America's counterintelligence czar, Dr. Joel F. Brenner, painted an alarming picture of economic espionage in 2006, albeit in the objective tones and neutral parlance of the intelligence community. He reported to Congress that "foreign collection efforts have hurt the United States in several ways":
- Foreign technology collection efforts have "eroded the US military advantage by enabling foreign militaries to acquire sophisticated capabilities that might otherwise have taken years to develop."
- "[M]assive" industrial espionage has "undercut the US economy by making it possible for foreign firms to gain a competitive economic edge over US companies."
Dr. Brenner characterizes China as "very aggressive" in acquiring U.S. advanced technology. "The technology bleed to China, among others, is a very serious problem," he said in March 2007, noting that "you can now, from the comfort of your own home or office, exfiltrate information electronically from somebody else's computer around the world without the expense and risk of trying to grow a spy."
On November 15, 2007, the bipartisan, congressionally chartered U.S.-China Economic and Security Review Commission (USCC) put a finer point on it: "Chinese espionage activities in the United States are so extensive that they comprise the single greatest risk to the security of American technologies." Cyberpenetration is by far China's most effective espionage tool, and it is one that China's spy agencies use against America's allies almost as much as against U.S. targets.
Targeting America. The U.S. military has been the primary target of Chinese cyberattacks, followed closely by the Departments of State, Commerce, and Homeland Security. Academic, industrial, defense, and financial databases are also vulnerable. Regrettably, American officials tend to be very sensitive to China's feelings and refrain from public allegations that the attacks are launched by Chinese agents, even though, as one U.S. cybersecurity expert points out, "the Chinese are in half of your agencies' systems" already.
In fact, Chinese cyberwarfare units have already penetrated the Pentagon's unclassified NIPRNet (Unclassified but Sensitive Internet Protocol Router Network) and have designed software to disable it in wartime. One general officer admitted that "China has downloaded 10 to 20 terabytes of data from the NIPRNet already" and added, "There is a nation-state threat by the Chinese."
Richard Lawless, then Deputy Under Secretary of Defense for Asia-Pacific affairs, told a congressional committee on June 13, 2007, that the Chinese are "leveraging information technology expertise available in China's booming economy to make significant strides in cyber-warfare." Lawless noted that the Chinese military's "determination to familiarize themselves and dominate to some degree the Internet capabilities...provide[s] them with a growing and very impressive capability that we are very mindful of and are spending a lot of time watching."
The Chinese People's Liberation Army's cyberwarfare units now have the source code for America's ubiquitous office software--provided to the Chinese government as a condition of doing business in China. This means that they essentially have a skeleton key to almost every networked government, military, business, or private computer in America that is accessible through the Internet.
What the Administration and Congress Should Do. Recent cyberattacks on the United States and its allies combined with warnings from the Defense Science Board and the U.S.-China Economic and Security Review Commission emphasize the seriousness of this growing threat to U.S. national security. To address this threat, the Administration and Congress should:
- Identify China as an intelligence risk. The Office of the National Counterintelligence Executive, the Department of Justice, and the FBI should follow the USCC's lead and identify China as the top spy threat. Congress should hold public hearings on the problem.
- Address the legal impediments to criminal prosecution of cyberspies. Current U.S. criminal laws are vague about assisting unknown foreign actors to penetrate secure networks for information-gathering purposes.
- Closely examine Chinese commercial investments in cyber companies. The Treasury Department's Committee on Foreign Investment in the United States should closely examine any attempt by Chinese military or intelligence to gain access to U.S. cybertechnology operations via commercial investments.
- Require software companies to patch vulnerabilities quickly. Software firms should be required to give first priority to the most critical vulnerabilities and should coordinate with U.S. government cybersecurity offices in identifying, assessing the risks from, and patching and/or mitigating vulnerabilities.
- Require "trustworthiness" in critical information technology (IT) systems. Components for defense-critical IT systems--from chips to storage devices--must come only from trusted and certified firms. Congress must address the disappearance of an industrial capacity to manufacture trusted IT equipment for defense needs over the long term.
- Strengthen America's engineering and scientific competitiveness. At a minimum, Congress should offer "national service" incentives, including scholarships and internships, to students in information science and technology fields. Congress should also urge the defense and intelligence agencies to leverage competition among the U.S. national laboratories to sustain peak innovation in IT research and development on highly classified systems.
Conclusion. America's vulnerability to cyberattacks is a critical threat to national security. If the Administration and Congress do not address these problems and implement the 2005 recommendations of the Defense Science Board, the fix will become prohibitively expensive and/or America's national security will be irreversibly compromised.
John J. Tkacik, Jr., is Senior Research Fellow in China, Taiwan, and Mongolia Policy in the Asian Studies Center at The Heritage Foundation.