The threat of Chinese espionage is so critical that the commander of our military cyber defenses has called it the “the biggest transfer of wealth through theft and piracy in the history of mankind.”
But the threat is not bad enough to go on the record about the threat, to take risks to share needed information, or even to be willing to tell the Chinese to back off.
These are the government’s Three Silences. Added together I fear they are driving us to defeat.
First: Silence about the threat we face. Government officials seem keen to leak information on how bad Chinese espionage is, but rarely willing to actually tell us. If espionage is such a problem, how come we have to hear about it from the press or from private sector experts?
The government has begun to find their tongue, but these are mentions or accusations, without convincing particulars. While worthwhile, this namedropping pales before the problem. Why can’t the government say more? Usually the excuse is one of the following:
- We are sharing. Didn’t you see those sentences in that one report?
- I have no opinion and can’t discuss this: it is classified way above my pay grade.
- We would like to but it is caught up in the interagency.
- We can’t prove it’s really China.
- If we say China is doing it, they may get angry and stop lending us money.
- There’s nothing illegal about spying; after all, we do it!
- If we declassified what we knew of the threat, people would panic.
- The private sector isn’t sharing with us, so why should we share with them?
- If we discussed this, it wouldn’t matter since the Chinese would not change their behavior.
- It’s a wilderness of mirrors. If we discussed this, then the Chinese would know that we know.
- If we talk, then our intelligence take won’t be as good.
None of these reasons, singly or in combination, are sufficient given how badly we’re losing. We will never make progress by treating this problem as a state secret, even from those under attack, as the bureaucrats hunt for their classification stamps when the words “China,” “cyber” and “espionage” are used together. Worse, our familiar counterintelligence game is one our adversaries do not even know. We are not facing a single, monolithic KGB but a splash of non-state hacker groups loosely affiliated with many different official organs of the Chinese state.
What must be done? The government must follow the example of the US China Commission and be clear about the depth of the problem and name the country involved: China. This requires repeated speeches from senior officials, not just occasional sound bites; not just one report, but a slew of them; not just leaks to media, but interviews. The frequency and seriousness of their statements need to match the crisis at hand and this should start from the White House.
Second: Silence about practical information which could help the private sector.
In cyber conflict, the offense already begins with a head start. To beat them, the defenders need to increase the bad guys’ work factor significantly more than their own. While the government has started projects, most notably the Defense Industrial Base cyber pilot to share NSA’s signatures of malicious software, these require security clearances and secure facilities, do not scale, and increase our own work factor more than our adversaries’.
The fix is to shift the government’s mindset. In cyber conflict, the private sector is usually the “supported command” not the “supporting command.” They are the targets, the ones fighting in the trenches every day and they need more help. As just one example of how to do this, we should simply declassify the signatures which will would bolster, not supplant, the existing and capable security monitoring market.
This leads us to the last silence: Silence to the Chinese about our increasing fury.
By drawing on a range of discussions over the years, some successful and some not, our non-proliferation negotiators have had success influencing Chinese behavior. They have discovered the Chinese government is more willing to limit proliferation to some countries but not others. Sometimes, they were able to succeed with a discrete word behind closed doors, while other times public shaming was needed.
Despite this experience and the ongoing onslaught of Chinese espionage, however, the United States government appears to have not yet told the Chinese leadership in any similar fashion that we are upset with their activities. We have mentioned it to them, but rarely more.
How can this be? Is it true the United States is willing to square off against China on tire imports and rare earths, but not on “the biggest transfer of wealth through theft and piracy in the history of mankind” in General Alexander’s words?
We don’t need to pick an international fight (or perhaps we do) but at least, let’s start the official dialog. We should raise it at every opportunity – every JCCT, every Strategic and Economic Dialogue, every dialog with the Chinese. How can we say we are trying to stop their espionage by doing anything less?
We don’t even have to prove beyond doubt that every single espionage case is coming from China or that the Chinese government itself is conducting them. As I argued in a recent Atlantic Council paper, “Beyond Attribution: Seeking National Responsibility in Cyberspace,” the United States can simply decide to not care whether these are sponsored by the Chinese government. Our diplomats and senior leaders can just hold them responsible to make it stop. This approach of “national responsibility” is likely to be far more effective than forcing ourselves to jump over the needlessly high bar of proving technical attribution.
The Administration and Congress are taking cyber espionage seriously, more seriously than they have in years. Yet it is far from clear we are doing enough or heading in the right direction. By refusing to speak, either to our own people or to the Chinese, we are fighting on an asymmetric battlefield of our adversary’s own choosing. Going public, through naming and shaming those involved, is a winning strategy.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. This blog is based on his recent testimony to the US China Commission. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.