Recent reports the Obama administration sought to conclude an unprecedented cyber arms control agreement with China governing digital attacks are “erroneous” and there are no plans to negotiate limits on cyber weaponry.
“That was never true, and in fact I don’t think it made sense to have a ‘cyber arms control treaty,’ ” said Chris Painter, the State Department’s cybersecurity coordinator, at a conference last week.
Painter’s comments were focused on a sensational New York Times report Sept. 19 asserting that urgent negotiations had been underway in the weeks leading up to President Obama’s meeting with Chinese leader Xi Jinping. The goal was to conclude a cyber arms agreement at the summit. The agreement reportedly would have focused on preventing cyber attacks on critical infrastructures, like power stations, banking systems, cellphone networks and hospitals.
Painter said there were never plans for a cyber arms accord but instead praised what he called the “significant” informal agreement announced at the summit with great fanfare. China promised to swear off cyber economic espionage in exchange for the United States putting off plans for economic sanctions against Beijing for past cyber spying.
Empty cyber deal
The one-sided deal on Chinese cyber is meeting with wide skepticism within US national security circles based on China’s track record of aggressive across-the-board cyber attacks against both government and private sector networks. The pilfering of trade and other secrets has netted Beijing valuable intellectual property estimated to be worth tens of millions of dollars.
Additionally, the accord is one-sided considering China – and not the US — engages in the widespread theft of US and foreign economic and trade secrets and provided them to Chinese state-owned companies. US intelligence agencies are prohibited for helping American companies with similar clandestinely gathered foreign trade secrets.
The US’ most senior intelligence leader, Director of National Intelligence James Clapper, told Congress last week that the pervasive Chinese cyber attacks are unlikely to be curbed by the agreement. Asked if he believed the accord would stem Chinese cyber attacks, Clapper bluntly said, “No.”
A White House fact sheet said the two nations agreed that neither government “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
The sides also will promote norms of behavior and hold high-level talks on cyber crime twice a year.
Painter, the State Department cyber security official, said the administration was “prepared to take action” against China for hacking. Other officials characterized such actions as plans to impose sanctions on China. But Painter said after the summit: “We’re happy we have an agreement and we’ll see where it goes.”
The US is promoting the understanding on cyber economic spying as a key step in creating so-called norms of behavior in cyberspace designed to protect vital national commercial data.
But the real problem is not just economic espionage but China’s pervasive cyber attacks writ large, something the Obama administration has failed to confront as a major strategic counterintelligence problem.
By limiting the debate with China to commercial spying, the administration is ignoring the very real dangers posed by Chinese cyber spying.
F-35 secrets stolen?
A review of past Chinese cyber attacks is instructive. One of the most damaging examples was the case of China’s spying operation against US F-35 joint strike fighter secrets, America’s new frontline stealth fighter bomber.
National Security Agency documents made public earlier this year by renegade NSA contractor Edward Snowden disclosed that China stole more than 50 terabytes of digital data – a huge amount of information – through cyber espionage, including the F-35 secrets. (The entire holdings of the Library of Congress contained an estimated 10 terabytes of data.)
The aircraft secrets included extremely sensitive information on the aircraft design and equipment, including the high-technology radar modules used in making the jet less visible to enemy radar.
As part of the cyber attack data compromise, Chinese spies stole F-35 engine schematics that outlined methods used by turbines to cool gases and reduce heat — more of the jet’s key stealth features.
But the ultimate damage from the hacking is China’s own development of the new J-20 stealth jet, an aircraft that looks like a knockoff of the F-35.
Last year, an unclassified US intelligence report on the F-35 revealed the cyber attack was part of a Chinese cyber spying operation code-named Byzantine Hades that began eight years ago. The data was then incorporated into the J-20.
The stolen data was collected by a secretive Chinese military unit known as a Technical Reconnaissance Bureau in Chengdu province and passed to the state-run Aviation Industry Corp. of China, known as AVIC.
Photographs of the J-20 made public on Chinese military enthusiast websites revealed that one of the prototype jets uses several F-35 design features and gear, including an electro-optical targeting pod under the aircraft nose and stealth jet engine exhaust nozzles.
NSA concluded that China’s cyber attacks included more than 30,000 attacks against defense industries, including more than 500 cyber attacks characterized as “significant intrusions in DoD systems.”
Overall, NSA estimated more than 1,600 network computers have been hit by the Chinese and at least 600,000 user accounts compromised. The cost of the cyber attacks: more than $100 million, mainly for the costs of rebuilding compromised networks.
The summit deal on economic spying made sure that China will pay no penalty for this and other strategic cyber attacks. And reaching largely symbolic vague commitments like the one on cyber economic espionage are not likely to end the problem.
Analysts say the problem for the US is that passive policies toward Chinese cyber attacks will only encourage further attacks.
Obama announced before the summit that sanctions against China for its cyber attacks were being prepared. However, a few hollow promises from Xi to back off Chinese cyber economic espionage operation led to the president to shelve the sanctions against Beijing.
Critics both in and out of government say the failure to respond strongly to the Chinese cyber theft will doom the US to further and potential more damaging cyber attacks.
Bill Gertz is a journalist and author who has spent decades covering defense and national security affairs. He is the author of six national security books. Contact him on Twitter at @BillGertz
(Copyright 2015 Asia Times Holdings Limited, a duly registered Hong Kong company. All rights reserved. Please contact us about sales, syndication and republishing.)