Experts wary of Pentagon cybersecurity report fingering China

A recent Pentagon report blaming the Chinese military for cyberattacks on U.S. government computers and defense contractors marks an escalation in rhetoric, but offers no surprises, experts say.

The report, released Monday, marked the first time the Obama administration had directly accused the Chinese government and the People's Liberation Army of using cyberweapons to steal intellectual property and gain a military and economic advantage.

The Pentagon said the Chinese government views electronic warfare as a way to counter U.S. military superiority by making it possible to cut the flow of information during a time of crisis.

While the report upped the ante in U.S. efforts to curtail Chinese cyberattacks, its findings did not shock experts, who already assumed a lot of what the Pentagon disclosed.

"This isn't earthshaking, as I have thought this has been the case since 2003," said Murray Jennex, an associate professor at San Diego State University and an expert in information systems security. "However, it does signify that mainstream decision makers in the U.S. government are willing to publicly state it is so."

Because of the difficulty in tracing the origin of cyberattacks, China's involvement has always been suspected, but not proven, Jennex says. The report indicates that the U.S. government now has the evidence.

The question is whether the report indicates the government is willing to launch its own cyberoperations against China? Ã'Â "I think it does and I wonder how that will translate into other actions, such as trade restrictions," Jennex says.

The advantage of having high-level administration officials discuss the problem publicly is it builds awareness among private industry, said Ron Gula, chief executive of network security company Tenable and a former penetration tester in the National Security Agency. Many companies do not direct enough resources toward security, unless to meet regulatory requirements.

"You would expect security to be the number one thing for people, but it's not," Gula said.

The Chinese government has denied any involvement in cyberattacks against the U.S. government or private industry. In a briefing following the release of the report, a spokeswoman for China's Foreign Ministry said the Pentagon offered nothing but "groundless accusations" and "hype," Reuters reported.

China is not alone in building cyberweapons or conducting electronic spying. The U.S. spends billions of dollars each year on cyberdefense and on developing cyberweaponry. Gen. Keith Alexander, director of the NSA and commander of the military's Cyber Command, has told Congress that he is developing a dozen offensive cyberunits to launch attacks against foreign computer networks, if needed, according to The Times.

[Also see: Rising cyberthreats set backdrop for latest cybersecurity bill]

Whether built by China or the U.S., there's no guarantee cyberweapons will be effective, given the newness of the technology and the complexity of getting it into the right computer systems and having it perform correctly without being discovered, Gula said.

"With cyberweapons, until you know what they are, until they come out and say what they are, it's science fiction," he said. "It's not like we have 50 years of cyberweapon terminology and practices and things like that."

Despite U.S. protests, cyberespionage on the part of China and many other countries is unlikely to stop and does not violate international laws. Where China crosses the line is in sharing that intelligence with private industries, in order give them a competitive advantage.

"It creates unfair market competition when governments conduct espionage and provide that information to private companies," said Jacob Olcott, a principal at cybersecurity consultancy Good Harbor and a former counsel for Sen. John D. Rockefeller, D-W.Va. "That's a distinction that's important and worth making."

He also believes the U.S. spends too much on cyberweapons and not enough on cyberdefense. "The spending is way out of line and it's certainly valid for other countries to look at what we're doing and want to escalate their own practices too," Olcott said.

In February, President Barack Obama took a step toward bolstering the nation's cyberdefenses by issuing an executive order that established a framework for sharing information between government and private industries. A proposal that would make sharing of cyberattack data mandatory passed the House last month and is currently in the Senate.Ã'Â

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

Tags San Diego State UniversitycybersecurityapplicationsData Protection | Malwarelegal2012 Cyber Security Actsoftwaredata protectionChina hackingcybercrime

More about National Security AgencyNSAReuters Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts