Cyber Scene #58 - China's Cyber Belt and Road: Strategic Measures and Countermeasures
This edition of Cyber Scene is all about cybersecurity, stretching from the U.S. across Europe to China and back.
Cyber Scene readers may be familiar with China's Belt and Road infrastructure projects. The expanding hubs serve as the belts and the spokes extending from them are the roads—global roads. Presented as an infrastructure project, "One Belt One Road" (the official Chinese translation) is officially aimed at 65 countries, half of the world's population (4.4 billion at the time it was released), and one third of the world's economy. The infrastructure requires towers and cyber connectivity for all those parliamentary buildings, road construction, supply chains, etc.
US White House leadership over the last 5 years has talked about infrastructure, but only recently has a tangible strategy been developed by the White House and funded by Congress. It is not exclusively physical either. Rather, it advances simultaneously and compatibly with an embedded cyber strategy.
Chinese leadership has been heading in this direction for many decades. In the Western World, the White House is both developing cyber strategy and naming proven, experienced cyber experts. And this too is impacting NATO, non-NATO Europeans and other constitutional democracies worldwide. The jury is still out as to how the new US cybersecurity strategy will play out in a globally widening cyberattack environment. But the following discussion indicates that at least there is a strategy in the game.
The White House has its challenges. It is working on multiple fronts. China is not the only problem, although the recent Biden-Putin face-to-face keeps those doors open. On the tech front, the White House is also dealing with how to enhance cyber defense while working with Big Tech to comply with strategic initiatives. And while juggling these issues, it is also rejuvenating relationships with foreign partners who share an interest in dealing proactively with these threats. Moreover, the White House needs to fully man its cyber staff and fund its cyber initiatives. This is also subject to politicized dispute.
For starters, New York Times' (NYT) Nicole Perlroth addresses this in "How China Transformed Into a Prime Cyber Threat to the U.S." She notes that unlike a decade ago, current Chinese cyber-attacks are highly aggressive, sophisticated and mature—far more advanced than in the past: "China is now perpetrating stealthy, decentralized digital assaults of American companies and interests around the world." Sloppy PLA hacking has been replaced by "elite satellite network contractors at front companies and universities working with China's State Security," reportedly as of 2018. They work through software like Microsoft's Exchange email service and Pulse VPN devices which are harder to defend. The analysis goes on to point out that the US Justice Department indicted four Chinese nationals for hacking commercial aviation, defense, biopharmaceutical and other industrial commercial secrets in July 2021. In late July, the U.S. also indicted China's Ministry of State Security itself. Secretary of State Antony Blinken believes that the State Security Ministry "…has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain."
NYT cyber experts Zolan Kanno-Youngs and David E. Sanger reported the following day that for the first time the Biden administration accused the Chinese government of "…breaching Microsoft email systems used by many of the world's largest companies, governments and military contractors." As White House Press spokesperson Jen Psaki states, "We are not holding back." The article goes on to explain that the US diplomatic goal is to bring countries like China and Russia to agree to "a set of guardrails for behavior—not arms control, which would be impossible to verify in a world of invisible, reproducible cyberweapons." The cyber experts go on to say that dealing with digital espionage is nothing new, but that the Biden administration has been "aggressive in calling out both countries and organizing a coordinated response." As a result, a joint statement from the U.S., NATO, Australia, the U.K., Canada, the EU, Japan and New Zealand that criticized China for the cyberattacks was issued and publicized.
With a view from across the pond, the Economist followed up on 20 July in "After failing to dissuade cyber-attacks, America looks to its friends for help." This article added that "…unusually, America recruited those allies to admonish China by name, something they had been loth (sic) to do. NATO joined America for the first time in condemning China for state-sponsored hacking." The expectation is that the US will convince its allies to take some form of collective action against China.
