The U.S. And China Are Discussing A Cyber Arms Pact, But Everyone Is Still Getting Hacked

Cybersecurity firms say the “cyber arms control” deal being discussed between the U.S. and China this week doesn’t go far enough.

Chinese President Xi Jinping speaks to U.S.-based CEOs.

Pool / Getty Images

SAN FRANCISCO — The U.S. and China will negotiate the terms of what's being called one of the world's first arms control deals for cyberspace this week — but among the hundreds of American businesses which face daily infiltration attempts by hackers in China, the agreement is being described as too little, and likely, too late.

U.S. officials have said the agreement could address attacks on critical infrastructure, like power stations and hospitals. It will not, however, address cyber-espionage or intellectual property theft, such as the cyberattacks that have hit Anthem, Blue Cross Blue Shield, and Sony, or the theft of 22 million federal employees' personal data.

"This is one of the most complicated problems around. The consequences of not getting it right are immense," said Richard Bejtlich, chief security strategist of the FireEye cybersecurity firm. "Both China and the U.S. are eager to hammer something out because anything at this point would benefit either party immensely. That doesn't mean that what they are going to hammer out will make things better on the ground."

Cybersecurity firms like FireEye are part of one of the fastest-growing industries in the U.S., with companies reporting an unprecedented increase in the number of cyberattacks they face daily. In an interview with CBS last year, FBI director James Comey said there were "two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."

Despite a report last week that attempted cyberattacks had slowed in recent weeks ahead of China's presidential visit, four cybersecurity companies interviewed this week by BuzzFeed News said they had seen no slowdown whatsoever in the pace of attacks.

"If there has been a slowdown in attacks, we haven't seen it," said one CEO, whose cybersecurity firm is currently assisting a solar company which was recently hacked by China. He declined to be named as his company has not publicly spoken about what he called "repeated, serious breaches by China."

Meanwhile, in a speech Tuesday night in Seattle, Chinese President Xi Jinping appeared to deny that such hacks were even taking place, telling business leaders that "the Chinese government will not engage in commercial theft or encourage or support such theft by anyone."

"China is ready to set up a high-level, joint dialogue mechanism with the United States on fighting cybercrime," Xi said.

White House officials have said that they are keen to discuss those cyber issues with China, but that until now progress has been slow.

"Candidly, cyber is an issue where we have not made the progress that we've wanted to make," said Ben Rhodes, Deputy National Security Advisor, in a conference call with reporters earlier this week. "We believe very strongly that the U.S. and China both have an interest in investing in clear international norms as it relates to cyber activity. We're working together to try to arrive at common principles that could give us greater confidence that China is acting in a manner that does not disadvantage our businesses, and that upholds and invests in those evolving international norms."

Jay Kaplan, CEO of cybersecurity startup Synack and a former NSA cyber security analyst, told BuzzFeed that the cyber pact was a step in the right direction "in theory."

"It is completely unenforceable given the non-attributable nature of state-sponsored cyber activities," said Kaplan, referring to the various levels of deception available today for hackers to mask their country of origin. "The pact doesn't address stealing state secrets or intellectual property which is the most prevalent issue today."

The current pact under discussion is based on a code of conduct adopted recently by the United Nations, which declared that no state should allow activity "that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public."

"What is being discussed right now is what has already been agreed to in the U.N. It's to get the ball rolling by agreeing to something they've already agreed to," said Bejtlich, who speaks to Congress frequently about the threats of state-sponsored cyberattacks. "The benefits that China gets from stealing intellectual property and other data is too great for them to give up without the U.S. thinking creatively and coming up with a serious threat of action the U.S. government will take if these cyberattacks persist."

Senator Mark Warner, in an interview with BuzzFeed News this week, said that legislation was currently being discussed on how to better protect U.S. businesses, and that the U.S. government had to do more to protect American companies from cyberattacks.

"I frankly think a lot of this is originating in China and I think we need to acknowledge that," said Warner. "If they are not going to cooperate with us, we need to think about other methods."

Rhodes told reporters that at this stage, the U.S. administration was still considering sanctions on China.

"Our preference is resolving this through dialogue; we're not averse to punitive measures, including sanctions, if we feel like there are actors in China and entities that are engaged in activities that are sanctionable," said Rhodes.
