National Security

China Is a Cyber Victim, Too

The reason we should listen to Beijing's complaints about U.S. hackers.

After years of silence, the United States has finally had enough of Chinese cyber-theft of trade secrets. American officials have repeatedly raised the issue with their Chinese counterparts in language that is increasingly frank.

When pressed in public or in private, Chinese officials usually respond in one of several ways. They argue that the cyberattacks are too hard to trace to know with any certainty who perpetrated them. They argue that the Chinese government can't be blamed because hacking is illegal in China. They claim that accusations of Chinese cyberattacks are just inventions intended to denigrate China. They out and out deny responsibility, pointing to the lack of solid proof. Finally, they make counteraccusations: As one Chinese spokesman explained to the Financial Times: "[A]s a late starter, China's internet is highly vulnerable and among the most victimised by cyber attacks. The latest figures show that in the past two months, 6,747 overseas servers were found to have controlled more than 1.9m mainframes in China with Trojans or botnets."

The first four of these defenses are relatively easy to dismiss. There is a decade-long history of Chinese cyber-meddling with many nations, not just the United States, which has been exceptionally well documented only to be offhandedly dismissed by Chinese officials. All modern militaries, including both the People's Liberation Army and U.S. forces, are seeking offensive and intelligence advantages through cyber-capabilities. In the face of the Department of Defense's relative transparency, Chinese denials make the PLA appear that much more culpable.

China's counteraccusations, however, demand a more detailed response. Typically these claims are a non sequitur to deflect criticism: "We couldn't be hacking you; we're getting hacked ourselves," as if cyberspace forced them to choose one or the other. For a decade, these pleas have been dismissed as the thin defense of the guilty. But there is a nugget of truth in Chinese counteraccusations. China not only has a cyber problem, it has a valid U.S. cyber problem -- and it's one that Secretary of State John Kerry appears to have agreed to address.

The Chinese press has reported that the websites of 85 public institutions and companies were "hacked" between September 2012 and March 2013, with 39 of those attacks traced back to the United States. During a similar period, Chinese authorities noted that there had been some 5,800 hacking attempts from U.S. IP addresses and that U.S.-based servers had hosted 73 percent of the phishing attacks against Chinese customers. Of the 6,747 computers controlling nearly 2 million botnets in China -- the ones the Chinese spokesman told FT about -- 2,194 were in the United States, "making it the largest point of origin of cyber attacks against China," according to Xinhua.

Perhaps oddly for Chinese statistics, these actually stand up to scrutiny: American cyberspace is one of the least secure online realms. The United States does indeed top the list of botnet controllers with 40 percent of the total tracked by cybersecurity giant McAfee; Russia accounted for 8 percent and China 3 percent. Other measurements show these nations grouped closer together, but the United States is clearly a leading source of attacks. For example, Akamai, one of the world's largest content-delivery networks, has observed that 13 percent of global attack traffic originated from the United States, though 33 percent came from China. Russia has the most malicious severs, with the United States ranking sixth; China doesn't make the top 10, according to HostExploit's latest quarterly report. After years of stories about U.S. military and intelligence cyber-capabilities, international audiences might see these statistics and agree with China that it is the Americans who are the troublemakers -- after all, they were the ones behind Stuxnet.

But China's claims of victimhood sometimes get a better hearing than they should. Western newspapers can appear balanced by reporting that each side is "trading barbs" or "exchanging allegations," while the Chinese nationalist press can assert that "the US' exaggerations of the threat posed by Chinese hackers are aimed at creating an environment to accelerate its capability to carry out a cyber war." Such messages are part of a campaign aimed squarely at the non-aligned countries, which have long worried about U.S. hegemony, including in cyberspace. It is a message that is winning adherents.

