Alleged China attacks could test U.S. cybersecurity policy

But what the government can really do remains unclear

1 2 Page 2
Page 2 of 2

Instead, what's needed is a measured diplomatic response, where the issue is raised with China when it wants U.S. cooperation on other matters, he said. "The State Department has to make it clear that these attacks are so serious they warrant a diplomatic response. I am not sure that level of commitment has been demonstrated yet," Nojeim said.

Any victories gained from cyber-retaliation are likely to be temporary, at best, Winkler said. "If you can identify the systems that are attacking us and make sure you are attacking the right systems, theoretically, that might work" to head off another attack, he said. "But that's like throwing sand in the eyes of somebody who is beating you up." It can be effective -- but only for a while, he said.

That doesn't mean, nothing can be done. U.S. organizations that are targets of attacks from China first need to bolster their defenses, said Amit Yoran, former director of the U.S. Department of Homeland Security's National Cyber Security Division. The continuing success Chinese agents have in penetrating U.S. networks points to ineffective security -- and sophisticated attackers, Yoran said.

"Companies such as Google have very, very sharp security teams, but the technologies they rely on are inadequate," said Yoran, who is currently CEO of security vendor NetWitness Corp. "We have developed a technology base in modern computing that is indefensible against modern threats."

What's needed is a security approach that focuses on continuous monitoring of networks and data, not one based solely on prevention.

"Whining about this won't stop it," said Alan Paller director of research for the SANS Institute, a Bethesda, Md.-based security institute. "Cyber-based military espionage and economic espionage are radically effective programs for the Chinese government," and it's unlikely that policy statements are going to do any good, he said. "There are simply too many attackers with too many motives to think that a policy of deterrence would be more than minimally effective."

At the federal government level, at least, "it is [security] skills with good tools that allow organizations to defend themselves," Paller said. "Sadly, these skills are in radically short supply."

The U.S government has fewer than 1,000 people with the advanced skills needed to fight in cyber space at "world-class levels," he said. What's needed are between 20,000 and 30,000 cybersecurity warriors. "Our competitors have even more."

Companies outsourcing work to China, or doing business there or in other developing nations such as India, also need to be aware of the heightened risks to their intellectual property, Winkler said. "Companies need to look at things much more strategically," he said. While it may be cheaper to outsource manufacturing in countries such as China and India, the long term costs could be high if they're not careful.

"Many are not looking at the strategic risks of a rival stealing their technology and selling counterfeit goods," he said.

As for official government cyber policies, just because the U.S doesn't have an official policy for handling attacks doesn't mean it's sitting on its hands, said one analyst who asked not to be named. "One reason why the U.S might not have come up with any rules of the road is because the NSA and other intelligence agencies are involved in the same kind of activity," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to or subscribe to Jaikumar's RSS feed

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Shop Tech Products at Amazon