TMCnet News

Wolf: Change Needed In Addressing Cyber Threat
[October 23, 2013]

(Targeted News Service Via Acquire Media NewsEdge) WASHINGTON, Oct. 22 -- Rep. Frank R. Wolf, R-Va. (10th CD), issued the following news release:

Speaking at a cybersecurity summit in Tysons, Rep. Frank Wolf (R-VA) today said there needs to be stiffer penalties for countries like China who threaten our national security with cyber attacks and cyber espionage.



"Let me be blunt: If we do not make an example and demonstrate public consequences against China and others, we will encourage more countries to invest in cyber capabilities to target the U.S.," Wolf said. "To date, there has been far too little done by the government to call out Beijing for its behavior and identify penalties that could be applied in response."

Wolf laid out a detailed critique of the current U.S. cybersecurity policy at the summit, hosted by the Tysons Regional Chamber. He said the Obama Administration and Congress need to do more to address the growing threat.

Wolf, chairman of the House Appropriations subcommittee that funds the FBI, said he has been to the bureau's joint cyber center in northern Virginia on multiple occasions and has seen the list of the companies, law firms, trade associations and agencies that have been hit by cyber attacks.


"It's incredible," said Wolf, a longtime and outspoken advocate for protection against foreign cyber attacks and national threats. "The list includes many of your companies - most, maybe all."

Wolf's Northern Virginia district is on the frontline in the emerging cybersecurity challenge, with a significant cyber workforce that is supporting U.S. defense and civilian agencies. He has visited a number of cyber firms and contractors in the region, including Mandiant, which in February released a report documenting the activities of a cyber espionage group connected to the Chinese People's Liberation Army (PLA) that was targeting the U.S.

Wolf made clear that the threat of cyber attacks and espionage is not from the Chinese people, who "yearn for freedom and the same universal human rights that we in the West enjoy, including the freedom of speech and religion," but instead with the Chinese Communist government.

"China's cyber espionage and theft of industrial trade secrets puts all of America's other adversaries to shame," Wolf said. "The Russians and Iranians and the North Koreans don't even come close. The PLA has put the KGB's cold war espionage campaigns against the U.S. to shame. And yet, despite all of the recent public attention, the public response is surprisingly muted. In certain quarters of the media, government and even business community, there's even an air of acceptance - as if this is just a fact of life in the 21st Century."

Wolf asked the audience to imagine PLA officers breaking into the U.S. government or contractor facilities to steal information on high-tech defense programs, or breaking into law firms to steal information about WTO trade cases.

"The American people would be outraged, and rightly so," he said. "It would be the lead story in national papers after each incident. It would be a major diplomatic ordeal and would endanger diplomatic and economic relations between the U.S. and China. And yet, because this exact same theft by the same PLA officer occurs remotely via a cyberattack, we have a tendency to shrug it off and chalk it up as 'the cost of doing business.'"

Wolf challenged the business community to push the administration and Congress to apply meaningful penalties against those who steal U.S. intellectual property.

"There is no amount of money you can spend that will buy the protection you need to protect your property absent the fear of retaliation by the U.S.," he said. "And the longer we allow China to steal our property and probe our networks with impunity, the more emboldened they will become. These may be uncomfortable truths for some, but they are the truth. It will take real leadership in government and the business community to change course and develop a durable cybersecurity strategy for our country."

EDITOR'S NOTE: In July, the House Appropriations Committee passed Wolf's annual Commerce-Justice-Science spending legislation, which included $8.1 billion for the FBI to fund national security programs, investigations of cyber attacks, violent crime and gang task force programs, and financial and mortgage fraud. It also provided an increase in funding for investigative, intelligence and technology improvements to prevent and combat malicious cyber intrusions to be known as the Next Generation Cyber (NGC), and directed the FBI to continue to produce an annual national cyber threat assessment - both classified and unclassified - that identifies and ranks the foreign governments posing the greatest threats to the U.S.

For more on Wolf's work on this issue, click here (http://wolf.house.gov/index.cfm?sectionid=211&sectiontree=7,211).

The full text of Wolf's remarks, as prepared for delivery, is below.

