Criminal Justice & the Rule of Law Cybersecurity & Tech Foreign Relations & International Law

Disconcerting U.S. Cyber Deterrence Troubles Continue

Jack Goldsmith
Tuesday, September 15, 2015, 8:53 AM

Two weeks ago the newspapers were filled with leaked threats that the U.S. government was “developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cyber theft of valuable U.S.

Published by The Lawfare Institute
in Cooperation With

Two weeks ago the newspapers were filled with leaked threats that the U.S. government was “developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cyber theft of valuable U.S. trade secrets.” At the time I wrote that I was “skeptical that we will see anything more than symbolic or nominal sanctions, if that,” and showed that for years “the administration has considered and threatened sanctions against China for its cybertheft,” but “little if anything ever happens.”

This morning several sources report that the U.S. government has once again decided not to impose sanctions on China or its companies for their massive public and private cyber thefts. The excuse this time is Xi Jinping’s upcoming visit, plus some supposed progress between the countries on unnamed cybersecurity issues. But the real problem, quite obviously, is that the government still cannot figure out how to impose sanctions against identified perpetrators without causing more pain to U.S. interests than to our adversaries. Our adversaries are well aware of this. They are well aware because the U.S. government has been publicly flailing in its inability to respond to dozens and dozens of very harmful episodes in recent years. As DNI Clapper acknowledged just last week, the United States in cyber lacks “both the substance and the psychology of deterrence.”

David Sanger reports that President Obama recently had this to say about the matter:

“There comes a point at which we consider this a core national security threat.” If China and other nations cannot figure out the boundaries of what is acceptable, “we can choose to make this an area of competition, which I guarantee you we’ll win if we have to.”

We haven’t yet reached the point where this is a core national security threat? I keep using the word “embarrassing” to describe the U.S. position on these issues. But this statement takes the cake. Six and a half years ago, the President claimed that digital theft was a “matter of public safety and national security,” stated that the “cyber threat is one of the most serious economic and national security challenges we face as a nation,” and claimed that protecting the digital infrastructure “will be a national security priority.” Three and a half years ago the government claimed to be “considering a raft of options to more aggressively confront China over cyberspying.”

I don’t know what more China needs to do to the United States to make its digital activities in the United States a core national security threat to the United States. Listed below in Appendix A are some (only some) of the more significant reported episodes of China’s related cyber intrusions into public and private U.S. networks since the President’s speech in 2009. Look at all the digital episodes for which China has been deemed responsible or probably responsible, and imagine all of the dozens, probably hundreds, of major digital intrusions by China that are undiscovered or unreported. Listed in Appendix B are a few selected quotations, only since 2013, from U.S. officials complaining, in one form or another, about China’s extensive cyberintrusions.

In light of these episodes and statements, and in light of the government’s failure once again to impose any meaningful sanctions on China, ask yourself: Why is the U.S. government not treating the China digital threat as a core national security interest? Why has it not yet chosen to make this (in the President’s words) “an area of competition” with China? And why can’t it come up with a credible deterrence strategy? The answer to these questions can only be that despite the many, many losses the United States has suffered, the government thinks the nation would lose more – economically, politically, diplomatically, militarily, and/or in intelligence – if it fights back hard. Our adversaries understand this. And so we should expect the losses to continue until they become so bad that the calculus of retaliation and sanctions finally makes sense for the United States. One wonders, one fears, what extreme event or events will have to occur for us to reach that point.

A. Select China-Attributed Cyber Intrusions Since 2009

  • August 2015, American Airlines and Sabre (airline reservation system). “A group of China-linked hackers that has mowed through the databanks of major American health insurers and stolen personnel records of U.S. military and intelligence agencies has struck at the heart of the nation’s air-travel system, say people familiar with investigations of the attacks. Sabre Corp., which processes reservations for hundreds of airlines and thousands of hotels, confirmed that its systems were breached recently, while American Airlines Group Inc., the world’s biggest carrier, said it is investigating whether hackers had entered its computers.”

  • July 2015: United Airlines. “United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers . . . . Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations.”

