Chinese hackers are unlikely to stop their campaign of commercial cyber espionage against U.S. companies, despite the deal announced last week, the top U.S. intelligence official told the Senate Armed Services Committee Tuesday.
Director of National Intelligence James Clapper told committee Chairman Sen. John McCain, R-Ariz., that he “wasn’t optimistic” that the agreement announced Friday by President Barack Obama and his Chinese counterpart Xi Jinping would curb China’s cyber espionage aimed at stealing trade secrets from American companies for the benefit of their Chinese competitors.
“Hope springs eternal,” Clapper told McCain, “but we will have to watch what their behavior is.”
“It’s incumbent on the intelligence community to depict to our policymakers what behavior changes as a result of this agreement,” he added.
Friday’s agreement came after Obama publicly threatened to use new sanctions authority against Chinese firms that benefitted from such online industrial espionage, but Clapper was careful to distinguish between that kind of hacking and more conventional cyber-spying like the breach at the Office of Personnel Management, which affected more than 22 million Americans who either applied for a security clearance or were living with or related to someone who did.
Clapper, taking another opportunity to walk back his statement earlier this year that China was the “leading suspect” in the OPM hack, said there are “differing degrees of confidence” as to whether China was to blame. But in any case, he said, such acts of conventional, albeit online, espionage are not covered by the deal — and would be difficult to sanction due to the fact that the U.S. also engages in the same practices.
“We too practice cyber espionage, and we’re not bad at it,” Clapper said. “People in glass houses shouldn’t throw rocks.”
That didn’t sit well with McCain. “So people should be able to steal our stuff because we live in a glass house?” he retorted. “That is astounding.”
McCain was one of several senators who pressed Clapper, National Security Agency chief Adm. Mike Rogers and Deputy Secretary of Defense Robert Work on why the Obama administration hasn’t developed and used more offensive cyber capabilities, as a way of deterring the bevy of cyberattacks the country is constantly facing.
“Make no mistake, we are not winning the fight in cyberspace. Our adversaries view our response to malicious cyber activity as timid and ineffectual,” McCain said in his opening statement. “The administration has not demonstrated to our adversaries that the consequences of continued cyberattacks against us outweigh the benefit. Until this happens, the attacks will continue and our national security interests will suffer.”
Work admitted that “we are not where need to be” in terms of deterrence, but he said the Department of Defense is “pushing hard” on changing the cybersecurity culture across the department. Experts say improving defenses is another way of increasing the cost of cyberattacks to the adversary because it makes successful attacks much harder to mount. Work said the Pentagon’s cybersecurity discipline implementation plan, launched in August, will hold commanders accountable for protecting systems and educating personnel. DOD is also working on fortifying its hardware, with a plan similar to how systems were built during the Cold War to withstand an electromagnetic pulse.
“The problem is that many of the old systems were not built to respond to the cyberthreats that we see today,” Work said.
Senators also took issue with the fact that the DOD’s cyberattack response policy, which was mandated by the 2014 passage of the National Defense Authorization Act, has not been finished.
“If there was an attack tonight on our infrastructure, I do not want to go on cable news tomorrow and say the administration told us the policy is still in development,” said Sen. Angus King, I-Maine. “We’ve got to get on this. The idea that we can continue to simply defend and never have an offensive capability is ignoring this enormous threat.”
King then asked all three witnesses if an offensive capability was needed to deter cyberattacks. All three answered yes.
“I don’t mean to imply that this is easy, but this is urgent,” King said. “We can’t define ourselves by saying ,‘This is complicated, we’ll get to it.’”
Rogers said the country is working to create those capabilities, but he wants to make sure it has policy in place that articulates what behavior is acceptable before it moves to the offensive.
“We need to articulate as a nation that we are developing a set of capabilities, we are prepared to use those capabilities if required,” Rogers said. “This is not necessarily our preference. We want to engage in a dialogue with those around us, but on the other hand, we do have to acknowledge the current situation we find ourselves in.”