A big question is to what extent NATO might take Article 5 action against a cyber-attack on one of its members. In the Pentagon's Early Bird Brief, Defense One addresses this issue. It notes the possibility of a cyber-attack leading to Article 5 implementation. It was used only once: NATO joining the US in Afghanistan following 9/11. As of the NATO Summit in June 2021 attended by the US President, the alliance on 14 June officially "re-conceptualized how and what kind of adversarial activities can lead to cross the threshold of an armed attack. The most important change: the insertion of the word 'cumulative.'" Asked about the choice of the word "cumulative," the NATO press response is significant:
"The term was indeed used deliberately, and the reason for using it is because the alliance has recognized that the cyber threat landscape is evolving, and that several low impact cyber incidents by the same threat actor have the same impact as a single destructive cyberattack."
By early July, the NYT's Kellen Browning reported that hundreds of businesses around the world had suffered from elite cyberattacks. The issue of an Article 5 declaration would impact non-NATO nations as well. Sweden, not a NATO nation but one joining the US in Afghanistan, was hit hard when Sweden's largest grocery was forced to close 800 stores due to a cyber-attack; Sweden's railway system and a major pharmacy chain were also affected. While President Biden opined that the attacker was not specifically identified, a European response would be similar. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in to identify this attack as a "supply-chain ransomware attack" and added that CISA was helping with the investigation.
Such is not the exception but the rule of late. As the US struggled in May with its own ransom attacks (Colonial Pipeline and JBS meat factory were the lead headliners), per the Economist 19 June "Ransomware highlights the challenges and subtleties of cybersecurity," Ireland lost control of its healthcare system, Health Service Executive (HSE). HSE declined to pay the $20M ransom demand. The article goes on to address the surprisingly permissive attitude that had existed toward "…a regime led by an old spook like Mr. Putin." But as was seen in the 2014 OPM hack of 21.5M records of US persons, cybercrime is experiencing a growth spurt.
So, the tenor has changed. Catch-up isn't working well at cyber speed. In addition to global alliances to counter cybersecurity breaches, large and small, preemptively, Wired calls out the importance of President Biden's playing "Hardball with Internet Platforms." It believes the White House needs to prioritize Americans' wellbeing over Big Tech's "whims" to begin a path to restoring democracy, privacy, and competition. As an example, Wired reporter Roger McNamee points out on 24 July that the Surgeon General cited disinformation as a public health menace, citing 65% of Covid disinformation as coming from 12 Facebook accounts. He singles out YouTube, Instagram, Google and Twitter as "also guilty" of having a decidedly negative impact. He opines that many Americans know this but find the use of these platforms so convenient that they are disinclined to bring this to litigation.
Mr. McNamee does point out that "…appointments of former FTC advisor Tim Wu to the National Economic Council, antitrust scholar Lina Khan as chair to the FTC, former FTC commissioner Rohit Chopra to lead the Consumer Finance Protection Bureau, former CFTC head Gary Gensler and [Jonathan] Kanter at the SEC are brilliant moves because those leaders understand the issues and will make the most of the limited tools at their disposal." But, as he summarizes, clipping the wings of these tech giants will cause profits to drop a bit, and the economic impact will be a difficult issue to deal with.
On the subject of forward progress, Wired's Garrett Graff also discusses strong team appointments from the Biden White House. He praises the selections, most of which Cyber Scene has highlighted in past issues, but states "It's a lot of talent, but the US now has five overlapping roles jockeying for limited budgets, authorities, and bureaucratic victories." One of the selections is Jen Easterly, the new CISA chief, and Graff also notes the challenge of sorting out the roles of just-sworn-in Chris Inglis as top cyber adviser and coordinator to the White House and that of Anne Neuberger as the Deputy National Security Adviser for Cyber and Emerging Technology. But he does underscore the fact that except for Lisa Monaco, who is going to the Department of Justice, the other senior cyber experts all have common "DNA" from their earlier work at the National Security Agency (NSA) and have all worked successfully and closely together in the past. As an aside, he points out that NSA was the principal agency responsible for creating this cyber expertise, continued by its current Director and Cyber Command Commander Paul Nakasone. As another aside, Lisa Monaco, during her work from 2012-2016, would have worked with at least two of the cyber experts Mr. Graff cites. The US cyber strategy would appear to combine reining in the increasing number of cyberattacks and expanding the ability to defend against them both nationally and globally.