  • June 2015, Office of Personnel Management. “U.S. officials suspect that hackers in China stole the personal records of as many as four million people in one of the most far-reaching breaches of government computers. The Federal Bureau of Investigation is probing the breach, detected in April at the Office of Personnel Management. The agency essentially functions as the federal government’s human resources department, managing background checks, pension payments and job training across dozens of federal agencies. Investigators suspect that hackers based in China are responsible for the attack, though the probe is continuing, according to people familiar with the matter. On Thursday, several U.S. officials described the breach as among the largest known thefts of government data in history.”

  • May 2015, Penn State. “Penn State University, which develops sensitive technology for the U.S. Navy, disclosed Friday that Chinese hackers have been sifting through the computers of its engineering school for more than two years. One of the country’s largest and most productive research universities, Penn State offers a potential treasure trove of technology that’s already being developed with partners for commercial applications. The breach suggests that foreign spies could be using universities as a backdoor to U.S. commercial and defense secrets. . . . The investigation and remediation efforts have already cost Penn State millions of dollars, said Nicholas Jones, the university provost.”

  • March 2015, Premera Blue Cross. “Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China. In a statement posted on a Web site set up to share information about the breach — — the company said that it learned about the attack on January 29, 2015.”

  • February 2015, Anthem (health insurance). “Investigators of Anthem Inc.’s data breach are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit, according to three people familiar with the probe. The breach, which exposed Social Security numbers and other sensitive details of 80 million customers, is one of the biggest thefts of medical-related customer data in U.S. history. The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group -- defense contractors, government workers and others . . . .”

  • January 2015, DoD and Defense Industrial Base. “A NSA briefing slide labeled ‘Top Secret’ and headlined ‘Chinese Exfiltrate Sensitive Military Data,’ states that the Chinese have stolen a massive amount of data from U.S. government and private contractors. . . . For the F-35, according to NSA the Chinese were able to obtain digital design information on several different types of radar modules used by the fighter.Northrop Grumman, the jet’s manufacturer, built the AN/APG-81 active, electronically scanned array radar for the F-35. The high-tech radar uses small, solid-state transmitter and receiver modules that allow the jet to avoid detection by enemy radar, a key stealth feature. . . . By learning the secrets, the Chinese were able to include the design and technology in Beijing’s new stealth jet, the J-20. The secret also could allow Chinese air defenses to target the F-35 in a future conflict. . . . China also stole data on the U.S. Transportation Command’s Single Mobility System. The network system is used by Transcom to plan missions for sending military troops and equipment by aircraft, ship, road, and rail in military operations. . . . In all, the NSA concluded that the Chinese compromised key weapons systems including the F-35, the B-2 bomber, the F-22 fighter-bomber, the Space Based Laser, and other systems.”

  • November 2014, “Back in late November, was hacked. If cyber security firms are right, Chinese hackers are to blame, but there’s not enough evidence to guarantee attribution just yet. The hackers tinkered with the Adobe Flash widget that delivers the Thought of the Day page that visitors to are taken to when they visit the site. The attackers did this to send specially-chosen visitors to a hacker-controlled site that would serve up an exploit against a zero-day vulnerability in Flash and, if it was needed, another flaw in Microsoft MSFT -2.38%’s Internet Explorer.”

  • August 2014, Community Health Systems. “Hackers might have stolen the personal data of approximately 4.5 million people, hospital group Community Health Systems disclosed Monday. . . . Data included patient names, addresses, Social Security numbers, birth dates, and telephone numbers, but did not include patient credit or health information, CHS said.”

  • July 2014, Office of Personnel Management. “Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances. The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use. . . . One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government.”

  • January 2013, The New York Times. “For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. . . . The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings. Security experts hired by The Times to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached The Times’s network.”

  • September 2012, Telvent.Canada Ltd. “A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests. . . . In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.”

  • July 2012, Pacific Gas & Electric and Wiley Rein (law firm). “Working together in secret, some 30 North American private security . . . . [T]he group succeeded in breaking into the computer network of at least one facility, Diablo Canyon nuclear plant, next to the Hosgri fault north of Santa Barbara, . . . . Last August, the plant’s incident management team saw an anonymous Internet post that had been making the rounds among cybersecurity professionals. It purported to identify web domains being used by a Chinese hacking group, including one that suggested a possible connection to Diablo plant operator Pacific Gas & Electric Co . . . . Around the time the hackers were sending malware-laden e-mails to U.S. nuclear facilities, six people at the Wiley Rein law firm were ushered into hastily called meetings. In the room were an ethics compliance officer and a person from the firm’s information technology team, according to a person familiar with the investigation. The firm had been hacked, each of the six were told, and they were the targets.”