Good morning. I appreciate the opportunity to speak with you this morning about two of the most serious threats to our national security: cyberattacks and cyber espionage.

As Tony mentioned in the introduction, I serve as the chairman of the Appropriations subcommittee that funds lead agencies working to address the cyber threat, including the FBI and NIST.

I worked closely with former Director Mueller on the FBI's transformation immediately after 9/11 to address the threat from terrorism, and more recently have been working closely with the bureau to prepare it to deal with the growing threat from cyberattacks and espionage.

I have visited the FBI's joint cyber center in northern Virginia on several occasions and have seen the list of all of the companies, law firms, trade associations and agencies that have been hit by cyberattacks. It is incredible. The list includes many of your companies - most, maybe all.

In 2006, my office's computers were targeted and attacked by entities within China. The attackers first hacked into the computer of my foreign policy staffer, then the computers of my chief of staff, my legislative director and my judiciary staff person. They got everything.

On these computers was information about all of the casework I have done on behalf of political dissidents and human rights activists around the world.

For nearly two years, the FBI asked me not to publicly raise the attack, but in 2008 I decided to reveal the attack on the House floor to inform the American people of the threat and help remove the stigma of sharing information about these attacks.

At the same time, I introduced a privileged resolution in the House directing the Sergeant at Arms to work with the FBI to provide timely alerts to Members of Congress about the attacks and better train offices on steps to improve cybersecurity.

Fortunately, my Democrat counterpart in the Senate, Chairwoman Barbara Mikulski from Maryland, understands these issues very well and we have had a very productive relationship trying to find bipartisan solutions to this challenge.

She understands this threat as well as anyone and I appreciate her willingness to work together on the annual appropriations bills to better position the FBI, NIST and other agencies to respond to the growing cyber threat from China and other countries.

To be clear: we face cyber threats from a number of state and non-state actors, including organized crime, Russia, Iran and North Korea.

However, because the threat from China is of such a greater magnitude than all of the others combined, I want to focus my remarks specifically on cyberattacks and espionage sponsored by the Chinese government.

Let me say up front: when I talk about the cyber threat from China today, I'm referring specifically to the autocratic Chinese government - the thin layer of leadership at the helm of the Chinese communist party that rules by fear and oppression over the Chinese people.

The Chinese people are a good people who yearn for freedom and the same universal human rights that we in the West enjoy, including the freedom of speech and religion. I regularly meet with dissidents when they come to the U.S. and have traveled to China to meet with them on several occasions.

In fact, I think more Chinese citizens come through my office during their visits to the U.S. than just about any other Member of Congress.

Unfortunately, the same cyber methods the Chinese government uses to attack the U.S. are also used against the Chinese people to suppress free speech, restrict freedom of worship and engage in surveillance activities consistent with a police state.

These are the same tools that restrict the ability of the Chinese people to access information online. In fact, when I visited Beijing in 2008 immediately before the Olympics, I went to an Internet cafe and unsuccessfully attempted to access my own Web site, along with that of the Dalai Lama and others which the Chinese government deems unacceptable.

As many of you know, northern Virginia has become the frontline in the emerging cybersecurity challenge, with a significant cyber workforce that is supporting U.S. defense and civilian agencies.

Over the last year I have personally visited a number of the firms and contractors in the region that are helping the government better defend networks and address gaps in security.

You may recall that earlier this year the cybersecurity firm Mandiant, which is headquartered in northern Virginia, released a report documenting the activities of a cyber-espionage group connected to the Chinese People's Liberation Army (PLA) that was targeting the U.S.

I visited Mandiant's office in Reston in May shortly after it released its landmark report. In talking with them and other contractors, I continue to be struck by both how pervasive and insidious the threat is, how much we have lost and continue to lose to cyberespionage and how challenging it is to curb it.

Here are just a few U.S. entities that have publicly attributed cyberattacks to China over the last year alone: Coca-Cola, Council on Foreign Relations, U.S. Department of Energy, New York Times, Bloomberg News, The Wall Street Journal, Washington Post, Twitter, Facebook, Apple, Aspen Institute, Telvent, Microsoft, EADS and Evernote. The list also includes the personal computers of Admiral Mike Mullen, the former chairman of the Joint Chiefs of Staff.

