CACI Chairman Dr. Jack London's Speech on American Cybersecurity and China's Increasing Threat
For the local alumni chapter of the U.S. Naval Academy's class of 1959, learning is a life-long mission. Alums are invited to a monthly '59er luncheon series to hear from speakers on a variety of important topics. A recent speaker was none other than CACI's Chairman, Dr. Jack London, a fellow '59er himself.
Following up on his article "Made in China" in the April 2011 issue of the U.S. Naval Institute's Proceedings magazine, Dr. London was asked to talk about China's increasing threat to American cybersecurity. On November 10, 2011 at the Army Navy Country Club in Arlington, VA, Dr. London spoke on this pressing topic to 25 of his fellow classmates. Among them were many Vietnam veterans and several retired Admirals.
Dr. London's presentation, which is unclassified and from open-source material, follows.
At his Senate confirmation hearing in June, Secretary of Defense Leon Panetta warned that the "next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems."
This is not an exaggeration. Russia was behind damaging cyber attacks against Estonia and Georgia in 2007 and 2008. Launched in June 2009, the Stuxnet virus that hit command and control systems of Iranian nuclear facilities wasn't detected until June 2010. This August, McAfee revealed that they had discovered a five-year campaign of cyber attacks on the networks of 72 organizations, including the United Nations, governments and companies worldwide. By the way, China is the prime suspect.
It's hard to believe that an "invisible" threat could be so pervasive and potentially destructive. But the increasing global dependence on technology has only increased our vulnerability to it. It's a dangerous world and the cyber threat cannot be underestimated.
The cyber threat to American national security is unique because it's asymmetric. Attacks may be perpetrated by the few upon the many, with little cost or resources. Cyber attacks are typically anonymous, launched from any of millions of sources worldwide. The perpetrators can be nation states, terrorist groups, activist hackers or motivated individuals. Impacts may be immediate and obvious, or dormant and subtle, eluding recognition for years. Damage can range from inconvenient downtime of personal systems to the life-threatening destruction of critical infrastructures.
Let me give you a better idea about the scale and scope of the cyber threat:
There were over 3 billion malware attacks recorded in 2010. The U.S. is the victim of more malicious cyber activity than any other country, suffering 19 percent of all attacks worldwide in 2009.
Over half of the world's critical infrastructure organizations [utilities, energy, transport, etc.] have been hit by large-scale cyber attacks, threatening essential services, at a cost of millions of dollars daily. China and Russia, for example, routinely probe American industrial networks.
Military networks are scanned millions of times each day and hit by thousands of attacks every day by outside intruders - among them more than 100 foreign intelligence agencies.
Cyber attacks are costly. Cyber espionage alone is estimated to cost the United States up to $200 billion a year, with China being responsible for most of that burden.
What's scary is that cyber attacks are growing in volume, sophistication and cost. So what is our line of defense?
Responsibility over government systems is divided between U.S. Cyber Command (USCYBERCOM) and the Department of Homeland Security (DHS).
USCYBERCOM is responsible for the coordination of all existing cyberspace resources and activities needed to operate and defend Department of Defense (DoD) networks. And when directed, they conduct both defensive and offensive military cyberspace operations. USCYBERCOM operates under the U.S. Strategic Command (USSTRATCOM) and includes Army, Air Force, Fleet and Marine Cyber Commands. They also work closely with interagency and international partners on cyber missions.
At DHS, the National Cyber Security Division (NCSD) works with public, private and international organizations to secure cyberspace and America's cyber assets. NCSD's objectives are 1) to build and maintain an effective national cyberspace response system, and 2) to implement a cyber-risk management program for protection of critical infrastructure.
As robust and technologically advanced as our cyber systems are, U.S. cybersecurity has many challenges.
For example, our laws and policies greatly lag behind our technical capabilities in countering the cyber threat. Bureaucracy may be the problem. There are over 40 Congressional committees and 100 subcommittees dealing with cybersecurity. This summer, there were 22 cybersecurity bills in Congress and pending White House legislation. Many agencies have also developed their own separate initiatives.
DoD, for example, has already released its initial operational guidelines for cyberspace. And they will soon have new cyber rules of engagement that include an offensive strategy for "reasonable, proportional responses" to cyber attacks and threats.
The private sector is estimated to own over 85% of our nation's critical infrastructure. With no regulatory authority, the government relies on voluntary cooperation from the private sector to protect these important networks. Public-private partnerships have helped bridge this gap, but they are not enough. Another idea is a "Secure Zone," a network of crucial national security systems set off from the rest of the Internet. However, it would require unprecedented cooperation among the Pentagon, Department of Homeland Security, the FBI, and the private sector.
Cyberspace is quickly evolving. But in this dynamic and sometimes chaotic environment, one player stands out - China.
While Russia and Israel are considered to be the larger troublemakers in cyberspace, China distinguishes itself for having the fastest-growing and most active cyber attack program of all nations.
In 2008, breaches into the systems of Marathon Oil, ExxonMobil, and ConocoPhillips were traced back to China. In March 2009, GhostNet, an electronic spy network based mainly in China, infiltrated 1,300 government computers in 103 countries. Then, for 18 minutes in April 2010, 15 percent of the Internet's routes were hijacked by China's state-controlled telecommunications company, redirecting Internet traffic that included data from the U.S. military.
There are three reasons why the Chinese cyber threat is paramount.
First, cyber is part of China's national security doctrine. The Chinese military believes that "seizing control of an adversary's information flow [is] a prerequisite to air and naval superiority." The People's Liberation Army (PLA) also views intelligence-gathering, in addition to traditional military and espionage activities, as part of its core mission. In fact, China is engaged against the United States in "the single largest, most intensive foreign intelligence-gathering effort since the Cold War." The PLA's Third Bureau, which monitors diplomatic, military and international communications, is the third largest signals-intelligence (SIGINT) monitoring organization in the world after the U.S. and Russia.