Yet U.S. cyber-operations are extremely different from their Chinese equivalents and cannot be compared in the way the Chinese suggest. When the U.S. military or intelligence community conducts cyber-operations, they are quiet, coordinated, exceptionally well targeted, and under the strict control of senior officers and government executives. Lawyers review every stage. Even Stuxnet, though it was a breathtakingly sophisticated and brazen attack, was so tightly controlled that, when it escaped its target network, it caused no disruption. The White House keeps a close hold on cyber-operations through senior executives, generals, and political appointees throughout the bureaucracy.

Chinese espionage, by comparison, is under no such control. As in other areas of Chinese society, the People's Liberation Army and state-owned enterprises are subject to little oversight and feel little need to coordinate their actions. Recently, one colleague that works for a specialized incident-response firm reported finding as many as seven different Chinese espionage groups operating in the same network, all sending information back to different masters. Few, if any, senior party officials care to rein in activities helping domestic companies (and probably lining their own pockets) by stealing foreign intellectual property.

Yes, the United States may be addicted to using cyber-operations as a cheap and easy way to disrupt adversaries and gain intelligence, but this has absolutely nothing to do with the nation being a home for phishing sites, malicious software, and botnet controllers. These are purely criminal matters, as juveniles, organized-crime groups, and others use U.S. servers to host their felonious attempts to disrupt, blackmail, defraud, spam, and annoy the rest of us. The United States has so many computers and so much of the Internet's underlying infrastructure -- with perhaps 500 million hosts compared to 20 million for China -- it is not surprising that so many criminal attacks originate or pass through here.

Still, the United States can and should clean up its own act -- not because of any Chinese finger-pointing, but because it serves our commercial and societal interests, and because it's the right thing to do. If an attack is coming from here, there is a good chance it's because an American citizen is a criminal or because a citizen's computer or network has been taken over by foreign criminals. Either way, the U.S. government has the obligation to stop it. Yet while in Beijing, I have heard Chinese cyber-crime officials say they have asked the United States for help that never comes.

That's why it's good that Secretary Kerry just announced a joint U.S.-China working group to tackle cyber issues. In this group, American officials should shout loudly, but they should listen, too -- ask for details and hunt down the perpetrators using the resources of the Department of Homeland Security, the Department of Justice, and the FBI. Not only will cleaning up our own Internet improve cyberspace for us, it will provide a chance to shift the U.S.-China dynamic. At present, the conversation is mostly one-sided, with senior American officials berating their counterparts. Taking action on valid Chinese criticisms may help develop this into an actual conversation.

Moreover, many leaders around the world are confused about U.S. intentions in cyberspace, and concerned that, in light of Stuxnet and Cyber Command, the United States is preaching "do as I say, not as I do." If the United States were to publicly respond to Chinese counteraccusations, it could regain the high ground and demonstrate the difference between the two countries' approaches to cyberspace. The United States is committed to an open and global Internet, while China pushes a darker vision with strong national borders cutting out any objectionable material.

U.S. officials must continue their campaign to convince the Chinese leadership to reduce cyber-espionage. It may seem like tilting at windmills, but it is the right policy and long overdue. But China has some legitimate concerns also, which are in America's own interests to resolve (and be seen resolving) and the new joint working group provides the perfect opportunity. In any relationship, there is room even in the most heated argument for both shouting and listening.


Stalled Miracle

South Korea's economy isn't nearly as strong as you might think.

Once again, North Korea is grabbing global headlines by threatening aggression against its neighbor to the south and the United States. And once again, South Koreans are largely shrugging off the rhetoric from the north.

This nonchalance gives South Koreans the chance to focus on another existential threat -- one that's not so easily dismissed as bluster. South Korea's economic success -- the growth formula that brought forth the "miracle on the Han," set records for development, and is a model for other emerging economies -- is no longer working for a great many Koreans. The nation is beset by a deep middle-class malaise that could limit the consumer spending needed to create a more balanced economy and might eventually limit gross domestic product growth itself.

