Lawmakers and experts on the U.S.-China Economic and Security Review Commission today debated with and quizzed security and legal experts on the best course of action against cyberespionage attributed to China.
The Senate committee heard pros and cons related to a number of possible scenarios ranging from increased economic pressure on the Chinese government to the intricacies of hacking back and learning how intellectual property stolen from American companies is allegedly used by counterparts in China.
The hearing took on added urgency after revelations late on Friday indicated that the Office of Personnel Management (OPM) hack went deeper than originally reported and included security clearance data on military and intelligence operatives, edging the total number of potential victims well beyond initial reports of four million.
The experts—Paul M. Tiao, a partner at Hunton and Williams, a D.C. legal firm; Dennis F. Poindexter, an author; and Jen Weedon, threat intelligence manager at FireEye—explained how China’s alleged hacking activities have fueled the growth of their economy, and how the country plans to extend this strategy into solving national crises around energy and agriculture, for example.
Weedon, for example, pointed out that China’s pollution problem has degraded a significant portion of farmable land, and that the country’s reliance on coal is the primary contributor to its woes. China said that it plans on building 13 nuclear power plants in the next three years, and in unison, wants to restore its farming capabilities and lessen its dependence on imported foods. This, as a result, puts American agricultural, chemical, manufacturing and nuclear industry in the line of fire for China’s APT groups, she said.
Some commissioners, Jeffrey L. Fielder of the International Union of Operating Engineers for one, openly questioned the feasibility and encouraged the possibility of private companies and even the intelligence community hacking back against China’s state-sponsored businesses. The group cited the ineffectiveness of a “naming-and-shaming” strategy as exemplified by the government’s recent indictments of five People’s Liberation Army members allegedly involved in cyberespionage activities.
“I think there is a gap in the law with respect to private right to action and with respect to trade secret theft,” Tiao said, pointing out that the World Trade Forum is likely a better suited entity to bring action against Chinese companies acting in and benefiting from cyberespionage. Additionally, Tiao said, the private companies worry about being forced to disclose intimate details via a SEC 8K disclosure and face possible shareholder action, in addition to damages from the attack.
“One of the great challenges is to show how information that’s been stolen has been used, and place a dollar figure on that,” Tiao said. “That’s why pursuing this in a trade forum is a lower burden.”
Interestingly, the panelists were asked to compare the Sony hack, attributed to North Korea, and the OPM hack, attributed to China, along with the respective responses. The Sony hack not only exposed data belonging to a private enterprise, but the attackers used destructive wiper malware to render hardware useless and force many internal Sony processes offline. It also drew a straight line between industrial espionage conducted on the Internet, and cyberespionage conducted for intelligence gathering.
President Obama promised a proportional response, and within days North Korea’s limited Internet connectivity was gone. The attack on the state was never attributed to the U.S., or the work of independent hackers.
“It’s easier to point fingers at North Korea because there’s less of a backlash directly naming and shaming them versus what happened with China in the past,” Weedon said. “There was destructive malware involved, psychological operations; it was a different type of attack that we found more difficult to wrap our heads around. There were perceptions that a line had been crossed that had not been crossed before. The nature of who did it and what they did makes the two attacks different and not able to compare.”
Poindexter, meanwhile, advocated for a stronger deterrent.
“You have to think it’s going to keep happening until you stop it. We seem to have a belief that when hackers hack you can make them go away,” Poindexter said. “If you don’t have a deterrence that says if you hack us, we do x, then you will have problem with this forever because it’s not going to stop.”