White House: No Cyber Attack Pact with China, For Now

In this Nov. 12, 2014 file photo, U.S. President Barack Obama, right, smiles as a group of children wave flags and flowers during a welcome ceremony held by Chinese President Xi Jinping at the Great Hall of the People in Beijing, China.

AP / ANDY WONG


The Chinese president’s visit to Washington will highlight how far apart the two nations are on cyber issues.

During his visit to Washington, D.C., this week, Chinese President Xi Jinping was expected to sign an historic “cyber arms agreement” with the United States, under which each would agree to adhere to U.N.-established norms of online behavior, the most important of which was not to attack the other’s infrastructure during peacetime, the New York Times reported on Saturday. But in a conference call with reporters today, an Obama administration spokesman scaled back expectations for that agreement considerably.

“I don’t want to suggest that, you know, we’ve reached an arms control agreement here,” said Ben Rhodes, the White House deputy national security advisor for strategic communications.

The sentiment was seconded by Dan Kritenbrink, the senior director for Asian affairs at the National Security Council. “I would be reluctant to raise expectations about an agreement along the lines of what you just described,” he said. “That would be a long-term goal. We’re a long ways from getting there.”

That’s fine and good since any such agreement was purely “symbolic” in its value, wrote James Andrew Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies. Neither “China nor the United States intends to attack the other’s critical infrastructure in peacetime,” he wrote in an op-ed on the CSIS site.

The agreement would have been nearly impossible to verify anyway, Harvard Law School professor Jack Goldsmith argued at Lawfare. Unlike planes and aircraft carriers, offensive cyber capabilities are developed in secret, with carefully hidden budgets.

Even the symbolic value of the deal was limited; the U.S. wouldn’t have committed to much that it hasn’t already. Adm. Michael Rogers, the head of U.S. Cyber Command, the outfit charged with creating cyber offensive capabilities, has publicly said that the United States would follow the rules of war in using offensive cyber weapons. “Remember, anything we do in the cyber arena … must follow the law of conflict. Our response must be proportional, must be in line with the broader set of norms that we’ve created over time. I don’t expect cyber to be any different,” he said in April.

Defining ‘Critical Infrastructure’

At least one analyst doubted that the sides might even have been able to agree on the scope of its core issue. Shannon Tiezzi, writing for The Diplomat, wrote that “such a deal is unlikely to actually spell out a definition of what constitutes ‘critical infrastructure.’ That lack of clarity also plagued a 2015 report from the United Nations Group of Governmental Experts on Information Security (GGE), which included a list of ‘norm, rules, and principles’ for state behavior in cyberspace.”

In many ways, “critical infrastructure” remains a catch-all for everything from water treatment plants to banks to manufacturing. And potential attacks on it have preoccupied Washington since then-Defense Secretary Leon Panetta first uttered “cyber Pearl Harbor.”

It’s a tradition that NSA head Admiral Michael Rogers continued last November when he testified, “There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to do that. To enter our systems, to enter those industrial control systems, and to shut down, forestall our ability to operate, our basic infrastructure,” he said, “It enables you to shut down very segmented, very tailored parts of our infrastructure.”

To date, China appears to have no history of staging such attacks. Indeed, the most famous cyber-physical infrastructure hack remains the Stuxnet attack on Iran’s Natanz nuclear facility, widely attributed to but never claimed by the United States.

So how big a threat to critical infrastructure is China, really? Jonathan Pollet, founder of Red Tiger Security, says: too big to ignore, too small to panic over.

“China poses a very significant threat to U.S. critical infrastructure — but I say that with an asterisk,” Pollet told Defense One in an email. “At the present time, most security analysts don’t foresee China deliberately using its cyber capabilities to disrupt services in the U.S. or cause physical harm. For now, they are actively mapping our networks within the power grid, industrial facilities, oil/gas facilities, etc. They are doing this for multiple reasons, but the two main ones are to put them in a better position for any future military conflict with the U.S. and to steal U.S. R&D and other competitive information.

“However, given China’s moves in the South China Sea, we should discount the possibility of a future military conflict with China — or one of its proxies. Were this to happen it is highly likely they would utilize their cyber assets.”

Pollet has written that a Chinese attack on infrastructure would be difficult, but hardly impossible. Yet it is unlikely, he wrote, if only because it would reveal too much about China’s capabilities.

That sort of behavior is uncharacteristic of the way Chinese actors operate online. Take a look at the OPM breach, and before that, the one against Anthem, the nation’s second-largest insurer, or any of the many industrial espionage incidents that the U.S. has attributed to China. They all share something important: the malware was designed to avoid detection so as to keep stealing data as long as possible.

None of this is to suggest that U.S. infrastructure is secure from online attacks. It isn’t, and that insecurity represents the single most urgent online security threat facing the nation, one for which there is no single easy fix. But unless a larger war breaks out between the United States and China, Beijing isn’t likely to turn off your lights.

Drama aside, the fact that the White House and Beijing are a “long way” from even a symbolic agreement not to hack each other’s infrastructure says a lot about the distance between the two sides on basic language for what is and what is not normal online behavior.