  • April 2012, (news website reporting on Bo Xilai scandal). “A cyber-attack has crippled a US-based website that has reported extensively on China's biggest political turmoil in was forced to move to a another hosting service on Friday after its previous host said the attacks were threatening its entire business, said the website's manager, Watson Meng. He added that he believed the attacks were ordered by China's security services, but that it was unclear where they were launched from. The assaults on Boxun's server followed days of reporting on Bo Xilai, . . . .”

  • March 2012, NASA. “NASA said hackers stole employee credentials and gained access to mission-critical projects last year in 13 major network breaches that could compromise U.S. national security. . . . The space agency discovered in November that hackers working through an Internet Protocol address in China broke into the -network of NASA's Jet Propulsion Laboratory, . . . . He said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems.”

  • April 2011, RSA (computer security). “The hack last month at RSA Security has been shrouded in mystery. . . . [C]ould the data that was stolen be used to impair its SecurID products, which are used by 40 million businesses that are trying to keep their own networks safe from intruders? . . . [A]n unclassified document from the United States Computer Emergency Readiness Team (US-CERT) obtained by the blogger Brian Krebs revealed three Web addresses used in the intrusion, one of which includes the letters ‘PRC,’ which could refer to the People’s Republic of China — or it could be a ruse.”

  • January 2010, Operation Aurora. “Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. At least 34 companies -- including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical -- were attacked . . . .”

  • April 2009, F-35 Joint Strike Fighter. “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever . . . . [W]hile the spies were able to download sizable amounts of data related to the jet-fighter, they weren't able to access the most sensitive material, which is stored on computers not connected to the Internet. Former U.S. officials say the attacks appear to have originated in China.”

B. USG Officials’ Statements on Cyber Intrusions Since 2013

  • Tom Donilon, March 11, 2013: “It is in this last category that our concerns have moved to the forefront of our agenda. I am not talking about ordinary cybercrime or hacking. And, this is not solely a national security concern or a concern of the U.S. government. Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats. From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”

  • Chuck Hagel, June 1, 2013: “We are also clear-eyed about the challenges in cyber. The United States has expressed our concerns about the growing threat of cyber intrusions, some of which appear to be tied to the Chinese government and military. As the world’s two largest economies, the U.S. and China have many areas of common interest and concern, and the establishment of a cyber working group is a positive step in fostering U.S.-China dialogue on cyber. We are determined to work more vigorously with China and other partners to establish international norms of responsible behavior in cyberspace.

  • DNI 2014 Worldwide Threat Assessment: “China’s cyber operations reflect its leadership’s priorities of economic growth, domestic political stability, and military preparedness. Chinese leaders continue to pursue dual tracks of facilitating Internet access for economic development and commerce and policing online behaviors deemed threatening to social order and regime survival. Internationally, China also seeks to revise the multi-stakeholder model Internet governance while continuing its expansive worldwide program of network exploitation and intellectual property theft.”

  • Barack Obama, February 13, 2015: “The same information technologies that help make our military the most advanced in the world are targeted by hackers from China and Russia who go after our defense contractors and systems that are built for our troops.”

  • 2015 DNI Worldwide Threat Assessment: “China. Chinese economic espionage against US companies remains a significant issue. The “advanced persistent threat” activities continue despite detailed private sector reports, public indictments, and US demarches, according to a computer security study. China is an advanced cyber actor; however, Chinese hackers often use less sophisticated cyber tools to access targets. Improved cyber defenses would require hackers to use more sophisticated skills and make China’s economic espionage more costly and difficult to conduct.”

  • Ash Carter, April 23, 2015: “Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations.”

  • Jack Lew at June 23, 2015 Strategic and Economic Dialogue: “On cyberspace, in particular, we remain deeply concerned about Chinese government-sponsored cyber-enabled theft of confidential business information and proprietary technology from U.S. companies. Such activity falls outside of the bounds of acceptable state behavior in cyberspace. A more open, secure, interoperable and reliable cyberspace is critical to free and fair commerce and we look forward to discussing these matters further.”

Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Senior Fellow at the Hoover Institution. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.

Subscribe to Lawfare