"Our government ... is failing in its responsibility to protect the rest of America from Chinese cyberattack."
"At some point, we are going to have to develop a context in which we can actually discuss this and, I would think, draw some red lines around areas that we don't want them [the Chinese government] into and they might not want us into."
These statement are from two interesting cyber security articles published today, one by the Wall Street Journal and the other by Reuters.
The first statement is from an op-ed piece at the WSJ by Richard Clark, the well-known former national security official in the White House under the Bush I, Clinton and Bush II administrations and author of a recent book on cyber warfare. Mr. Clark says that even though the Chinese government vehemently denies it, that:
"Senior U.S. officials know well that the government of China is systematically attacking the computer networks of the U.S. government and American corporations. Beijing is successfully stealing research and development, software source code, manufacturing know how and government plans. In a global competition among knowledge-based economies, Chinese cyber operations are eroding America's advantage."
In addition, Mr. Clarke asks:
"What would we do if we discovered that Chinese explosives had been laid throughout our national electrical system? The public would demand a government response. If, however, the explosive is a digital bomb that could do even more damage, our response is apparently muted - especially from our government."
Mr. Clarke says that the US government should be telling the American people openly what is known about Chinese-government cyber espionage/hacking and what President Obama's administration intends to do about it, especially since at the current time, he states:
"In private, U.S. officials admit that the government has no strategy to stop the Chinese cyber assault."
As if to partially answer the question about what the US government should do about the situation were opinions coincidentally offered by Jon Huntsman, the former U.S. ambassador to China and now presidential candidate and Henry Kissinger, former Secretary of State under Presidents Nixon and Ford, architect of the concept of detente and who helped thaw US-China relations in the 1970s.
Both Ambassador Huntsman, whose made the second statement at the beginning of the post, and Dr. Kissinger, indicated at a Thomson Reuters event (video here) that a "US-China cyber detente" (a Reuters description) was needed. Dr. Kissinger stated that without some overall agreement concerning cyber security between the two countries, relations between them were likely to deteriorate. He was quoted as saying:
"If you take it case by case it will lead to accusations and counteraccusations,"
which is of course already happening.
Ambassador Huntsman agreed with Mr. Clarke in that the extent of Chinese hacking of US IT systems needs to be made public, which I presume also implies - in the spirit of detente - that US hacking of Chinese systems needs to be made public as well.
The Reuters article quoted Chinese Foreign Ministry spokesman Hong Lei as saying yesterday that China is open for discussions on the cyber security issue:
"China has also many times reiterated that we are willing to open up exchanges and cooperation with the international community about Internet security."
Of course, even if you could reach some sort of cyber detente between the US and China, if wouldn't necessarily stop third-party allies of either from acting as proxies to carry on the hacking.
Additionally, the US isn't the only country China is likely hacking, or vice versa. I am not sure how US-China cyber detente would amount to much in the overall scheme of things given that every country is a potential cyber threat. When Dr. Kissinger developed the idea of detente during the Cold War, there were only a few nuclear players that had to be dealt with.
I guess cyber detente is worth a try, but I am skeptical of much coming out of it.
I would like to hear the thoughts of Risk Factor readers on this cyber detente or confrontation issue.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.