U.S., British officials target Chinese as source of cyberattacks

High-ranking officials in the United Kingdom and the United States have for the first time publicly identified the Chinese government as the source of cyberattacks, warning that China has penetrated both government and business networks with potentially disastrous consequences.

Jonathan Evans, director-general of MI5, the U.K.'s counterintelligence and security service, told British companies last week that they were under attack by "Chinese state organizations," The Times of London reported Saturday.

Marine Gen. James Cartwright, the vice chairman of the Joint Chiefs of Staff, has portrayed the effects of large-scale Chinese-backed denial-of-service attacks against U.S. systems and networks as potentially having an effect equal to "the magnitude of a weapon of mass destruction." The characterization came in a little-noticed report to Congress released by the U.S.-China Economic and Security Review Commission late last month.

Security analysts said the comments of Cartwright and Evans mark the first time that high-level officials in either the United States or the U.K. have publicly identified the Chinese government as the source of widespread cyberattacks.

Antivirus software company McAfee stated in its annual Virtual Criminology Report released last week that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others.

The Times of London said Evans told British companies doing business in China that they are being targeted by the Chinese army, which is using the Internet to steal confidential commercial information that can be used to benefit Chinese companies.

Evans' alert was posted on the Web site of the U.K.'s Centre for the Protection of the National Infrastructure. The Times said Evans used the site to warn companies "about the possible damage to U.K. business resulting from electronic attacks sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best practice IT security systems." Access to secure parts of the CPNI Web site is limited to companies and organizations that make up the U.K. critical infrastructure, including banks, telecommunication firms, energy companies and utilities.

Alan Paller, director of research at the SANS Institute, a provider of information security training, certification and research, called the MI5 warning "the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth."

In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and "vapid guidance" from the National Institute of Standards and Technology.

Attacks Could Cause 'Cataclysmic Harm'

Cartwright testified before the U.S.-China Economic and Security Review Commission in March, when he was still head of the U.S. Strategic Command, which has responsibility for information operations in the Defense Department. He told the commission that China currently has a larger capability to conduct denial-of-service attacks than any other country, and such attacks have "the potential to cause cataclysmic harm if conducted against the United States on a large scale."

He testified that the Chinese are making "plans to use this type of capability in a military context." He added, "I don't think the [United States] has gotten its head around this issue yet, but I think we should start to consider that the regret factors associated with a cyberattack could, in fact, be in the magnitude of a weapon of mass destruction."

China also is "actively engaging in cyber reconnaissance" by probing the computer networks of U.S. government agencies as well as private companies, Cartwright said. The data collected from these probes, he told the commission, could be used to identify weak points in U.S. networks, discover the communications patterns of government agencies and obtain valuable information stored throughout networks.

Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Bruce Schneier, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.

"We're not used to seeing the head of MI5 and a top general saying that China is the problem," Schneier said. Maybe, he said, "they decided enough is enough." He said he believed that Cartwright was engaging in hyperbole when he warned of a cataclysmic effect on the United States from a large-scale Chinese denial-of-service attack. The country, he noted, managed to weather an electrical outage that crippled much of the Northeast in 2004.

Paller said he found Cartwright's comments on the Chinese capability to launch massive denial-of-service attacks particularly significant, because this scenario has never been publicly discussed by such a high-ranking official.

The Latest Cyberwar Technology

The McAfee report also fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that "the Chinese were the first to use cyberattacks for political and military goals. … Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem."

China does not stand alone in its military exploitation of cyberspace, according to the McAfee report. Peter Sommer, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify "are gearing themselves up to launch all-out online attacks."

McAfee predicted that over the next few years, governments will pursue "punitive action" against cyberattackers and "will … go after them, regardless of their location." That's the approach advocated by the Defense Science Board in a recent report, which said that the United States "should link cyber defensive and offensive operations to its broader national strategies … treating adversarial operations that damage U.S. information systems and networks as events warranting a balanced, full-spectrum response."

Earlier this year, Cartwright advocated a similar strategy in testimony before the House Armed Services Committee. He said that if "we apply the principle of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests."
