U.S., British officials target Chinese as source of cyberattacks

Marine general says future attacks could have “the magnitude of a weapon of mass destruction.”

High-ranking officials in the United Kingdom and the United States have for the first time publicly identified the Chinese government as the source of cyberattacks, warning that China has penetrated both government and business networks with potentially disastrous consequences.

Jonathan Evans, director-general of MI5, the U.K.'s counterintelligence and security service, told British companies last week that they were under attack by "Chinese state organizations," The Times of London reported Saturday.

Marine Gen. James Cartwright, the vice chairman of the Joint Chiefs of Staff, has portrayed the effects of large-scale Chinese-backed denial-of-service attacks against U.S. systems and networks as potentially having an effect equal to "the magnitude of a weapon of mass destruction." The characterization came in a little-noticed report to Congress released by the U.S.-China Economic and Security Review Commission late last month.

Security analysts said the comments of Cartwright and Evans mark the first time that high-level officials in either the United States or the U.K. have publicly identified the Chinese government as the source of widespread cyberattacks.

Antivirus software company McAfee stated in its annual Virtual Criminology Report released last week that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others.

The Times of London said Evans told British companies doing business in China that they are being targeted by the Chinese army, which is using the Internet to steal confidential commercial information that can be used to benefit Chinese companies.

Evans' alert was posted on the Web site of the UK's Centre for the Protection of the National Infrastructure. The Times said Evans used the site to warn companies "about the possible damage to U.K. business resulting from electronic attacks sponsored by Chinese state organizations, and the fact that the attacks are designed to defeat best practice IT security systems." Access to secure parts of the CPNI Web site is limited to companies and organizations that make up the U.K. critical infrastructure, including banks, telecommunication firms, energy companies and utilities.

Alan Paller, director of research at the SANS Institute, a provider of information security training, certification and research, called the MI5 warning "the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth."

In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and "vapid guidance" from the National Institute of Standards and Technology.

Attacks Could Cause 'Cataclysmic Harm'

Cartwright testified before the U.S.-China Economic and Security Review Commission in March, when he was still head of the U.S. Strategic Command, which has responsibility for information operations in the Defense Department. He told the commission that China currently has a larger capability to conduct denial-of-service attacks than any other country, and such attacks have "the potential to cause cataclysmic harm if conducted against the United States on a large scale."

He testified that the Chinese are making "plans to use this type of capability in a military context." He added, "I don't think the [United States] has gotten its head around this issue yet, but I think we should start to consider that the regret factors associated with a cyberattack could, in fact, be in the magnitude of a weapon of mass destruction."

China also is "actively engaging in cyber reconnaissance" by probing the computer networks of U.S. government agencies as well as private companies, Cartwright said. The data collected from these probes, he told the commission, could be used to identify weak points in U.S. networks, discover the communications patterns of government agencies and obtain valuable information stored throughout networks.

Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Bruce Schneier, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.

"We're not used to seeing the head of MI5 and a top general saying that China is the problem," Schneier said. Maybe, he said, "they decided enough is enough." He said he believed that Cartwright was engaging in hyperbole when he warned of a cataclysmic effect on the United States from a large-scale Chinese denial-of-service attack. The country, he noted, managed to weather an electrical outage that crippled much of the Northeast in 2004.

Paller said he found Cartwright's comments on the Chinese capability to launch massive denial-of-service attacks particularly significant, because this scenario has never been publicly discussed by such a high-ranking official.

The Latest Cyberwar Technology

The McAfee report also fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that "the Chinese were the first to use cyberattacks for political and military goals. … Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem."

China does not stand alone in its military exploitation of cyberspace, according to the McAfee report. Peter Sommer, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify "are gearing themselves up to launch all-out online attacks."

McAfee predicted that over the next few years, governments will pursue "punitive action" against cyberattackers and "will … go after them, regardless of their location." That's the approach advocated by the Defense Science Board in a recent report, which said that the United States "should link cyber defensive and offensive operations to its broader national strategies … treating adversarial operations that damage U.S. information systems and networks as events warranting a balanced, full-spectrum response."

Earlier this year, Cartwright advocated a similar strategy in testimony before the House Armed Services Committee. He said that if "we apply the principle of warfare to the cyber domain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests."