Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Chinese Cyber Threat: NSA Confirms Attacks Have Escalated

'Defending Forward' Is New Military Mantra for Defending Government Networks
Chinese Cyber Threat: NSA Confirms Attacks Have Escalated
Rob Joyce of the National Security Agency discusses China, hacking and deterrence on a Nov. 8 panel at the Aspen Cyber Summit.

The historic cybersecurity nonaggression pact agreed between China and the United States in 2015 seems to have gone out the window, said cybersecurity experts speaking Thursday at the Aspen Cyber Summit in San Francisco.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Three years ago, the White House threatened to impose sanctions on China unless it ceased its cyber-enabled economic espionage program against the U.S. Then cybersecurity researchers initially tracked a marked decrease in attacks sanctioned by the Beijing government as well as by Chinese individuals (see: U.S.-China Cybersecurity Agreement: What's Next?).

June 2015: Chinese State Councilor Yang Jiechi meets with then U.S. Secretary of State John Kerry to negotiate a new cyber "code of conduct." (Photo: U.S. State Department.)

But with President Donald Trump changing tack, a trade war between the U.S. and China has arisen. While the U.S. hasn't imposed sanctions on China, it has slapped increased tariffs on Chinese imports into the United States.

And that has resulted in an increase in hack attacks emanating from China, despite the 2015 agreement.

"It's clear that they are well beyond the bounds today of the agreement," Rob Joyce, the National Security Agency's senior adviser for cybersecurity strategy to the director, said at the Aspen Cyber Summit. "We have certainly seen their behavior erode in the last year, and we're very concerned with those troubling trends," said Joyce, who formerly served as the White House cybersecurity coordinator (see: White House Might Eliminate Cyber Coordinator Role).

'Economic Warfare Problem'

Dmitri Alperovitch, CTO of CrowdStrike, tells the Aspen Cyber Summit on Nov. 8 that deterrence is most effective when it targets the behavior of a country's leadership, rather than its hackers.

Dmitri Alperovitch, CTO of cybersecurity firm CrowdStrike, told summit attendees that the thinking by China's leadership appears to be: "If we're going to suffer the economic pain, why not get the benefit from espionage?"

But he said that while cyber espionage is one component of the Chinese government's strategy, it's not the complete picture.

"It is an economic warfare problem that is being conducted through cyber as well as other means, and responding to this with economic actions of our own, and putting pressure on the Chinese government, I think, is the right strategy," he says. "It will take a long time; we are not going to see results immediately. But I think the strategy is square."

The tariff pressure on China does seem to be working, Alperovitch added. "For the first time in [Chinese] President Xi's term, we're starting to see fissures within the politburo and some criticism of his governance, given the relationship with the United States," he said.

Chinese Hacker Indicted

Beyond economic pressure, the U.S. government is also bringing other diplomatic forms of pressure to bear, including the threat of sanctions.

"We recognize it is not just a cyber problem," Joyce said. "We're using all elements of the national power to address these."

That includes indicting foreign hackers. For example, last month, Chinese Ministry of State Security operative, Yanjun Xu - aka Qu Hui, Zhang Hui - was arrested in Belgium and extradicted to the U.S. after he was indicted by a federal grand jury for conspiring and attempting to commit economic espionage and steal trade secrets from U.S. organizations (see: US Again Indicts Chinese Intel Agents Over Hacking)

"This indictment alleges that a Chinese intelligence officer sought to steal trade secrets and other sensitive information from an American company that leads the way in aerospace," Assistant Attorney General for National Security John C. Demers

Defense Department: 'Defend Forward'

Can foreign hack attacks can be blocked at the source? The NSA's Rob Joyce responds to a question posed by Washington Post reporter Ellen Nakashima at the Aspen Cyber Summit on Nov. 8.

Meanwhile, the U.S. Department of Defense, as part of its 2018 Cyber Strategy - replacing its 2015 cyber strategy - says it is emphasizing the concept of "defending forward," including attempting to stop hack attacks at their source, without doing anything that would rise to the level of armed conflict. It's also begun publicly outing foreign governments' hacking tools as part of a strategy it calls "continuous engagement."

"The idea that they get free shots on goal, they get to keep trying and trying and trying until they succeed, is something we have to counter."
—Rob Joyce, NSA

"We've decided that we've got to have one element of our national power be cyber capabilities," the NSA's Joyce said at the summit. "Looking at a strategy that just says: 'We're going to wait until the attacks come to us, and then we'll defend them at the boundary, we'll clean up and remediate and try to push them back out after there's been a compromise, we'll recognize that we lost information'; that's not a winning strategy. So a piece of this has to be engaging people who are seeking to come do things that are illegal or immoral on our networks." (See: NSA: The Silence of the Zero Days)

Cyber Command Outs APT Malware

From a defense standpoint, more than hacking back is involved.

For example, on Nov. 5, the U.S. Cyber National Mission Force - part of U.S. Cyber Command - announced a new initiative via which it will publish to VirusTotal samples of foreign government malware that it says were used by foreign hackers who targeted U.S. government networks. Already, it's posted four such samples, including some flagged by cybersecurity firms as being malware tied to the hacking group APT28, aka Fancy Bear, which has been tied to Russia's GRU military intelligence agency (see: Dutch and British Governments Slam Russia for Cyberattacks).

Joyce said such moves are all part of the U.S. government's plan. "That is an engagement, saying: 'We're going to take your tools; we're going to put them out there; we're going to show your tradecraft; we're going to make it harder for you to do these kind of operations.' And by doing that, we're imposing friction," Joyce said. "So the idea that they get free shots on goal, they get to keep trying and trying and trying until they succeed, is something we have to counter. And that's where you're seeing this strategy."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.