America's counterintelligence czar, Dr. Joel F. Brenner, painted
an alarming picture of economic espionage in 2006, albeit in the
objective tones and neutral parlance of the intelligence community.
He reported to Congress that "foreign collection efforts have hurt
the United States in several ways":
- Foreign technology collection efforts have "eroded the US
military advantage by enabling foreign militaries to acquire
sophisticated capabilities that might otherwise have taken years to
develop."
- "[M]assive" industrial espionage has "undercut the US economy
by making it possible for foreign firms to gain a competitive
economic edge over US companies."
Dr. Brenner characterizes China as "very aggressive" in
acquiring U.S. advanced technology. "The technology bleed to China,
among others, is a very serious problem," he said in March 2007,
noting that "you can now, from the comfort of your own home or
office, exfiltrate information electronically from somebody else's
computer around the world without the expense and risk of trying to
grow a spy."
On November 15, 2007, the bipartisan, congressionally chartered
U.S.-China Economic and Security Review Commission (USCC) put a
finer point on it: "Chinese espionage activities in the United
States are so extensive that they comprise the single greatest
risk to the security of American technologies."
Cyberpenetration is by far China's most effective espionage tool,
and it is one that China's spy agencies use against America's
allies almost as much as against U.S. targets.
Targeting America. The U.S. military has been the primary
target of Chinese cyberattacks, followed closely by the Departments
of State, Commerce, and Homeland Security. Academic, industrial,
defense, and financial databases are also vulnerable. Regrettably,
American officials tend to be very sensitive to China's feelings
and refrain from public allegations that the attacks are launched
by Chinese agents, even though, as one U.S. cybersecurity expert
points out, "the Chinese are in half of your agencies' systems"
already.
In fact, Chinese cyberwarfare units have already penetrated
the Pentagon's unclassified NIPRNet (Unclassified but Sensitive
Internet Protocol Router Network) and have designed software to
disable it in wartime. One general officer admitted that "China
has downloaded 10 to 20 terabytes of data from the NIPRNet already"
and added, "There is a nation-state threat by the Chinese."
Richard Lawless, then Deputy Under Secretary of Defense for
Asia-Pacific affairs, told a congressional committee on June 13,
2007, that the Chinese are "leveraging information technology
expertise available in China's booming economy to make significant
strides in cyber-warfare." Lawless noted that the Chinese
military's "determination to familiarize themselves and dominate to
some degree the Internet capabilities...provide[s] them with a
growing and very impressive capability that we are very mindful of
and are spending a lot of time watching."
Chinese People's Liberation Army's cyberwarfare units now have
the source codes for America's ubiquitous office software--provided
to the Chinese government as a condition of doing business in
China. This means that they essentially have a skeleton key to
almost every networked government, military, business, or private
computer in America that is accessible through the Internet.
What the Administration and Congress Should Do.Recent
cyberattacks on the United States and its allies combined with
warnings from the Defense Science Board and the U.S.-China Economic
and Security Review Commission emphasize the seriousness of this
growing threat to U.S. national security. To address this threat,
the Administration and Congress should:
- Identify China as an intelligence risk. The Office of
the National Counterintelligence Executive, the Department of
Justice, and the FBI should follow the USCC's lead and identify
China as the top spy threat. Congress should hold public
hearings on the problem.
- Address the legal impediments to criminal prosecution of
cyberspies. Current U.S. criminal laws are vague about
assisting unknown foreign actors to penetrate secure networks for
information-gathering purposes.
- Closely examine Chinese commercial investments in cyber
companies. The Treasury Department's Committee on Foreign
Investment in the United States should closely examine any attempt
by Chinese military or intelligence to gain access to U.S.
cybertechnology operations via commercial investments.
- Require software companies to patch vulnerabilities
quickly. Software firms should be required to give first
priority to the most critical vulnerabilities and should coordinate
with U.S. government cybersecurity offices in identifying,
assessing the risks from, and patching and/or mitigating
vulnerabilities.
- Require "trustworthiness" in critical information technology
(IT) systems. Components for defense-critical IT systems--from
chips to storage devices--must come only from trusted and certified
firms. Congress must address the disappearance of an industrial
capacity to manufacture trusted IT equipment for defense needs over
the long term.
- Strengthen America's engineering and scientific
competitiveness. At a minimum, Congress should offer "national
service" incentives, including scholarships and internships, to
students in information science and technology fields. Congress
should also urge the defense and intelligence agencies to leverage
competition among the U.S. national laboratories to sustain peak
innovation in IT research and development on highly classified
systems.
Conclusion.America's vulnerability to cyberattacks is a
critical threat to national security. If the Administration and
Congress do not address these problems and implement the 2005
recommendations of the Defense Science Board, the fix will become
prohibitively expensive and/or America's national security will be
irreversibly compromised.
John J. Tkacik, Jr., is
Senior Research Fellow in China, Taiwan, and Mongolia Policy in the
Asian Studies Center at The Heritage Foundation.