They even targeted the McCain and Obama presidential campaigns in 2008 and the Romney and Obama campaigns in 2012.

Again, these are the ones publicly attributed to China.

As I mentioned earlier, I have seen a much more extensive list at the FBI's joint cyber center that makes clear just how broad and pervasive the threat is.

The full list is stunning. It includes federal agencies. It includes law firms. It includes all elements of the defense and high-tech communities.

It is highly likely that some of the companies represented here in this room have been on that list.

This morning I would like to talk a bit about the true scope of this threat and say some things about the nature of the threat and our current response posture that might be a little controversial.

First, a few facts to frame the discussion today:

* Last year, former FBI Director Robert Mueller said that while terrorism is the greatest threat today, "down the road, the cyber threat will be the number one threat to the country."
* The director of the National Security Agency recently described Chinese espionage of U.S. technology as "the greatest transfer of wealth in history."
* Cyberespionage is having a real and corrosive effect on U.S. job creation. Last year, the Washington Post reported that, "[t]he head of the military's U.S. Cyber Command, Gen. Keith Alexander, said that one U.S. company recently lost $1 billion worth of intellectual property over the course of a couple of days - 'technology that they'd worked on for 20-plus years - stolen by one of the adversaries.'"
* In April, Verizon released its annual cyber report which found that "96 percent of recorded, state-affiliated attacks targeting business' trade secrets and other intellectual property in 2012 could be traced to Chinese hackers."
* Both government and industry experts have repeatedly told me that there is no "silver bullet" solution to the cyber threat - just constant vigilance and spending more resources to make systems as secure as possible.
* There's also a nexus between cyber espionage and China's traditional espionage efforts. Of the 19 trade secret espionage cases that have been brought under the Obama Administration, 16 of the 19 cases involved Chinese nationals spying for Chinese institutions and some of these cases had a cyber-component. That's 85 percent of all DOJ espionage cases that have involved Chinese espionage.

Clearly, China's cyber espionage and theft of industrial trade secrets puts all of America's other adversaries to shame. The Russians and Iranians and the North Koreans don't even come close. The PLA has put the KGB's cold war espionage campaigns against the U.S. to shame.

And yet, despite all of the recent public attention, the public response is surprisingly muted.

In certain quarters of the media, government and even business community, there's even an air of acceptance - as if this is just a fact of life in the 21st Century.

Imagine for a moment if PLA officers came into the U.S. and physically broke into government or contractor facilities to steal information on high-tech defense programs or broke into law firms to steal information about WTO trade cases.

Or worse, what if they physically broke in to place malicious code to disrupt U.S. power plants, electric grids, dams or telecom networks on command?

The American people would be outraged, and rightly so. It would be the lead story in national papers after each incident. It would be a major diplomatic ordeal and would endanger diplomatic and economic relations between the U.S. and China.

And yet, because this exact same theft by the same PLA officer occurs remotely via a cyberattack, we have a tendency to shrug it off and chalk it up as "the cost of doing business."

I couldn't disagree more. And the current culture of acceptance of this threat in Washington is troubling.

In a way, the current "Washington consensus" on cyber parallels those in the 1970s and 1980s who warned the Soviet Union was undefeatable and the U.S. should learn to live with it. Then President Reagan was elected and challenged that paradigm.

We need the same type of paradigm shift on cyber.

The government and cyber industry have developed the unfortunate habit of referring to the Chinese state-sponsored cyber threat as the "Advanced Persistent Threat" - or APT.

Why? The threat is not a secret. I hope it's not a reflexive fear of antagonizing diplomatic and economic relations with Beijing.

While it may be more comfortable not to identify the source, it's disingenuous and ultimately dangerous. If we don't start publicly "naming and shaming" the actors responsible for threatening our national security and undermining job creation, they can continue to act with impunity in the public square.

Let me be blunt: if we do not make an example and demonstrate public consequences against China and others, we will encourage more countries to invest in cyber capabilities to target the U.S.

To date, there has been far too little done by the government to call out Beijing for its behavior and identify penalties that could be applied in response.

