Fidelis Blog


Taming the Tiger: Domestic and foreign policy complexities in curbing China’s cyber-espionage campaign

For years China has engaged in a systematic process to extract intellectual property and state secrets from the United States in direct support of their five-year plans.

A Brief History

Given the United States’ economic reliance on China, at this point there’s probably nothing short of a kinetic response that is going to stop the Chinese from performing these operations. Consider this timeline:

Meanwhile, dozens of high-profile cyber-espionage operations were being conducted by China against US commercial interests and, most recently, critical Federal agencies. (CSIS has a great list of significant breaches since 2006.)

Rumors of White House Sanctions

Now it’s September 2015 and Xi Jinping is set to come to the United States. There have been rumblings that the White House plans to put sanctions in place as early as this week, prior to Xi’s visit. Many have speculated about how deep the sanctions may go, and whether they will be against Chinese corporations suspected to have benefited from cyber-espionage campaigns or targeted against China itself. I believe it will probably be the former.

Sanctions that directly target China could hurt the US economy. With the US presidential election heating up and the economy continuing a slow recovery, deep-cutting sanctions are unlikely AND their potential impact is questionable (I’ll explain).

There have been talks in the past about the United States making a formal complaint to the World Trade Organization. Political and legal experts argue that this would be preferable to US-imposed sanctions.

China Trade By The Numbers

China is a cornerstone of the US economy. According to data supplied by the US Census Bureau, the United States imported more than $466B worth of goods from China in 2014, up from $243B in 2005. This represents a compound annual growth rate of 7.5%. In other words, every year Americans are expanding their purchases of Chinese goods. Compare this with the 12.99% of US exports that went to China over the same period. Visually, here’s the historical data from 1985 to 2014 I threw into Tableau for a little eye candy:

China Imports and Exports in Billions via U.S. Census Bureau

US imports from China outrank those from every other nation in the world. When it comes to exports, China ranks #3, behind Canada and Mexico. Suffice it to say, China is pivotal to the success and stability of our economy. I haven’t even scratched the surface of the effect that US-China trade has on the global economy, but this was evident during the market correction of August 2015.

Sanction Effectiveness

In the book Economic Sanctions Reconsidered by Gary Clyde Hufbauer et al., Mr. Hufbauer analyzes sanctions and provides some insights about their effectiveness. See the US sanctions analysis from this Financial Times article by John McDermott. According to this data, US sanctions were somewhat more effective from 1990-2000 but still only succeeded 57% of the time. If the proposed sanctions against China are only designed to effect “modest policy changes,” we may have a shot… but if it’s classified as “disruption of military adventures,” we are in trouble. Sanctions of that type haven’t been successful since the 1950s and 60s.

Tactical Response

The US needs to figure out how to accelerate (and encourage) government agencies and commercial organizations to bolster their cyber-defense (NOT cyber-defense prevention) capabilities.

This boils down to two main areas:

1. Invest in people. There is a major cyber security skills shortage. Today, security is more about the knowledge and experience of individuals than having the latest and greatest technology. While appropriate technology can enhance an organization’s posture, you still need people to back it up. Technology should work for people, not the other way around.

One way the government and commercial organizations can close the infosec skills shortage gap is to focus on our youth. Organizations like 1nterrupt and CyberPatriots have sprung up and seek to educate and train high school kids on hacking and response techniques.

2. Focus on detection and response. In our industry, the term “dwell time” refers to the time an attacker spends in a network before they are discovered. According to Mandiant, in 2014 the median dwell time for targeted attacks was 229 days. Every analyst and responder’s job should be to reduce the time from the initial compromise to the discovery.

If large corporations and governments that spend millions on security continue to be compromised, perhaps it is time to adopt a new model. Organizations need to assume they are in a state of continuous compromise. That is, they need to assume they are constantly being breached. Then, they need to invest in detection and response technology rather than adding redundant preventive measures.

It is clear from the report to Congress on the Target breach that the problem is bigger than technology alone. Target spent millions of dollars on security infrastructure. But without a similar focus on people and an effective detection/response strategy, it’s not surprising to see organizations repeatedly compromised.

Final Thoughts

There is no easy solution that will compel China to stop systematically vacuuming intellectual property out of private organizations. Or as General Keith Alexander has said, we’re experiencing “the greatest transfer of wealth in history”.

Whether the US turns to Mexico, Brazil, India or looks within its own borders, it needs to focus on becoming less dependent on China for cheap Walmart goods and technology manufacturing. If the US doesn’t do it for the purpose of diversifying economic imports, it should at least do it for national security’s sake.

-Justin Harvey
