Recent news stories about Chinese cyberattacks on the networks and reporters at The New York Times, the Washington Post and The Wall Street Journal -- all of which recently made startling admissions about them -- have put the topic in the public limelight in a way not seen since Google's claims two years ago about Chinese cyber-theft of intellectual property. The tension is now so high, President Obama even discussed cyber-hacking in his phone call with the newly installed Chinese President Xi Jinping last week, and today, U.S. Treasury Secretary Jack Lew is meeting in China with Xi, where one of the main topics will be how to end the cyber-hacking. It's all unprecedented.
Cyber-nationalism, as security expert and author Bruce Schneierdescribed it last week, is leading to heightened mistrust across the world "not just amongst nation-states but between people and nation-states."
Cyber-nationalism is fueling a cyber-arms race. The U.S., China, Russia and recently Germany have spoken publicly about the buildup of government-organized "cyber commands" with potentially offensive as well as defensive capabilities. And now, points out Schneier, there's heightened concern about what the origin of products and services might be on a national level. Though the creation of the Internet and the Web brought the world closer together, there's now an effort by some governments to cordon it off or censor it where it's deemed useful to the government.
Chinese cyber-espionage has long been recognized, but the current "media frenzy" about it is fueling nationalist worries, Schneier says, though he adds "people are understandably worried" about it all. But the underlying reality is that the U.S. itself has cyber-espionage operations and the U.S. is likely "giving just as good as we're getting." In addition, the U.S. Cyber Command's announcement that it's expanding from 900 people to 5,000 would certainly worry China, he points out.
William Hagestad II, cyber-security consultant and author of "21st Century Chinese Cyber Warfare," said it appears the Chinese military leadership organized their version of a Cyber Command six months after the U.S. did. Hagestad, a retired U.S. lieutenant colonel, notes there don't seem to be any real "rule of engagement" related to cyber-conflict.
As it happens, Russian President Vladimir Putin earlier this year ordered the Federal Security Service there to establish a way to detect, prevent and disable cyberattacks in Russia and its diplomatic missions abroad. The Russian government is also funding Moscow-based security firm Kaspersky Lab to devise a secure operating system intended to protect industrial-control systems (ICS) against the kind of Stuxnet-like malware attacks that hit Iranian ICS. And last June, Germany disclosed what had been a top-secret cyber-warfare unit.
Hagestad, who reads and speaks Mandarin and has studied Chinese history, said he believes the Chinese Communist Party's intent is primarily to prevent the occupation of China by foreign forces, something China has suffered over the centuries from invading armies. While China is certainly not innocent of what's it's being accused of in cyberattacks against foreign business and government, it's going down the wrong road to make China the new "bogeyman" militarily, he cautions.
One question is whether the building cyber-nationalism is having an effect on what companies and governments buy in terms of high-tech equipment for the enterprise, telecommunications networks or consumer use. Hagestad said after the U.S. House Intelligence report last October that accused China-based Huawei and ZTE of being a security threat to the U.S., the Chinese government basically banned non-Chinese purchases for the state-run telecom networks there.
However, governments around the world -- especially military or other agencies handling sensitive information -- have often had special demands for goods made locally. It's a question whether businesses and consumers not bound by special government procurement regulations will turn to buying from suppliers in countries from which they fear no cyber-espionage or attack.
Mikko Hypponen, chief research officer at F-Secure, the security firm based in Finland, said his company has seen an uptick in inquiries from customers that are related to national origin of security software. He would only say that most of these inquiries related to national origin of software came mainly from customers in the Asia-Pacific region.
Other signs crop up of sensitivity to where security products are made. For instance, Gartner noted in its enterprise firewalls report published in February that because HP's H3C firewalls were developed in China, they "aren't visible outside the Asia/Pacific region, and HP has to address concerns from many geographies about relying on technology developed in China. This situation has led to HP having to recommend competitors' firewall products as optional replacements for HP firewalls when they expire." The Gartner report also notes that another firewall vendor, Stonesoft, being headquartered in Finland -- neither in the U.S. or China -- is "being shortlisted where enterprise operations span multiple countries, including the U.S. and China."
If rising cyber-nationalism does result in China being viewed as a major threat to critical infrastructure in the U.S., there will be a terrible irony in companies such as electric-power plants wanting to go find sources outside China for the industrial-control systems and other equipment they use, says one consultant in the energy-distribution industry.
"We've stopped manufacturing large transformers here," says Joe Weiss, managing partner at Applied Control Solutions, which consults on security issues surrounding industrial-control systems used by the electric-power industry. "If you want one, you have to go to China or France." And in addition, the American makers of equipment such as SCADA systems all have major manufacturing facilities in China and equipment is sold there, too. "I think people would like to buy American," says Weiss, who says he does give credence to the many tales of cyberattacks and theft of intellectual property from China. "But the issue is, does the technology exist here?"
The sad thing in it all is the electric-power companies in the U.S. don't appear prepared to fend off cyberattacks anyway, he concluded, because security controls hardly exist for the control-systems side.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: [email protected].com.
Read more about wide area network in Network World's Wide Area Network section.