There was a brief moment of progress earlier this year when Mandiant and the Obama Administration both produced reports identifying Beijing's role in the cyberattacks against the U.S.

Unfortunately, there has been little follow through by the Obama Administration since that time - and there is little evidence that China's behavior has changed because there were no serious consequences.

That's why we need a sustained effort by the government and industry to quickly and publicly identify Chinese cyberattacks. The U.S. also must develop a range of diplomatic and economic penalties for continued attacks. Most importantly, we must follow through on applying penalties.

Only through public identification and clear consequences do we have any hope of modulating the behavior of China and other state actors that are attacking our country.

These actions require strong leadership from the White House, and a coordinated effort by the State Department, Defense Department, Treasury Department, FBI and Homeland Security, to be effective.

Unfortunately, I do not believe that the current administration has the foresight or the fortitude to identify penalties and follow through on them. Congress also has a role to play, particularly in funding critical cyber capabilities at the Defense Department, FBI, Homeland Security and NIST.

As chairman of the subcommittee that funds several of the key agencies involved in the cyber response, I have taken several proactive steps to bolster our capabilities.

I prioritized cybersecurity programs in the fiscal year 2012 and 2013 Commerce-Justice-Science Appropriations bills, including significant increases to the FBI's joint cyber task force and requiring each agency to vet its IT equipment purchases.

I directed the FBI to produce an annual unclassified cyber report to help raise public awareness of the source of the threats.

I will continue to prioritize funding and attention in Congress to better position the government to be more proactive in addressing this threat.

To summarize: the government's status quo posture of pouring money into better securing networks is unlikely to yield a change in the threat itself. It will take a fundamental change in strategy that results in direct penalties to influence the behavior of our adversaries.

It is often said by government officials that we're in a similar position now on cyber as we were with regard to terrorism in the years leading up to 9/11.

However, if we learned any lesson from that attack, it's that the failure to confront the threat as it emerged and metastasized resulted in terrible consequences - consequences we're still dealing with both at home and abroad.

There is no easy way to address the cyber threat from China or other countries that are following its model of cyberattacks and espionage, but we need to adjust our posture to find a meaningful response.

We're already years behind where we should be and I'm not optimistic that this administration will change course in its remaining three years.

That's why I hope that the business community will push hard on the administration and the Congress to apply meaningful penalties against those who steal your intellectual property.

There is no amount of money you can spend that will buy the protection you need to protect your property absent the fear of retaliation by the U.S. And the longer we allow China to steal our property and probe our networks with impunity, the more emboldened they will become.

These may be uncomfortable truths for some, but they are the truth. It will take real leadership in government and the business community to change course and develop a durable cybersecurity strategy for our country.

Another related area where I fear the U.S. has failed to develop a coherent and strategic policy is the unique and unprecedented threat from Chinese state-owned or state-directed companies that are operating in the U.S.

I believe this threat is particularly pronounced from Chinese telecom firms that are connected to the PLA.

Last year, The Economist magazine published a special report on Communist Party management of Chinese corporations. The article noted the Chinese government's particular support for its telecom and IT industry, noting that, "the end result is the creation of a new class of state companies: national champions that may not be owned by governments but are nevertheless closely linked to them." The article reported that "[t]he (Communist) party has cells in most big companies - in the private as well as state-owned sector - complete with their own offices and files on employees. It holds meetings that shadow formal board meetings and often trump their decisions."

Author Richard McGregor wrote that the executives at major Chinese companies have a "red machine" with an encrypted line to Beijing next to their Bloomberg terminals and personal items on their desks.

Given this level of party control in China's private sector, we shouldn't be surprised to learn that the PLA has been operating cybermilitias out of telecom companies.

Currently, the most concerning of these Chinese telecoms is Huawei, which is attempting to increase its market share in the United States and around the world. Numerous government reports have linked Huawei's corporate leadership to the Chinese intelligence services and the PLA, raising concerns about Huawei networks and devices being subject to espionage by the Chinese government.

Huawei's efforts to sell telecom equipment to U.S. networks have long troubled the U.S. defense and intelligence community, which has been concerned that Huawei's equipment could be easily compromised and used in Chinese cyberattacks against the U.S. or to intercept phone calls and e-mails from American telecom networks.

