U.S., British officials target Chinese as source of cyberattacks

High-ranking officials in the United Kingdom and the United States have for the first time publicly identified the Chinese government as the source of cyberattacks, warning that China has penetrated both government and business networks with potentially disastrous consequences.

Jonathan Evans, director-general of MI5, the U.K.'s counterintelligence and security service, told British companies last week that they were under attack by "Chinese state organizations," The Times of London reported Saturday.

Marine Gen. James Cartwright, the vice chairman of the Joint Chefs of Staff, has portrayed the effects of large-scale Chinese-backed denial-of-service attacks against U.S systems and networks as potentially having an effect equal to "the magnitude of a weapon of mass destruction." The characterization came in a little-noticed report to Congress released by the U.S.-China Economic and Security Review Commission late last month.

Security analysts said the comments of Cartwright and Evans mark the first time that high-level officials in either the United States or the U.K. have publicly identified the Chinese government as the source of widespread cyberattacks.

Antivirus software company McAfee stated in its annual Virtual Criminology Report released last week that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others.

The Times of London said Evans told British companies doing business in China that they are being targeted by the Chinese army, which is using the Internet to steal confidential commercial information that can be used to benefit Chinese companies.

Evans' alert was posted on the Web site of the UK's Centre for the Protection of the National Infrastructure. The Times said Evans used the site to warn companies "about the possible damage to U.K. business resulting from electronic attacks sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best practice IT security systems." Access to secure parts of the CPNI Web site is limited to companies and organizations that make up the U.K. critical infrastructure, including banks, telecommunication firms, energy companies and utilities.

Alan Paller, director of research at the SANS Institute, a provider of information security training, certification and research, called the MI5 warning "the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth."

In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and "vapid guidance" from the National Institute of Standards and Technology.

Attacks Could Cause 'Cataclysmic Harm'

Cartwright testified before the U.S.-China Economic and Security Review Commission in March, when he was still head of the U.S. Strategic Command, which has responsibility for information operations in the Defense Department. He told the commission that China currently has a larger capability to conduct denial-of-service attacks than any other country, and such attacks have "the potential to cause cataclysmic harm if conducted against the United States on a large scale."

He testified that the Chinese are making "plans to use this type of capability in a military context." He added, "I don't think the [United States] has gotten its head around this issue yet, but I think we should start to consider that the regret factors associated with a cyberattack could, in fact, be in the magnitude of a weapon of mass destruction."

China also is "actively engaging in cyber reconnaissance" by probing the computer networks of U.S. government agencies as well as private companies, Cartwright said. The data collected from these probes, he told the commission, could be used to identify weak points in U.S. networks, discover the communications patterns of government agencies and obtain valuable information stored throughout networks.

Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Bruce Schneir, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.

"We're not used to seeing the head of MI5 and a top general saying that China is the problem," Schneir said. Maybe, he said, "they decided enough is enough." He said he believed that Cartwright was engaging in hyperbole when he warned of a cataclysmic effect on the United States from a large-scale Chinese denial-of-service attack. The country, he noted, managed to weather an electrical outage that crippled much of Northeast in 2004.

Paller said he found Cartwright's comments on the Chinese capability to launch massive denial-of-service attacks particularly significant, because this scenario has never been publicly discussed by such a high-ranking official.

The Latest Cyberwar Technology

The McAfee report also fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that "the Chinese were the first to use cyberattacks for political and military goals….Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem."

China does not stand alone in its military exploitation of cyberspace, according to the McAfee report. Peter Sommers, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify "are gearing themselves up to launch all-out online attacks."

McAfee predicted that over the next few years, governments will pursue "punitive action" against cyberattackers and "will … go after them, regardless of their location." That's the approach advocated by the Defense Science Board in a recent report, which said that the United States "should link cyber defensive and offensive operations to its broader national strategies … treating adversarial operations that damage U.S. information systems and networks as events warranting a balanced, full-spectrum response."

Earlier this year, Cartwright advocated a similar strategy in testimony before the House Armed Services Committee. He said that if "we apply the principle of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Sponsored by Brocade

    Best of 2016 Federal Forum eBook

    Earlier this summer, Federal and tech industry leaders convened to talk security, machine learning, network modernization, DevOps, and much more at the 2016 Federal Forum. This eBook includes a useful summary highlighting the best content shared at the 2016 Federal Forum to help agencies modernize their network infrastructure.

  • Sponsored by CDW-G

    GBC Flash Poll Series: Merger & Acquisitions

    Download this GBC Flash Poll to learn more about federal perspectives on the impact of industry consolidation.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by Aquilent

    A DevOps Roadmap for the Federal Government

    This GBC Report discusses how DevOps is steadily gaining traction among some of government's leading IT developers and agencies.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

  • Sponsored by CDW-G

    Joint Enterprise Licensing Agreements

    Read this eBook to learn how defense agencies can achieve savings and efficiencies with an Enterprise Software Agreement.

  • Sponsored by Cloudera

    Government Forum Content Library

    Get all the essential resources needed for effective technology strategies in the federal landscape.


When you download a report, your information may be shared with the underwriters of that document.