ASU global security strategist: Improve U.S. defenses instead of fixating on China

By

Robert Morast

Chinese President Xi Jinping is in the United States this week. When he meets with President Barack Obama on Thursday, the agenda is expected to include economic and security issues, as well as the concerns over cyberattacks and acts of espionage over the Internet. 

The U.S. Senate has accused China of hacking into the computers of transportation companies hired by the Pentagon and of planting malicious software into military airline computer systems.

China has denied involvement, and President Xi said Tuesday that China would work with the U.S. to stop cyber crime.

Regardless of fault, it is an important topic facing the world's two biggest economies. To offer some perspective, Jamie Winterton, director of Strategic Research Initiatives with Arizona State University’s Global Security Initiative, offered her thoughts on U.S. and China relations and a look at how to combat future cyberattacks.

Question: How important — how necessary ­— is it for the U.S. and China to make an agreement to reduce cyberattacks and address other cybersecurity issues?

Answer: Geographic boundaries are barely relevant in cyberspace. Attackers rout malicious Internet traffic through a complex global network, which thoroughly obfuscates its origin. This is why attribution is such a difficult problem. It would be almost impossible to enforce an agreement – however, if the U.S. and China can publicly agree on standards in cyberspace, that could set precedent for a larger global discussion on cyberattacks, which could have real impact.

Q: If this does not happen now, do you expect the U.S. to pursue sanctions, particularly after cyberattacks on federal agencies earlier this year?

A: If no agreement is reached, I expect an increase in tough rhetoric, but not sanctions. Sanctions are a big step, with real economic impact for us. It’s also much more difficult to prove with absolute certainty who’s behind a cyberattak than, say, who’s just invaded Ukraine. With regard to federal agencies — Office of Personnel Management was barely protecting itself. It makes more sense to substantially improve our own security posture before we employ sanctions.

Q: How difficult is it to put in place a system that can both withstand future attacks and identify their source?

A: Cyber defense is already difficult, but state-sponsored hacking groups (like Chinese Unit 61398) have immense resources and incredibly powerful capabilities — above and beyond other hacking organizations that don’t have nation-state sponsorship. No system is “unhackable,” so creating resilient systems that can adapt during a cyberattack will become more and more important.

Q: Many major U.S. tech companies, including Google and Facebook, are seeking to expand their presence in the lucrative, and protected, Chinese market. Do such economic realities influence the U.S. government’s willingness to forgive China’s behavior?

A: There’s another very expensive economic reality — that of electronically stolen intellectual property. The cost is hard to measure, but it’s estimated in the hundreds of billions per year, affecting a wide range of industries, from defense contractors to software companies to mining operations. Industries will be free to pursue Chinese markets, but the U.S. government is unlikely to forgive or forget the high cost of stolen trade secrets.

Q: How do you expect the U.S.-China relationship on cybersecurity matters to evolve in the next few years?

A: The U.S.-China relationship on cybersecurity will depend in large part on the tech industry and the fight over encryption standards. If industry wins — and I think they will — and strong encryption is implemented as the norm, the cost of cyber-espionage will go up considerably, and we’ll be less vulnerable to attack. If the U.S. government is able to press for broken encryption, or “exceptional access,” then not only is there a built-in weakness to exploit, but what’s to prevent China from lobbying for the same access?