The PLA has been developing its cyber-warfare capabilities for nearly a decade. Their goals are to build "informationized" armed forces and to be capable of winning "informationized" wars by the middle of this century. To develop new cyber capabilities and establish new cyber-militia units, the PLA reduced its force levels by 200,000 troops and started investing somewhere between $50 billion and $100 billion annually. One significant investment is reported to be a 1,100-person cyber operation at Hainan Island (complete with a James Bond-style submarine cave), which also is home to other key Chinese military units.
So how effective have they been? The Chinese have attempted to map our infrastructure - like our electrical grid. In 2003, the Chinese identified network vulnerabilities in critical Pentagon systems nationwide. By 2006, the Chinese were regularly attacking systems of federal agencies. From June through October in 2006, up to 150 computers at the Department of Homeland Security were infiltrated and the data was sent to a Chinese-language website. The 2008 Obama and McCain presidential campaigns were also hit. All senior campaign staff had to replace their BlackBerries and laptops. China also is believed to be behind the 2009 data theft from Lockheed Martin's F-35 fighter program. That's pretty effective.
The second reason why the Chinese threat is uniquely important is because it's networked. And I don't mean in a technical sense. There is the blurred relationship between Chinese hackers, the military, and government organizations. The Chinese not only employ their own hackers, but they also sponsor other international hacking organizations. The Chinese government also rarely discourages the activities of "patriot" or "red" hackers because they share the same interests and goals. It's a kind of cyber militia.
Chinese companies also should be considered an unofficial, loosely integrated part of China's cyber network. Huawei Technologies Company, for example, is the world's second largest infrastructure vendor and China's top networking company - after Ericsson - and possibly also one of its most suspect. For example, joint ventures have been suspected as a way to infiltrate foreign networks. Huawei's chairwoman used to work for the Ministry of State Security, China's foreign intelligence service. Huawei's founder started the company after serving in the PLA.
Chinese companies are increasingly manufacturing commercial, off-the-shelf microchips and semiconductors. This makes it challenging for the United States to meet secure and classified chip needs.
American companies in China have been harassed by intrusive government practices. Microsoft had to provide source codes for its "Office" software to the Chinese government in order to do business there.
Most notable were the 2010 attacks on Google. Many foreign companies in China stay silent on these problems for fear of provoking further attacks or jeopardizing access to that nation's vast market.
The third reason why the Chinese cyber threat is important is because China is frightened. Defensively, China's growing network-security concerns and cyber capabilities are driven by how "the development of the Internet in China created, for the government, 'unprecedented challenges' in 'social control.'"
The evolution of China's cyber activities began in the 1990s when the Ministry of Public Security partnered with foreign network-systems firms to monitor information on the Internet. Although China had fewer than 1 million Internet users in 1997, the government was eager to control public access to it. By 1998, the Chinese had a sophisticated system that effectively monitored all domestic Internet and wireless traffic.
With more than 400 million Internet users today, including 160 million using social networking tools, the Chinese government fears it no longer will be able to control what the public reads, sees, and posts. That is a significant threat for a propaganda-oriented government, which limits or bans access to many Internet sites while paying individuals for "postings" that cast the government in a favorable light.
China also remains just as vulnerable to cyber attacks as any other nation. China's Ministry of Public Security (MPS) reported an 80 percent rise in cyber crime during 2010, which it indirectly attributed to hackers. In that year alone, the MPS arrested 460 hacking suspects and closed more than 100 websites used for hacker training and programs. The overwhelming amount of illegal software in China has also made most government and private computer systems vulnerable to malware.
It is paramount that the U.S. develop an effective and comprehensive national cybersecurity strategy to counter these threats. U.S. cybersecurity to date has focused more on defensive than offensive capabilities. As a result, there are many unknowns and gaps in American cybersecurity.
For example, we must define the array of cyber attacks and conflicts, from which countermeasures, processes, and metrics can be developed. We also need to address the coordination and cooperation among government agencies and partners involved in U.S. cybersecurity.
Many of these issues would be addressed by accelerating the review and modification of our existing laws, as well as pending legislation, to match the cyber threats. The White House, after lagging on this point itself, asked Congress two weeks ago to pass stalled cybersecurity legislation. But other legislative priorities, including a deadline next month for deficit reduction legislation, mean comprehensive cybersecurity reform will be delayed.
Cybersecurity is not solely an American problem, nor can it be addressed unilaterally. The lack of international agreements, both formal and informal, on the rules of cyberspace has greatly impeded the authority of the U.S. to protect itself from cyber attacks. The U.S. must lead world efforts in fostering access to and security within cyberspace - just as the U.S. has done in ensuring freedom of the sea, air, and space - by accelerating the development of legislation, policy, procedures, and authorities.
While improving American and global cybersecurity will help thwart the Chinese threat, China must also be given specific attention. Former White House cybersecurity adviser Richard Clarke recently said that the Chinese are "the people who are doing us the most damage these days in cyberspace."
On the national security front, China, specifically, must remain an intelligence security risk priority. On the business front, Chinese commercial investments in cyber-related enterprises also require ongoing examination. The U.S. also needs to ensure that components for our IT and network systems come from reliable and trustworthy sources.
The ancient Chinese general Sun Tzu once said that all war is based on deception. Nowhere is this more true - or more dangerous - than in cyberspace. The Chinese have embraced this reality. If the U.S. does not do the same, then we are only deceiving ourselves.