Recently, a $100 million U.S.-based cyber-security firm – Mandiant -
released a very detailed report (link) tracing numerous and long-running cyber
incursions and data infiltrations into and from the U.S. back to a specific
building in China, the home of an elite People’s Liberation Army (PLA) cyber
unit.
What made this Report stand out from other such documents issued in the
past – like security firm McAfee’s infamous “Shady Rat” report from 2011 (link)
– was its remarkable forensic focus, right down to identifying three unique
individual hackers.
Both the Mandiant and McAfee Reports labeled China the chief
perpetrator, and both Reports spotlighted the U.S. as by far the most
significant victim. Both Reports cite tera- and petabytes of information
exfiltrated from U.S. networks and companies, referencing a potential transfer
of wealth unlike anything that has occurred in human history.
I personally assume that - likely as not - there is some truth to these Reports' general
depiction of Chinese Government-sponsored cyber activity. Why would they not
'fess up? I dunno, why did Clinton lie
about getting a hummer in the Oval Office? Go figure...
The U.S. cannot hold itself out as somehow innocent of
cyber-malevolence – witness Stuxnet and Flame – but, select U.S. Government
officials have quite clearly stated that U.S. Government-sponsored cyber
activity does not extend to the theft and transfer of valuable intellectual
property, or trade, operational, procedural or transaction-related secrets.
I personally assume that these U.S. Government officials are sincere in
their representations that the U.S. limits its cyber-warfare to disruption and
non-commercial espionage.
So where does this leave us?
Based on the preponderance of available evidence, we can assume with
great confidence that governments are actively and passively supporting cyber
incursions into other countries’ networks and businesses. From a track record
perspective, it would appear (at least from public accounts) that China is
leading in the theft of IP, and the U.S. has the upper hand in terms of demonstrated
cyber-disruptive capability.
So what next?
We can trust that the brief flurry of media and hyperbolic political
attention to the Mandiant Report release was only the first wave. U.S.
Sinophobes will ratchet up the tension with China and the Chinese Government
will continue to deny, obfuscate and otherwise seek to maintain the effective
status quo.
What’s wrong with this picture?
In the name of “fear,” we’re poised to give up more stuff. Jobs,
investment, peace of mind, and, yes, civil liberties.
With respect to everything but the latter point (other than to say that
our surrender of rights and liberties in the wake of 911 did not stop then -
law enforcement, intelligence and other authorities are increasingly empowered
to tap, surveil, track, imprison and even, in the most outrageous of
circumstances, kill us –and increasingly without warrant or accountability) ,
since the dawn of the Cold War, ours has increasingly been a fear-based
society. With all best intent (more often than not anyway), the U.S. Government
has time and again tipped the scales towards fear in setting policy.
Yes, when the Wall fell and the Internet blossomed, we experienced a
brief almost decade-long respite. But hope was dashed and fear returned when
the dotcom bubble burst and the WTC towers fell.
And now, with our subsequent mis-adventures in Iraq and Afghanistan -
in part well-intended, in greater part, perhaps not –seemingly almost played
out (although we will almost certainly one day reap a bitter harvest from the
seeds we’ve sown in those countries), we move on to new chapters in fear: Cyber
and China (and, increasingly, Iran, which is an utter quagmire, and, frankly,
given our history in that country, we cannot hope for much beyond containment
at this point).
Cyber threats (most specifically, for now, China-based) are the new
platform for Government reactionaries to monger fear around, supplanting
terrorism, just as terrorism filled the gap left at the end of the Cold War
(following that brief and blissful gap of the post-Soviet-Internet-boom 90’s).
Are the threats real? Yes. Must they be addressed? Yes.
But, they should be addressed in the context of the globalized world in
which we live, and in an economic era defined by an ever-elusive recovery. In
other words, heralding Aebbe the Younger (as introduced in a blog post late
last year), we ought not cut off our economic nose to spite our cyber face.
Consider: In December of last year, The Rhodium Group (www.rhg.com) - a
well-respected U.S.-based economic research house with a regular focus on China
and Chinese outbound investment – released a Note on “Chinese FDI in the United
States in 2012“ which highlighted that “Chinese firms completed U.S. deals
worth $6.5 billion, a 12% increase from the previous record of $5.8 billion in
2010. This new record reflects both the growing determination of Chinese firms
to expand overseas and the attractiveness of U.S. markets and assets to these
investors.”
Good stuff. Our economy needs such injections of capital and jobs.
Yet, just this month, Rhodium issued a Paper on “Chinese Investment:
Europe vs. the U.S.” which spotlighted that “After a similar take-off phase in
Chinese investment in 2008, patterns diverged in the past two years with Europe
receiving almost twice as much investment as the US… Chinese telecommunications
equipment firms…spent more than three times as much in Europe than in the US,
where ...firms have seen their business prospects diminished by intervention
from US government officials, members of Congress and the security community.”
Ugh. So in the name of cyber-fear, we sacrifice investment, jobs,
innovation and more affordable broadband. Are we cyber-safer for the
sacrifice? Nope. Do we know something the Europeans don’t?
Nope, not that either - we’re just tipping the scales to fear again.
Balance in our approach is absent, and very much in demand. In yet another previous blog post – some
months ago – I suggested that the U.S. and China had reached a MAD point ala
the U.S. and the Soviets half a century ago, except in terms of cyber rather
than nukes. I continue to believe (and hope) that the two countries will
convene around some agreement defining lowest common denominator acceptable
cyber-behavior (e.g. we’ll steal secrets from each other but won’t crash any
planes or markets), and then multilateralize it.
Would such an initiative undo the cyber (and other) tensions between
the U.S. and China? Of course not. But it would be a step towards a rational
policy solution that might balance fear with the all-too-real realities of
globalization.
Stay tuned…
No comments:
Post a Comment