The US Department of Defense’s latest assessment of China leaves little to the imagination about which country’s it thinks is the greatest cyber threat to US private sector and defense industry organisations.
While no one has, with 100 percent certainty, pinned the Chinese Government for cyber-attacks on US government and Western companies, in its 2012 report, “Military and Security Developments involving the People’s Republic of China” the US Secretary of Defense considers it likely that, “Beijing is using cyber-network operations as a tool to collect strategic intelligence.”
“In 2011, computer networks and systems around the world continued to be targets of intrusions and data theft, many of which originated within China,” the report notes.
It later notes that Chinese actors “are the world’s most active and persistent perpetrators of economic espionage”.
The report raises China’s unwillingness to acknowledge the “Laws of Armed Conflict”, which the Pentagon last year determined did apply to cyberspace.
Robert Clark, operational attorney for the U.S. Army Cyber Command told Australian delegates at the AusCERT conference last week how the Laws of Armed Conflict in cyberspace might work internationally to determine when a country can claim self-defence and how they should measure a proportionate response.
One problem with it was highlighted by Iran, following the Stuxnet attack on its uranium enrichment facility in Natanz, which never declared the incident a cyber-attack.
Air Force Colonel Gary Brown, an attorney for US Cyber Command, in March this year detailed dozens of reasons why Iran, in the context of the Laws of Armed Conflicts in cyberspace, didn’t declare it an attack. This included that difficulties remain in attributing such an attack to a single state.
Concerns in the US over China not recognising the Law of Armed Conflict in cyberspace heightened after China and Russia proposed the “Code of Conduct for Information Security” to the UN last September.
Under that code, “governments exercise sovereign authority over the flow of information in cyberspace”, the report notes.
Policy analysts at the Council on Foreign Relations have drawn the conclusion that while US policy makers would likely welcome the code’s recognition that internet security was a global challenge, the emphasis on “information” as opposed to “cyber” security would jar with support for the protection of freedom of speech.
The US appears to be hopeful that China’s continued expansion will force it to see things the American way.
“China has not yet accepted that existing mechanisms (such as the Law of Armed Conflict), apply in cyberspace. However, China’s thinking in this area may evolve as its own exposure increases through greater investment in global networks.”