In justifying U.S. involvement in Libya, the Obama administration cited the "responsibility to protect" citizens of other countries when their governments engage in widespread violence against them. But in the realm of cyberspace, the administration is ignoring its primary responsibility to protect its own citizens when they are targeted for harm by a foreign government.
Senior U.S. officials know well that the government of China is systematically attacking the computer networks of the U.S. government and American corporations. Beijing is successfully stealing research and development, software source code, manufacturing know-how and government plans. In a global competition among knowledge-based economies, Chinese cyberoperations are eroding America's advantage.
The Chinese government indignantly denies these charges, claiming that the attackers are nongovernmental Chinese hackers, or other governments pretending to be China, or that the attacks are fictions generated by anti-Chinese elements in the United States. Experts in the U.S. and allied governments find these denials hard to believe.
Three years ago, the head of the British Security Service wrote to hundreds of corporate chief executive officers in the U.K. to advise them that their companies had in all probability been hacked by the government of China. Neither the FBI nor the Department of Homeland Security has issued such a notice to U.S. executives, but most corporate leaders already know it.
Some, like Google, have the courage to admit that they have been the victims of Chinese hacking. We now know that the "Aurora" attack (so named by the U.S. government because the English word appears in the attack software) against Google in 2009 also hit dozens of other information technology companies—allegedly including Adobe, Juniper and Cisco—seeking their source code. Aurora wasn't an isolated event. This month Google renewed its charge against China, noting that the Gmail accounts of senior U.S. officials had been compromised from a server in China. The targeting of specific U.S. officials is not something that a mere hacker gang could do.
The Aurora attacks were followed by systematic penetrations of one industry after another. In the so-called Night Dragon series, attackers apparently in China went after major oil and gas companies, not only in the U.S. but throughout the world. The German government claims that the personal computer of Chancellor Angela Merkel was hacked by the Chinese government. Australia has also claimed that its prime minister was targeted by Chinese hackers.
Recently the computer-security company RSA (a division of EMC) was penetrated by an intrusion which appears to have stolen the secret sauce behind the company's SecureID. That system is widely used to protect critical computer networks. And this month, the largest U.S. defense contractor, Lockheed, was subject to cyberespionage, apparently by someone using the stolen RSA data. Cyber criminals don't hack defense contractors—they go after banks and credit cards. Despite Beijing's public denials, this attack and many others have all the hallmarks of Chinese government operations.
In 2009, this newspaper reported that the control systems for the U.S. electric power grid had been hacked and secret openings created so that the attacker could get back in with ease. Far from denying the story, President Obama publicly stated that "cyber intruders have probed our electrical grid."
There is no money to steal on the electrical grid, nor is there any intelligence value that would justify cyber espionage: The only point to penetrating the grid's controls is to counter American military superiority by threatening to damage the underpinning of the U.S. economy. Chinese military strategists have written about how in this way a nation like China could gain an equal footing with the militarily superior United States.
What would we do if we discovered that Chinese explosives had been laid throughout our national electrical system? The public would demand a government response. If, however, the explosive is a digital bomb that could do even more damage, our response is apparently muted—especially from our government.
Congress hasn't passed a single piece of significant cybersecurity legislation. When the Chinese deny senior U.S. officials' claims (made in private) that Beijing is stealing terabytes of data in the U.S., Congress should not leave the American people in doubt. It should demand answers to basic questions:
What does the administration know about the role of the Chinese government in cyberattacks on public and private computer networks in the United States?
If there is widespread Chinese hacking of sensitive U.S. networks and critical infrastructure, what has the administration said about it to the Chinese government? Specifically, did President Obama raise concerns about these attacks with Chinese President Hu Jintao at the White House this spring?
Since defensive measures such as antivirus software and firewalls appear unable to stop the Chinese penetrations, does the administration have any plan to address these cyberattacks?
In private, U.S. officials admit that the government has no strategy to stop the Chinese cyberassault. Rather than defending American companies, the Pentagon seems focused on "active defense," by which it means offense. That cyberoffense might be employed if China were ever to launch a massive cyberwar on the U.S. But in the daily guerrilla cyberwar with China, our government is engaged in defending only its own networks. It is failing in its responsibility to protect the rest of America from Chinese cyberattack.
Mr. Clarke was a national security official in the White House for three presidents. He is chairman of Good Harbor Consulting, a security risk management consultancy for governments and corporations.
Saturday, April 20, 2013
Richard Clarke: China's Cyberassault on America - WSJ.com