The Great Chinese Cyber War Dragon

cftsmoke
Published in Homeland Security, Jul 25, 2014

or Just another day on the cyber beat?

Hold on to your cyber boogeyman beliefs because this is going to go against everything the sensationalist media and certain agency warnings would have you believe about the Great Chinese Cyber Threat that is supposedly ruining our country and causing our slide from greatness. I will argue that the threat from Chinese hacking efforts is undoubtedly a concern that requires the attention of the US government, but that it may be overblown for specific reasons and pales in comparison to the threat private industry faces from sophisticated cyber criminals who are attacking every day and are only in it for the money.

Thanks to the sensationalist media, most Americans now believe that the Chinese government is behind the majority of cyber intrusions being reported on a daily basis. Supposedly, our state secrets are being stolen at uncontrollable speed through intrusions that are either acts of cyber war or espionage conducted by Chinese state-sponsored actors to provide a competitive advantage for the Chinese state. But is it possible that the threat being depicted as Chinese government cyber-super hackers is being overblown by government entities that are more interested in budgetary gain than truth in reporting?

You want sensationalism? How about the 2012 Wall Street Journal article which quoted former DHS Secretary Chertoff and former ODNI McConnell as claiming that Chinese national policy calls for large-scale economic espionage, predominately through cyber attacks and “insider” theft of intellectual property, and that the Chinese government has decided it is more efficient to steal corporate secrets and produce products faster and cheaper than possible in the US? Or how about the often-repeated 2012 speech by Secretary of Defense (and former CIA Director) Leon Panetta in which he predicted an oncoming “cyber Pearl Harbor” which threatens our nation’s security? This type of hyperbole has become the norm rather than the exception.

But what do unbiased experts and comprehensive studies say? Cyber War? Noted cyber security expert Marcus Ranum dismisses cyber war as unattainable by definition. He agrees that cyber attacks could marginally support kinetic attacks, but the goals of war are not attainable through cyber means. Additionally, he believes the military has promoted cyber war so they could lay claim to cyberspace as a battle space, and that “anyone talking about cyberwar is trying to increase their influence”. Ranum also points out that “there is a growing concern that sooner or later, someone is going to ask, ‘why do you have all this expensive cyber security stuff, when you keep getting owned by 14-year-old kids?’” Lest you think Ranum is an outlier, consider that such notables in the cyber security field as Martin Libicki, Erik Gartzke, M.E. O’Connell and Ross Anderson have all joined in the chorus warning that militarizing cyberspace is the wrong approach.

Ok, so cyber war is questionable? How about the cyber espionage that is ruining our country’s economic outlook?

Consider the annual Verizon Data Breach Study, which draws upon 15 years’ worth of data from over 50 international CERT and cyber security teams, private industry, and law enforcement sources, and is considered one of the most comprehensive studies of its kind. In over 63,000 cyber incidents reported, only 27% are classified as cyber espionage whereas almost 60% were classified as financially motivated cyber crimes. Or how about the June 2014 CSIS/McAfee report, which estimates the worldwide cost of cyber crime at $445B-$575B for loss, cost of defense and recovery? Even the ODNI, in its 2014 Worldwide Threat Assessment, ranked cyber crime as the number 1 threat to the nation, above even terrorism, espionage and WMD. Who am I to argue? We have a cyber crime problem.

And how do you fix a crime problem? Do you let your intelligence agencies collect intel on criminals? No. Let them concentrate on true spying. Even elementary school kids know that you should ask law enforcement professionals to investigate, indict and arrest the attacker or deter them from committing crimes in the first place. Those operations have obviously had a deterrent effect. If elementary school kids know that, how come we can’t figure it out?
