America Is Basically Helpless Against The Chinese Hackers

Chinese army hackers have systematically stolen secrets from U.S. corporations for at least seven years, according to an extensive report from cybersecurity firm Mandiant.

This aggressive action warrants a strong U.S. response. Unfortunately, America appears to have only one viable option, which could take years to pay off: diplomacy.

On Wednesday the Obama administration said as much when it announced its Strategy on Mitigating the Theft of U.S. Trade Secrets. The plan seems to be lacking teeth as it states only that the Justice Department "will continue to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority" while talking a lot about beefing up security against incoming attacks.

Nevertheless, here are America's other options, and why they won't work.

Fines will be ineffective as long as China can deny accountability, which they have already done, calling Mandiant's report deeply flawed. China could also claim that it doesn't have control over the hackers.

"The Chinese can say we're victims too, and they probably are," Brookings Fellow Dr. Jonathan D. Pollack told BI.

The next step would be to appeal to the U.N.

International law expert Dr. Wolff Heintschel von Heinegg told BI that the evidence that China violated America's intellectual property rights and sovereignty "is quite impressive." This could be sufficient to demand an international investigation.

"We could say, 'what we really want is access to that building in Shanghai,'" said Pollack. If U.N. inspectors were denied access the facilities, then the denial could be taken as prima facie evidence of wrongdoing.

That's when room would be cleared for more aggressive diplomatic actions, like economic sanctions. Still, with the U.S. so entangled with China economically, that course of action is clearly not a good one.

Pollack pointed out that Coca Cola was a victim of alleged Chinese hacks, but at the same time, Coke is spending billions on access and marketing to Chinese consumers.

"Do we really want a trade war with China?" Asks Dr. Martin Libicki, a senior management scientist and cyber security specialist at the Rand Corporation (who also holds a Ph.D. in economics).

"Deep down it's our economy that's under attack here," Dave Aitel, CEO of security firm Immunity, told BI. "That's the hardest part of the game."

Furthermore, America first needs to find out how much damage Chinese hackers have done before any meaningful economic action is likely to pass through Congress.

"We really haven’t figured out how much this is hurting the American public," said Libicki. "Is this a one billion dollar problem, or is this a one trillion dollar problem? If it’s a trillion dollar problem, we do different things then."

Meanwhile, physical force is not a reasonable option.

Outgoing Defense Secretary Leon Panetta said last year that the U.S. could respond with physical force to a cyberattack that causes "physical destruction and loss of life," but China has contained itself to stealing corporate secrets.

"That type of cyber event would constitute an act of war," says David B. Lacquement, a former Army general in charge of operations for U.S. Cyber Command, and currently an expert in cyber security with Science Applications International Corporation, a firm that works closely with the government, as well as private entities, on cyber security.

Libicki said initial attempts at reaching to China's military leaders will likely be "brushed aside," and China is unlikely to stop the hackers on its own.

"We've really done nothing to address the issue with China, other than speak sternly to them," Libicki. "There's a feeling that if we actually did something, they'd take us more seriously."

"What is there left on the table to do to the Chinese? And that's probably the question that the Americans are asking themselves now," Aitel said. "They have something to point to, now what do they do with that. Hopefully they knew that they want to do, and had the report come out."

For now, corporations may have to take defense into their own hands.

Private companies and their defenses are "woefully behind the power curve" compared to state-sponsored actors, he said.

Lacquement and colleague Charles E. Beard, Jr., Chief Information Officer for SAIC, said while these companies wait for international legal action to develop, they can be boosting their own defenses.

"Clearly corporations aren't going to do offensive operations," said Beard. "If we were to take an offensive operation against state-sponsored actors, you're clearly outgunned and outmanned."

The answer, the two said, falls in line with the administration's recent executive order on information exchanges between government and private entities.

The country needs a "mechanism that allows government and commercial sharing at a very rapid rate," Beard said. "Automatic blocking and neutering of the most virile threat actors out there."

And so the hacking continues and the waiting begins. Now here's the kind of email phishing scam workers should watch out for >