Naming and shaming China over cyberspying

U.S. Defense Secretary Chuck Hagel speaks at the opening plenary session of the Shangri-La Dialogue in Singapore, June 1, 2013. Hagel will meet with defense ministers at the event and then travel to Brussels to meet with NATO defense ministers.

That seems to be the US’s strategy, with Defense Secretary Chuck Hagel calling China out at the International Institute for Strategic Studies Asia Security Summit in Singapore on June 1. It’s pretty ballsy but apparently after the Mandiant report was published and publicized, some of the relentless cyberbreaches slowed for a while, so the US is just testing out a new public-shaming strategy.

China, predictably, has countered by questioning the US claim that its Asia pivot is not about containing China’s rise.

In any case, the world will watch to see what kind of language on hacking Obama uses in public with Xi when they meet next week. 

I suppose this US shaming behavior would be unthinkable if China were a Western power. Different times call for different types of diplomacy. 

(Photo: courtesy US Defense Dept)

US is more squarely focusing cyber espionage blame on China

From the NYTimes…

The US is explicitly blaming the Chinese military for massive cyber-espionage.

The (US) report, released Monday, described China’s primary goal as stealing industrial technology, but said that many intrusions also seemed aimed at obtaining insights into American policymakers’ thinking. It warned that the same information-gathering could easily be used for “building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis.”

 

But this report suggests “cyberweapons have become integral to Chinese military strategy.”

Obviously, the US is reaching for what’s handy on the China cyber espionage issue. China is a huge country with a lot of weight to throw around. And China, modernising in the age of the internet, is using all available tools with little regard for international legal and diplomatic standards.

Meanwhile, across the Atlantic, the UK is finding out what that can mean.

 

The SEC as a force for transparency in cyber espionage events

U.S. Securities and Exchange Commission

This Bloomberg piece teases out the idea that US companies are not fully reporting the cyber espionage against them – or that the cyber espionage is not nearly as bad as the US government contends. Whichever is ultimately true, the level of disclosure from companies doesn’t match what has been discussed recently in the Mandiant report and statements from the US. 

“There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policy makers,” said Sascha Meinrath, vice president of the New America Foundation, a Washington-based policy group.

The discrepancy is understandable because this issue, while clearly going on for some time, is only now becoming public. As a rule, companies are hesitant to raise alarms with shareholders or do anything to increase the perception of risk in their operations. But it would be interesting at any one of these companies to compare the views of their chief risk officers, their executives, and the guys running their day-to-day IT security. I bet the views would vary widely within the same company. And to the government, they might be saying something else entirely, again, from a legalistic perspective.

The Securities and Exchange Commission wants any “material” intrusion to be filed with them.

“The SEC issued guidance in October 2011 telling companies to disclose cyber attacks or risks if that information is material, meaning it would affect an investor’s willingness to buy, hold, or sell the company’s stock. The business may have to describe the financial fallout of an attack if it’s ‘reasonably likely’ to lead to reduced revenue or higher costs, the guidance states.”

But the enforcement of this is unclear, too, and up to the discretion of individual companies.

If a company doesn’t disclose an attack in an SEC filing that was reported in the news media, “don’t be surprised if we ask you to provide us with a materiality analysis,” Jim Lopez, an SEC branch chief for disclosure operations, said.

I imagine in some cases, it wouldn’t be clear what the ultimate damage is. But over time, now that companies have been given the guidance and it’s a matter of public discussion, a very revealing portrait about who has been compromised may emerge.

“There is a disconnect,” Stewart Baker, a former Homeland Security Department official, said…. “All that intellectual property that the government sees leaving the country is coming from somewhere.”

While the disconnect may continue, the shift in the perception about the problem may begin to narrow the gap between what the government and what businesses are saying.