Yes, the government-backed programs to build up export-oriented manufacturing still produce results: South Korea leads in memory chips, LCD displays, and mobile phones; its multinationals such as Samsung, LG, and Hyundai are taking a larger share of global markets. But the typical middle-income Korean is increasingly left behind. As giant manufacturing concerns expand overseas, they are cutting employment at home, leaving job creation to the nation's small and medium-sized enterprises (SMEs) and service industries. In contrast to South Korean manufacturing firms, most of these companies are far from world-class competitors. They have much lower productivity and offer substantially lower pay.

In South Korea, over half of middle-income citizens (households making 50 percent to 150 percent of the median wage of $37,000) are paying out more each month than they bring in. South Korea's household saving rate has plunged from one of the world's highest (19 percent) to one of the lowest in advanced economies (4 percent). It has the highest suicide rate among nations in the Organisation for Economic Co-operation and Development (OECD) and one of the world's lowest fertility rates. Today, South Korea faces a war on two fronts: the prospect of a shrinking labor force along with a rapidly aging population.

Complicating matters, middle-income South Koreans are reluctant to adapt to the new reality. Women continue to drop out of the labor force to raise children (only 44 percent of Korean families have two wage earners, compared with 57 percent across the OECD), while families continue to pay a disproportionate share of income for two obsessive priorities: home ownership and education.

A new South Korean growth formula is necessary to chart the continued trajectory toward a successful and prosperous future. To relieve the strain on middle-income households caused by perverse spending priorities and create new well-paying jobs by bolstering the service economy and SMEs, the government must first attack housing costs. House payments are particularly burdensome in South Korea because most mortgages are of short duration (10 years or less) and loan-to-value (LTV) limits are tight (most mortgages are for about 50 percent of home value). While these LTV limits have protected the banking sector, they force borrowers to take out additional high-interest loans to make their home purchases. Simply by raising LTV limits and rolling those loans into larger mortgages, South Koreans could save $8 billion a year, according to our analysis. The government has already set a goal for increasing high-LTV loans, but more can be done. Other tactics would include encouraging a more robust rental market by allowing more investors (such as insurance companies) into that sector and encouraging competition that would raise the quality of rental housing.

Getting South Koreans to stand down from their education arms race will not be easy. Despite growing evidence to the contrary -- unemployment is higher for college graduates than for vocational-school grads, for example -- Koreans cling to the belief that the university degree is the only ticket to success. South Korea needs to invest more in vocational education; it should expand its new Meister high school system, a transplanted German idea to invest in schools that provide job-specific training and a path to employment. Eventually, parents will see that there is a choice.

South Korea can also do more to build up services and SMEs. In addition to building on the success of sectors such as construction engineering that are already globally competitive, South Korea can expand sectors such as health care, tourism, and financial services. In health care, South Korea has both opportunity and need. It spends just 6.9 percent of GDP on health-care services, compared with 9.6 percent in the average OECD nation, but it has a rapidly aging population that will raise demand. In particular, South Korea can expand primary care to treat patients with chronic conditions, including the elderly.

Finally, to build up SMEs, South Korea must reduce barriers to growth and try to establish a culture of entrepreneurism. It is ironic in a country dominated by chaebol (the mega-corporations created by master entrepreneurs) that most business owners are risk-averse -- focused only on making a living. But there are structural barriers, too: the chaebol rely heavily on captive suppliers for business services such as IT support, a practice that stifles competition, despite laws aimed at helping small businesses. Other regulations continue to discourage growth: estate-tax rules allow owners to pass on their businesses tax-free, as long as they are below a certain size.

South Korea needs to celebrate and teach entrepreneurism; that means better access to capital, stronger intellectual-property protections, and bankruptcy laws that let entrepreneurs recover from failures. Seoul should recognize that efforts to address these barriers have not gone far enough and should consider a more comprehensive and consistent approach to helping small companies innovate and strive for growth. A new wave of innovation can help build another South Korean miracle -- one that might have China and other rapidly developing economies looking to Seoul for inspiration as they tackle similar challenges in the coming years.

Chung Sung-Jun/Getty Images