Fergus Hanson is author of Internet Wars: The Struggle for Power in the 21st Century. This post on economic cyber espionage (parts of which were also included in an article for the Brookings Institution) is part of a series that will also examine citizen activism, control of economic chokepoints, and cyber warfare.
Prime Minister Malcolm Turnbull has said 'We have to recognise that the disruption that we see driven by technology...is our friend'. But if this friendship is to be maintained, we have to acknowledge major transformations are occurring that require urgent engagement.
A huge issue is economic cyber espionage, particularly the state-sponsored variety. This is what the then director of the NSA General Keith Alexander referred to when he spoke of 'the greatest transfer of wealth in history'.
After troubled previous attempts to reach agreement, last month presidents Obama and Xi announced 'neither the US or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property', and referred to significant progress in how the two countries will co-operate on law enforcement when perpetrators are identified.
But as President Obama hinted, the issue is far from resolved. Standing beside his Chinese counterpart he said 'the question now is, are words followed by actions'. Unfortunately, the most immediate test of the new agreement is also one of the most fraught.
In May 2014, the US Justice Department issued five arrest warrants for members of the Chinese military who were alleged to have conducted cyber attacks against US companies. It's hard to imagine China is in a rush to hand them over, but surprisingly, the Washington Post has reported that 'The Chinese government has quietly arrested a handful of hackers at the urging of the US government...It is not clear if the hackers arrested were with the Chinese military, but they were accused of carrying out state-sponsored economic espionage.'
Despite these positive early signs, the agreement leaves many serious gaps.
Given the massive economic losses experienced by the US, the focus last month was naturally on the theft of intellectual property. However, there are other reasons for attacking a US company besides stealing its IP. In April, the Citizen Lab at the Munk School of Global Affairs released a report on a new offensive tool, 'the Great Cannon', that China had developed and used against selected pages of GitHub, a code-sharing site. The targets included pages on the site that monitor Chinese online censorship, and others that publish a Chinese language version of the New York Times.
Political revenge is another motivator: last year Iranian hackers launched a large cyber attack on Las Vegas Sands casino in an apparent attempt to get back at its CEO and majority owner Sheldon Adelson for comments he'd made about Iran. There are also military rationales for hacking into certain companies, which could be activated in the event of a conflict or as a coercive measure.
The Iranian example also highlights how the bilateral nature of the China-US agreement excludes other significant perpetrators of IP theft. As US Director of National Intelligence James Clapper stated in his report to the Senate Armed Services Committee in February: 'several nations — including Iran and North Korea — have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives'. He also noted 'the Russian cyber threat is more severe than we had previously assessed'.
The threat to Australia is also real, especially if we are to meet the Prime Minister's ambitions of being 'a nation that is agile, that is innovative, that is creative.' The first unclassified Australian Cyber Security Centre Threat Report released in July described the threat as 'undeniable, unrelenting and continues to grow'. It stated:
In 2014, CERT (Computer Emergency Response Team) Australia responded to 11,073 cyber security incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.
As the report noted, this was very likely an underestimate, as CERT relies on voluntary reporting and many companies would be unaware they have been attacked. The report also noted the key role of governments in these economic attacks:
Foreign state-sponsored adversaries are targeting the networks of the Australian government (including state and territory), industry and individuals to source economic, foreign policy, defence and security information, and gain advantage over Australia.
There are two major issues here that Australia needs to address. The first is domestic. There is an urgent need to increase the cost and difficulty of stealing Australian IP, theft that erodes our economic competitiveness and ultimately our national security. There are many options available to government. A low-risk option is to work with the private sector to ensure organisations are aware of the threat, and enforce cyber security standards. As the US Director of National Intelligence observed: 'China is an advanced cyber actor; however, Chinese hackers often use less sophisticated cyber tools to access targets. Improved cyber defences would require hackers to use more sophisticated skills and make China's economic espionage more costly and difficult to conduct'.
The second imperative is to develop norms of behaviour that counter the current permissive environment. As President Obama acknowledged in his press conference with Xi Jinping:
…because this is a global problem, and because, unlike some of the other areas of international cooperation, the rules in this area are not well developed, I think it's going to (be) very important for the United States and China, working with other nations and the United Nations...and the private sector, to start developing an architecture to govern behavior in cyberspace that is enforceable and clear.
The challenge will be finding the right forum to pursue what will likely be a long road to consensus. The UN route has the advantage of bringing all states to the table, but it also has many downsides. These include excluding critical actors, such as the internet governing bodies and major IT companies. The UN is also vulnerable to efforts by some states to reduce protections for human rights and free speech.
Another option might be the G20, which brings together key states, the private sector and civil society (through the B20 and C20). It operates more informally, which lends itself to an area like this where agreed norms of behaviour are desperately needed but formal agreement is unlikely for many years to come.
If Australia is to embrace technology-driven change, there is an urgent need for government to ensure Australian IP is protected from theft both by strengthening defences and ensuring Australia is front-and-centre in developing acceptable global norms.