5 October 2015

Why US talks will not be enough to make China ditch cyberwar

You can't trust treaties to look after your cybersecurity – organisations must protect their own data



Hey, wanna cyber? (Image: Mark Wilson/Getty)

THERE are fingerprints everywhere, but no one has been caught. On Wednesday last week, the US Office of Personnel Management (OPM) admitted that the data breach it suffered in June was worse than first thought, with 5.6 million fingerprints among the 21.5 million personal records compromised. It had thought the figure was 1.1 million.

Although guilt is hard to prove, the US government suspects that Chinese hackers stole the biometric data, enabling them to clone the identities of security-cleared personnel.

The attack is part of a string of assaults that has escalated cybersecurity tensions, and US president Barack Obama and Chinese president Xi Jinping discussed the issue this week.

On the table was a treaty that would ban destructive uses of cyberattacks in times of peace. Power stations, airlines and banking infrastructure would all be off limits, bringing cyberwarfare in line with the rules of physical conflict.

But attacks such as the OPM breach are about information extraction rather than destruction of data or infrastructure. That makes them harder to swear off. So how can the US and China’s online relationship simmer down? The current US approach of trying to strong-arm China into a policy that would ban attacks like the one on the OPM won’t work, says Jeffrey Carr, CEO of cybersecurity consultancy Taia Global. “You can’t bully China into not attacking. They can easily say it’s not us and it’s very hard to prove that it is,” he says.


“You can’t bully China into not attacking. They can easily say it’s not us, and it’s hard to prove that it is”

Instead, the solution is making systems so secure that breaching them becomes more trouble than it is worth. The other problem with the US approach is that it is treating electronic espionage from China differently to that from the rest of the world.

“The US is trying to create an exception for intellectual property theft that benefits Chinese enterprise,” says Carr, even though espionage of this sort is rife globally.

Everyone’s at it, says Christopher Burgess, a former CIA executive who now runs cybersecurity consultancy Prevendra. Attributing any kind of attack to a particular organisation is also fiendishly difficult, relying on traditional police fieldwork more than clever software.

In the indictment of Su Bin, a Chinese businessman accused of stealing trade secrets from Boeing last year, an FBI agent describes how the Chinese hacking group he discovered didn’t launch any attacks from within China. Instead they set up servers around the world, with remote command and control centres in separate countries. No data went into or out of China on the internet.

The US and China may succeed in signing a treaty that rules out physically harmful cyberattacks in times of peace. But until companies and governments start protecting their computational infrastructure, other kinds of hacking will continue. “If you are looking to make your living by stealing, this is a dream job,” says Carr.

And Thomas Rid, a cyberwar researcher at King’s College London, says the Edward Snowden leaks have made cyberwar even worse. “Lots of countries think they have to get into this game and get better at it, because look what the Americans can do.”

This article appeared in print under the headline “Firewalls trump fine words”