The cyberwar between China and the US has spread from computers into the halls of diplomacy. In a report this week, the Pentagon said for the first time that the Chinese government and military have been launching cyber attacks against the US. Today, Chinese state media called the US “the real hacking empire” and said the country has “an extensive espionage network.”
There’s a nugget of truth in China’s rebuttal. The US has some of the most powerful cyber warfare resources in the world and has long been one of the leading sources of cyber attacks on companies and people. According to cyber security firm McAfee, the US is home to the largest number of botnets in the world, the control servers used to hack computers in the US and elsewhere. Data from Deutsche Telekom shows that far more attacks against its networks come from Russia and the US than China. And according to HostExploit, which tracks malware activity, the US and Russia, not China, have the world’s most malicious servers.
In some ways, Beijing is right to argue that China is also a victim, wrote Jason Healy, director of Cyber Statecraft at the Atlantic Council, last month. Between September 2012 and March of this year, 85 Chinese government and company websites were hacked, with 39 of the attacks originating in the US, according to Chinese state media. Chinese authorities also said that US-based servers had hosted 73% of phishing attacks on Chinese residents during roughly the same period.
Yet, as Healy notes, there’s a big difference between state-backed cyber operations—used to gather intelligence or disrupt infrastructure—and the attacks cited by Chinese authorities. These US-orginated cyber attacks on China are primarily criminal operations carried out by individuals. They typically take advantage of the US’s insecure servers to launch spam, fraud and other petty attacks.
Comparing the state-sponsored cyber operations of China and the US is even more difficult. US military cyber operations are “quiet, coordinated, exceptionally well targeted and under the strict control of senior officers and government executives,” Healy writes, citing Stuxnet as an example. By contrast, China’s cyber espionage is subject to little oversight or coordination. (One military hacker kept this unflattering blog about his experience).
Efforts by the two countries to address cyber attacks also differ. The US is drafting rules of engagement for “offensive” cyber warfare, whereas China has done little to address concerns directly. After security firm Mandiant accused China of hosting a secret military unit in Shanghai to attack US companies, officials brushed off the allegations as impossible to prove.
China says the US is attempting to “turn black into white and mislead international public opinion.” Meanwhile, US lawmakers are calling for ways to punish countries for cyber espionage. What’s really needed is clearer international guidelines, especially now that more states are joining the global cyberwars.