China on Friday called on the U.S. government to stop leveling ‘groundless accusations’ against the Chinese government over high-profile hacks like the one recently discovered at the U.S. Office of Personnel Management.
“Maintaining cybersecurity should be a point of cooperation rather than a source of friction between both China and the United States,” Chinese Foreign Ministry spokesman Hong Lei said during a daily news briefing early Friday, according to Reuters.
“We hope that the U.S. stops its groundless attacks against China, start dialogue based on a foundation of mutual respect, and jointly build a cyberspace that is peaceful, secure, open and cooperative.”
Lei’s comments came in response to those made by Director of National Intelligence James Clapper during a House Intelligence Committee hearing Thursday with the heads of FBI, CIA, DIA, NSA and U.S. Cyber Command, where Clapper told lawmakers the U.S. needed a new strategy to deter future acts of cyber aggression by China and other nations.
“Our primary concern are the low to moderate-level cyberattacks from a variety of sources which will continue, and probably expand,” Clapper told legislators Thursday. “This imposes increasing costs … to our businesses, to U.S. economic competitiveness and national security.”
“These cyber threats come from a range of actors including nation states, which fall into, at least in my mind, two broad categories — those with highly sophisticated cyber programs, most notably Russia and China, [and] those with lesser technical capabilities, but more nefarious intent such as Iran and North Korea, who are also more aggressive and more unpredictable.”
Recently the Obama administration has responded to such attacks with economic sanctions, like those imposed against North Korea for its alleged role in the hack of Sony Pictures late last year. Similar sanctions are reportedly being considered against China for its alleged role in OPM, first revealed by Clapper, who said Thursday there was no evidence the Chinese have done anything with the data stolen from more than 20 million federal employees.
That strategy isn’t enough to deter future cyber intrusions and attacks, according to agency heads and lawmakers alike, who remarked on the need for a clear line of delineation between what qualifies as an act of cyber espionage and cyber war, and a policy framework for an appropriate response in each case to act as a deterrent to foreign actors.
“So for us, particularly, in the DOD side, I’m pretty comfortable that we’ve got a fairly well-understood characterization of what is defensive in nature, in terms of actions and response,” director of NSA and commander of U.S. Cyber Command Adm. Michael Rogers said during the hearing.
“The bigger challenge, in some ways, is there is still uncertainty about how would you characterize what is offensive and what is authorized. Again, that boils down, ultimately, to a policy decision. And to date we have tended to do that on a case-by-case basis.”
Clapper and Rogers reiterated to lawmakers the importance of noting the differences between a cyberattack like that against Sony, meant to cause damage, cyber theft from private companies meant to gain economic advantage, and cyber espionage like OPM, with the end goal being counterintelligence.
“To date, we’ve tried to be somewhat nuanced, if you will, in how we as a government have responded,” Rogers said, adding it was up to policymakers to decide on a set of acceptable norms in cyberspace.
“We clearly understand nation states use the spectrum of capabilities they have to attempt to generate insights on the world around them. But that does not mean that the use of cyber for manipulative, destructive purposes is acceptable. It does not mean that the use of cyber for the extraction of massive amounts of personally identifiable information is acceptable. And we’re going to have to work our way through how we develop all that in a much more refined way than we have to date.”
Without putting in place a clearly communicated expectation of consequences to global actors, cyber theft, espionage and attack will certainly continue and likely expand, according to Rogers and Clapper.
“A purely reactive defensive strategy is not ultimately, I think, going to change the dynamic where we are now,” Rogers told the committee. “And the dynamic we find ourselves in now, I don’t think is acceptable to anyone.”
Those attacks could eventually escalate into a major cyberattack against critical U.S. infrastructure like financial institutions and power grids, which hackers continue to probe, according to documents obtained via the Freedom of Information Act by USA Today this week. According to the documents, hackers penetrated the Department of Energy’s computer system more than 150 times between 2010 and 2014.
“Although we must be prepared for a large, armageddon-scale strike that would debilitate the entire U.S. infrastructure, it’s not our belief that’s the most likely scenario,” Clapper said.
Rogers has previously gone on record saying during his tenure overseeing U.S. Cyber Command he believes such an attack is a matter of “when,” not “if.”
China will host a technology forum in Seattle on Sept. 23 to demonstrate the U.S. economy’s dependence on China in the face of possible sanctions, with Apple’s Tim Cook and representatives from Google expected to attend. Facebook, IBM, Uber and others have also been invited. The forum will coincide with a state visit by Chinese President Xi Jinping.
“China and the United States actually can make cyber security a point of cooperation,” State Councilor Yang Jiechi said in the state-run China Daily Friday.
“We hope China, the United States and other countries could work together to work out the rules for cyber security in the international arena in the spirit of mutual respect, equality and mutual benefit.”