claiming that hackers are poised to sabotage our “critical infrastructure” — downing planes, flooding dams, crippling Wall Street — hackers have accomplished nothing of the sort. We prevent these nightmares by decoupling the infrastructure management system from the public internet. But even these higher-end cyberattacks are only likely to damage commerce, not kill, so threatening to bomb in response to them seems belligerent.

The Stuxnet worm shows that cyberattacks may indeed do considerable harm, perhaps someday killing on a scale akin to small arms. Attacks like that might indeed merit military response. But they remain hypothetical here.

Vague terms like “cyberattack” and the alarmist rhetoric that surrounds them confuse common nuisance attacks with theoretical tragic ones. The danger is militarized responses to criminal acts, foolish regulation, wasteful spending, or even needless war.

To learn about the exaggeration of cyberthreats, read these two articles from the Mercatus Center. For a good discussion of the policy options for dealing with the various cyberharms, see this 2009 congressional testimony from Jim Harper.