“China no longer cares about whether or not it’s being named and shamed” about hacking and other cyber crimes, a witness told a congressional advisory panel on Thursday. Photo: Shutterstock

US must get tough on fighting Chinese cyber espionage, congressional advisory panel is told

  • Private firms like Google and Microsoft will have to play an active role in government efforts, US-China Economic and Security Review commissioners hear
  • Beijing has exploited America’s free market system and slow responses to network hacks, witnesses say

The US government’s leading advisory panel on China policy was told on Thursday that Washington must devote more resources to countering Chinese cyber espionage and cyberwarfare capabilities and make companies like Microsoft and Google play a more active role in the effort.

In testimony about China’s ability to exploit America’s free market system and slow responses to network hacks, witnesses including Winnona DeSombre, a fellow at Harvard’s Belfer Centre for Science and International Affairs, warned that the US government must support countermeasures against Chinese hacking the way it did its space race against the former Soviet Union.

This would require an expansion of visa quotas for cybersecurity experts, similar to the National Defence Education Act, which was passed in 1958 to attract international aerospace experts to work on US space missions. The effort would also benefit from changes to China-related legislation making its way through Congress to allocate more funding for domestic semiconductor production and research into detection and interception of malicious software.

Measures taken so far – including the Commerce Department’s Entity List and sanctions against companies with Chinese military connections – are inadequate to counter the pilfering of American intellectual property that can be used against the US commercially and militarily, said Dean Cheng, senior research fellow at the Heritage Foundation.

“China no longer cares about whether or not it’s being named and shamed,” DeSombre said, asserting that Beijing sped up hacking operations conducted against the Microsoft Exchange email server after the US, Britain, the EU and Nato accused China of sponsoring the attack.

In announcing the attack in July, the State Department said that “cyber actors” working with China’s Ministry of State Security were behind “a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private-sector victims”.

“The US does not currently have adequate cyber defences, personnel, supply chain security or international technical and standards leadership to rival China long term in cyberspace,” DeSombre added.

In remarks that echoed those of his colleagues on the US-China Economic and Security Review Commission (USCC), Michael Wessel said the current US regulatory structure “puts security behind profits”.

As an example, he cited prolonged efforts by some US telecoms service providers to remove equipment produced by China’s Huawei Technologies, which is on the Entity List along with dozens of its subsidiaries over concerns that the components might contain vulnerabilities that Beijing could exploit.

“We are still aiding and abetting China,” Wessel said. “The problems with Huawei were identified early in the 2000s and we’re still trying to find the money to rip and replace Huawei systems from our networks to be able to have greater security.”

Asked about the assertions, Beijing’s Washington embassy spokesman Liu Pengyu said: “The US has repeatedly made groundless attacks and malicious smears against China on cybersecurity.”

“China is a staunch defender of cybersecurity, and has long been a main victim of cyber thefts and attacks,” Liu said.

“It needs to be pointed out that [revelations by former US intelligence consultant Edward Snowden] and other incidents are still fresh in our memory, and that the US agencies have been engaging in large-scale, organized and indiscriminate cyber intrusion, surveillance and monitoring activities,” he added.

Multiple participants in Thursday’s hearing cited the inherent limitations posed by the American free enterprise system when it comes to patching cyber vulnerabilities.

“The United States operates in a free market, and so [its] government has much more limited leverage than the Chinese government might,” said John Chen, a lead analyst at cybersecurity consultancy SOS International, another witness.

“And so there are a lot of situations where because in this free market, American companies are obliged to pursue profits for shareholder interest, and that can generate externalities on the American taxpayer”, such as the Huawei equipment matter, he said.

Winnona DeSombre speaks to the US-China Economic and Security Review Commission in Washington on Thursday.

Aaron Friedberg, another USCC commissioner, said countering China’s cyber capabilities may require more government intervention in the corporate sphere.

“If we’re really going to address this problem we’re going to have to start operating in a quite different way,” he said. “That probably involves a greater role for the government than has been true in the past and that many of us would normally be comfortable with.

“So, for example, imposing or creating requirements for defences that companies have to meet on the defence side, and on the offence side.”

Cheng argued that virtually all Chinese companies are part of the “civil-military fusion” that Beijing’s Central Military Commission can call upon for cyberwarfare objectives.

“That means that, potentially, corporate IT departments as well as Chinese antivirus firms, all of these, [including] China Telecom … all of these are potential sources of three things: personnel, equipment and facilities – and by that last item, I would include their networks are potentially available in event of need,” he said.

In her recommendations, DeSombre said the private sector should be subject to mandatory breach notification laws, threat information sharing for companies that manage critical infrastructure and stricter patching requirements for federal contractors.

The legislation DeSombre referenced – the America Competes Act in the House of Representatives and the US Innovation and Competition Act in the Senate – needs to be reconciled into one version before it can be sent to President Joe Biden to become law.

The America Competes Act, passed this month, calls for new guidelines to help research universities defend against cyber assaults and would direct the US government to examine the vulnerability of mobile service networks to “cyber attacks and surveillance conducted by adversaries”.

Asked about the timing for a reconciled bill, deputy White House press secretary Karine Jean-Pierre said on Thursday that Biden was “in constant communication with Congress on a whole list of issues and that clearly is one that’s critical and important.”

“It is important to us to move forward with that and so we’re going to continue to make sure that we’re talking to Congress,” she said.

Additional reporting by Owen Churchill and Jacob Fromer
