The U.S. and China are at war, only it’s not with guns, bombs and missiles. You won’t see burned out homes on television or streams of refugees leaving cities but the casualties are real. Instead of stealth bombers creeping through the night, this war is being fought across connected computer networks and, according to experts most familiar with the problem, the U.S. is losing.
For years the battle has raged, and an army of Chinese hackers has systematically plundered global computer networks for business intelligence, weapons designs and personnel dossiers, and has gained access to a wide variety of control systems, including those that control our power grids. They have hacked industries that support our government and contract personnel, like companies that process security clearances, insurance companies, healthcare providers, defense industries, computer security professionals and educational institutions, and they have lifted the very source code for much of the popular software running on our computers. According to an unclassified Congressional report, the Chinese have even managed to acquire the designs of every single nuclear weapon in the U.S. arsenal.
The targets constantly shift in response to economic and foreign policy priorities of the Chinese government and include almost every major government agency including the IRS, Department of Energy, the Securities and Exchange Commission and the Nuclear Regulatory Commission. Somewhat ironically the list of targets includes Homeland Security, the organization tasked with protecting our nation’s critical computer networks.
In the most recent high-profile breach, hackers managed to secure administrator privileges, the most trusted credentials on a computer network, and used them to carefully review and document the personnel files of millions of current and former government employees, including several current lawmakers. When it comes to building a dossier on government employees, the Office of Personnel Management (OPM) was the holy grail, and the hackers had more than a year to execute their plan. With that kind of time it’s safe to assume the hackers got everything they wanted, including the most coveted Standard Form (SF) 86, where those seeking a security clearance document their financial and medical histories, along with all their past sins and dirty little secrets.
Ironically, the OPM intrusion was detected during a routine upgrade of OPM’s network security. Officials may have used a security program called Einstein to trace the extent of the hack and what information the thieves obtained.
If you think you have nothing to fear because you’re not a government employee, guess again. Two health insurance giants, Anthem Inc., and Premera Blue Cross, were hacked for a combined 91 million patient records that included the names of relatives, social security numbers, birthdays, addresses, phone numbers and bank account information. There is evidence the intruders perused patient medical information as well.
The hacks are so sophisticated that Chinese hackers were able to operate with government-issued trusted security certificates that tell users that websites are safe from intruders. Back in March both Mozilla and Google stopped accepting security credentials from Chinese websites. Instead of getting to the site, visitors to Chinese websites will get a warning telling them that proceeding to the site could leave them vulnerable to attack.
This is one war that we can’t win by bombing our way to victory. Traditional military force is no good in this fight; we have to learn new ways to fight and defend ourselves in the new cyberwar arena. Anyone thinking we should simply hit back at the Chinese should consider that China is our largest trading partner and owns a lot of U.S. foreign debt. Another factor to consider is that the Chinese have a huge potential to use their access to the power grid and switching systems to do actual physical damage to the U.S. and our economy.
Imagine the effect on the world economy if the power went off in America for three months. Imagine the chaos if traffic lights in major cities suddenly went green in all directions at the same time. Imagine if millions of Americans woke up one day to find their bank accounts empty and life savings had disappeared overnight. Imagine you or a relative go to the hospital and die of insulin shock because hackers rewrote your medical records. While it may sound like the plot for a sci-fi movie, all of those scenarios are completely plausible in a cyber shooting war. Right now, we’re not prepared to wage that kind of fight.
We need to learn how to fight in the modern battlefield of cyber technologies and develop the capacity to respond with overwhelming force if it were ever needed. Then we can flex our technology muscles but, until we develop that capacity, we need to bide our time and choose our battles carefully.