U.S., British officials target Chinese as source of cyberattacks

High-ranking officials in the United Kingdom and the United States have for the first time publicly identified the Chinese government as the source of cyberattacks, warning that China has penetrated both government and business networks with potentially disastrous consequences.

Jonathan Evans, director-general of MI5, the U.K.'s counterintelligence and security service, told British companies last week that they were under attack by "Chinese state organizations," The Times of London reported Saturday.

Marine Gen. James Cartwright, the vice chairman of the Joint Chefs of Staff, has portrayed the effects of large-scale Chinese-backed denial-of-service attacks against U.S systems and networks as potentially having an effect equal to "the magnitude of a weapon of mass destruction." The characterization came in a little-noticed report to Congress released by the U.S.-China Economic and Security Review Commission late last month.

Security analysts said the comments of Cartwright and Evans mark the first time that high-level officials in either the United States or the U.K. have publicly identified the Chinese government as the source of widespread cyberattacks.

Antivirus software company McAfee stated in its annual Virtual Criminology Report released last week that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others.

The Times of London said Evans told British companies doing business in China that they are being targeted by the Chinese army, which is using the Internet to steal confidential commercial information that can be used to benefit Chinese companies.

Evans' alert was posted on the Web site of the UK's Centre for the Protection of the National Infrastructure. The Times said Evans used the site to warn companies "about the possible damage to U.K. business resulting from electronic attacks sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best practice IT security systems." Access to secure parts of the CPNI Web site is limited to companies and organizations that make up the U.K. critical infrastructure, including banks, telecommunication firms, energy companies and utilities.

Alan Paller, director of research at the SANS Institute, a provider of information security training, certification and research, called the MI5 warning "the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth."

In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and "vapid guidance" from the National Institute of Standards and Technology.

Attacks Could Cause 'Cataclysmic Harm'

Cartwright testified before the U.S.-China Economic and Security Review Commission in March, when he was still head of the U.S. Strategic Command, which has responsibility for information operations in the Defense Department. He told the commission that China currently has a larger capability to conduct denial-of-service attacks than any other country, and such attacks have "the potential to cause cataclysmic harm if conducted against the United States on a large scale."

He testified that the Chinese are making "plans to use this type of capability in a military context." He added, "I don't think the [United States] has gotten its head around this issue yet, but I think we should start to consider that the regret factors associated with a cyberattack could, in fact, be in the magnitude of a weapon of mass destruction."

China also is "actively engaging in cyber reconnaissance" by probing the computer networks of U.S. government agencies as well as private companies, Cartwright said. The data collected from these probes, he told the commission, could be used to identify weak points in U.S. networks, discover the communications patterns of government agencies and obtain valuable information stored throughout networks.

Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Bruce Schneir, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.

"We're not used to seeing the head of MI5 and a top general saying that China is the problem," Schneir said. Maybe, he said, "they decided enough is enough." He said he believed that Cartwright was engaging in hyperbole when he warned of a cataclysmic effect on the United States from a large-scale Chinese denial-of-service attack. The country, he noted, managed to weather an electrical outage that crippled much of Northeast in 2004.

Paller said he found Cartwright's comments on the Chinese capability to launch massive denial-of-service attacks particularly significant, because this scenario has never been publicly discussed by such a high-ranking official.

The Latest Cyberwar Technology

The McAfee report also fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that "the Chinese were the first to use cyberattacks for political and military goals….Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem."

China does not stand alone in its military exploitation of cyberspace, according to the McAfee report. Peter Sommers, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify "are gearing themselves up to launch all-out online attacks."

McAfee predicted that over the next few years, governments will pursue "punitive action" against cyberattackers and "will … go after them, regardless of their location." That's the approach advocated by the Defense Science Board in a recent report, which said that the United States "should link cyber defensive and offensive operations to its broader national strategies … treating adversarial operations that damage U.S. information systems and networks as events warranting a balanced, full-spectrum response."

Earlier this year, Cartwright advocated a similar strategy in testimony before the House Armed Services Committee. He said that if "we apply the principle of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care


When you download a report, your information may be shared with the underwriters of that document.