Over the last several years, Huawei's top executives' deep connections to the PLA and Chinese intelligence have been well documented.

As national security reporter Bill Gertz summarized in an article last year, "a U.S. intelligence report produced last fall stated that Huawei Technologies was linked to the Ministry of State Security, specifically through Huawei's chairwoman, Sun Yafang, who worked for the Ministry of State Security (MSS) Communications Department before joining the company."

It's not just Huawei's longstanding and tight connections to Chinese intelligence that should trouble us. Huawei has also been a leading supplier of critical telecom services to some of the worst regimes around the world.

Last year, the Wall Street Journal reported that Huawei "now dominates Iran's government-controlled mobile-phone industry...it plays a role in enabling Iran's state security network." Huawei also sold its telecom equipment to Saddam Hussein's Iraq and Taliban-controlled Afghanistan.

Given all of this information, there should be no doubt Huawei poses a serious national and economic security threat to the U.S.

But I fear that with Huawei's rapid growth in the U.S. market, we may soon find that we are too intertwined with Huawei network equipment and devices to address potential security concerns. We must resolve these concerns before Chinese telecom firms make significant inroads on U.S. networks, not after.

Perhaps that is why Beijing has ensured that Huawei is able to continue its global market growth by "unsustainably low prices and [Chinese] government export assistance," according to this commission's January 2011 report on the national security implications of Chinese telecom companies.

For these reasons, I included a provision in the FY2013 Commerce-Justice-Science Appropriations bill restricting agencies from buying products from Chinese state-owned, state-directed or state-subsidized telecom companies, like Huawei or ZTE.

I believe this is a responsible and prudent step, especially in light of the Intelligence Committee's recommendation that Congressional committees "consider potential legislation to better address the risk posed by telecommunications companies with nation-state ties."

Not surprisingly, this move attracted a lot of attention from the media and the Chinese government.

I believe this is the first time the Congress has taken such a clear step to restrict this questionable equipment - and also helped raise awareness of the threat.

It also doesn't hurt that provisions like this also subtly penalize the Chinese government for its market manipulation by heavily subsidizing these firms' expansion in strategic markets, like the U.S.

Last month, the Washington Free Beacon reported how the Chinese government has now presented the Obama Administration "with a detailed list of space, military, and defense technology controls that it wants changed, and an interagency review is underway to meet some of Beijing's demands, according to U.S. officials."

Of course, one of the items on the list was the provision I included to restrict the sale of this questionable telecom equipment to certain U.S. agencies.

It doesn't surprise me that the Chinese government is asking for it to be removed, but it does deeply concern me that the Obama Administration is considering offering its removal as a concession.

These mixed messages undermine efforts to send clear signals to Beijing about the consequences of bad behavior.

I have also been troubled to see how some U.S. tech companies have been asked to lobby Congress against the provision, perhaps at the behest of their Chinese subsidiaries, in order to preserve maximum access to the Chinese market - all the while knowing that their intellectual property is being stolen each and every day and provided to Chinese state-directed firms.

It's one thing to turn a blind eye when China steals your property, but it's another thing to lobby against your own government's efforts to protect its own systems.

I believe the U.S. tech community needs to take a long, hard look at its actions and consider what the long-term consequences of China's espionage and intellectual property theft will be.

To summarize, it's clear that government agencies and contractors are doing the best they can to protect our networks and information.

However, playing purely defense is a losing strategy - there is no amount of money that could be spent to fully secure our networks and keep up with ever-changing and innovative threats, especially from state actors like China who have made the theft of U.S. technology a key part of their development and national security strategy.

Similarly, if we allow our critical infrastructure, like telecom networks, to be built with equipment provided by Chinese state-controlled firms, there is no turning back.

This is a dangerous and self-destructive course.

For these reasons, again, we need to develop a cohesive and effective national policy to deal with cyber threats. It will require cooperation between government and industry.

I hope your companies will encourage the government to develop a more strategic and sustainable national cybersecurity strategy for the 21st Century that confronts the threat from nation states, like China, head on.

Thank you. I would be happy to take a few questions.

(c) 2013 Targeted News Service
