After years of silence, the United States has finally had enough of Chinese cyber-theft of trade secrets. American officials have repeatedly raised the issue with their Chinese counterparts in language that is increasingly frank.
When pressed in public or in private, Chinese officials usually respond in one of several ways. They argue that the cyberattacks are too hard to trace to know with any certainty who perpetrated them. They argue that the Chinese government can't be blamed because hacking is illegal in China. They claim that accusations of Chinese cyberattacks are just inventions intended to denigrate China. They out and out deny responsibility, pointing to the lack of solid proof. Finally, they make counteraccusations: As one Chinese spokesman explained to the Financial Times: "[A]s a late starter, China's internet is highly vulnerable and among the most victimised by cyber attacks. The latest figures show that in the past two months, 6,747 overseas servers were found to have controlled more than 1.9m mainframes in China with Trojans or botnets."
The first four of these defenses are relatively easy to dismiss. There is a decade-long history of Chinese cyber-meddling with many nations, not just the United States, which has been exceptionally well documented only to be offhandedly dismissed by Chinese officials. All modern militaries, including both the People's Liberation Army and U.S. forces, are seeking offensive and intelligence advantages through cyber-capabilities. In the face of the Department of Defense's relative transparency, Chinese denials make the PLA appear that much more culpable.
China's counteraccusations, however, demand a more detailed response. Typically these claims are a non sequitur to deflect criticism: "We couldn't be hacking you; we're getting hacked ourselves," as if cyberspace forced them to choose one or the other. For a decade, these pleas have been dismissed as the thin defense of the guilty. But there is a nugget of truth in Chinese counteraccusations. China not only has a cyber problem, it has a valid U.S. cyber problem -- and it's one that Secretary of State John Kerry appears to have agreed to address.
The Chinese press has reported that the websites of 85 public institutions and companies were "hacked" between September 2012 and March 2013, with 39 of those attacks traced back to the United States. During a similar period, Chinese authorities noted that there had been some 5,800 hacking attempts from U.S. IP addresses and that U.S.-based servers had hosted 73 percent of the phishing attacks against Chinese customers. Of the 6,747 computers controlling nearly 2 million botnets in China -- the ones the Chinese spokesman told FT about -- 2,194 were in the United States, "making it the largest point of origin of cyber attacks against China," according to Xinhua.
Perhaps oddly for Chinese statistics, these actually stand up to scrutiny: American cyberspace is one of the least secure online realms. The United States does indeed top the list of botnet controllers with 40 percent of the total tracked by cybersecurity giant McAfee; Russia accounted for 8 percent and China 3 percent. Other measurements show these nations grouped closer together, but the United States is clearly a leading source of attacks. For example, Akamai, one of the world's largest content-delivery networks, has observed that 13 percent of global attack traffic originated from the United States, though 33 percent came from China. Russia has the most malicious severs, with the United States ranking sixth; China doesn't make the top 10, according to HostExploit's latest quarterly report. After years of stories about U.S. military and intelligence cyber-capabilities, international audiences might see these statistics and agree with China that it is the Americans who are the troublemakers -- after all, they were the ones behind Stuxnet.
But China's claims of victimhood sometimes get a better hearing than they should. Western newspapers can appear balanced by reporting that each side is "trading barbs" or "exchanging allegations," while the Chinese nationalist press can assert that "the US' exaggerations of the threat posed by Chinese hackers are aimed at creating an environment to accelerate its capability to carry out a cyber war." Such messages are part of a campaign aimed squarely at the non-aligned countries, which have long worried about U.S. hegemony, including in cyberspace. It is a message that is winning adherents.