Why Chinese Hackers Aren't A Threat
I've had enough. And no, I'm not talking coffee. No such thing as enough coffee. No, rather, I've had enough of people claiming that the sky is falling, when it clearly isn't (and making a few bucks off the fear while they're at it). I've had enough of Die Hard 4 "fire sale" scenarios, enough of Richard Clarke's "digital equivalent of thermonuclear war" fear-mongering, enough of hyperbolic news articles calling for the restructuring of the Internet to save humanity itself, and more than enough of random members of the U.S. Congress claiming they understand the threat and that it is a real one, when they can barely use the Internet themselves. Please, just stop it.
Now first, let me be clear: I do not argue that Chinese crackers do not have the skill to successfully attack American infrastructure (and most certainly this site... I know you can do it, please don't). On the contrary, I think the large body of research shows that these attacks are not only feasible, but well within the reach of these government-backed attackers. I also do not contend that they pose no threat, just not the kind of catastrophic one being shouted about from the rooftops nowadays. What I do argue is this: (a) there is no clear motivation for any such attack and (b) if they wished to commit these kinds of attacks, they would have done it by now.
"Now, hold on a second," an objector might say. "These damn commies clearly hate us for our freedom/liberty/excellent television programming/fried foods. They don't need more reason than that to attack us!" It's exactly this kind of Cold War mentality that is preventing people from understanding the true nature of China's goals in cyberspace. It's not about "spreading communism" or "fighting the capitalist pigs". It's purely about profit.
Don't believe me? Let's look at two major attacks we've seen so far from the Chinese. The most recent attack (Aurora), the one that has renewed calls for greater network security (and of course, monitoring) amongst government types across the country, was targeted almost exclusively at commercial organizations. This would seem odd, if one thought that the Chinese were trying to "destroy the capitalist system". If these attackers were easily able to break into literally dozens of high-profile, hardened target networks, what was stopping them from breaking into, say, our power grid? The phone system? Wall Street? It'd certainly be a more effective way to bring down the system. The answer: absolutely nothing was stopping them. But this is nothing to fear, because they obviously didn't and still don't want to. They chose their targets for specific reasons, and causing the downfall of the United States wasn't one of them.
So what do they want? Well, one just needs to look at what was taken. Proprietary code. Proprietary designs. Intellectual property. If you look at Titan Rain back in 2003, the story was the same. It was all about taking valuable information, and nothing else. Save a few web defacements, none of the Chinese attacks we have seen have focused on anything but stealing proprietary data. While almost all of these Chinese attackers are indeed strongly nationalistic, their goal is not to destroy the U.S., but to enrich China.
There is an excellent quote from Mark Getty that states that "intellectual property is the oil of the 21st century." By some estimates, intellectual property makes up about 20% of the U.S. GDP (and 60% of yearly growth), and I personally think that is a conservative estimate. That comes out to be a $2.92 trillion industry. By comparison, the U.S. spends only $670 billion on oil each year. Intellectual property includes every copyright, patent, trade secret, etc., that anyone is currently using to make money. That's a pretty big chunk of the economy, I would say. By breaking into U.S. networks and taking this data for themselves, China is, quite literally, stealing billions of dollars' worth of intellectual property during its intrusions into our corporate networks. It's like getting billions in free research and development, all for the cost of a single 0-day in Internet Explorer. Not bad, huh?
So why don't they take this intellectual property while at the same time crashing our economy and destroying the country? I mean, what's bad for us is good for them, right? Wrong. People often fail to understand how interconnected today's modern economy is, even after such illuminating events as the recent financial crisis. This is especially true in China's case: their economic well-being is still very dependent on the well-being of the United States. There is a saying amongst loan sharks (or so Hollywood has told me) that "dead men don't pay debts." We are currently in debt to China for over $888.5 billion. Crashing our economy, making us economic "dead men", would make us unable to repay that money, let alone with interest, which in turn would cause their own economy to collapse. Rather than jeopardize their own economic well-being, China would much rather sit back and watch the U.S. struggle to develop new technology with these loans while they collect their money with interest, while at the same time stealing the final product of the research that the money is being used to fund. Let me see if I can summarize this in more interweb-friendly terms:
I think from that summary that it is pretty clear why China is attacking our networks in the way that it is, and why we have not yet seen the kind of all-out digital warfare that pundits have been warning about nearly constantly for the past decade. There's no PROFIT at the end of the meme if they do anything else.
So does this mean that we shouldn't invest in protecting critical infrastructure and the like? No, of course not. There will always be a few people who just want to watch things burn, and we need to protect against that. However, we should be responding in a much more mature, measured, and rational way, rather than running around acting like it's 5 seconds to midnight. Encourage young people to enter the information assurance field through scholarships and higher pay for these workers, improve IDS/firewall/antivirus systems, hold corporate software makers accountable for their software vulnerabilities, and start public education campaigns to inform people enough so that maybe, just maybe, they won't click on everything that pops up in front of them. Babbling incoherently about communist threats and imminent cyber war does nothing to solve the problem, and will likely cause our limited security research funds to be invested in all the wrong places. So I ask again: please, just stop it.