The release of Mandiant's report outlining China's cyber-espionage activities directed against the United States in recent years consumed the mainstream media today. Clearly, the report contributes much-needed (and fairly detailed) information to the domestic public discussion about American cybersecurity, provides a treasure trove of forensic and operational information to researchers in its Appendix, and perhaps even offers the White House some unclassified reference examples it can use when discussing cybersecurity matters with its Beijing counterparts.
Many nations - including China - probe our networks constantly to identify vulnerabilities in our national or commercial infrastructures for reasons ranging from attempting to steal our secrets (i.e., traditional espionage) to developing knowledge of our strategic posture that may assist future military operations (i.e., targeting intelligence). Regarding the Mandiant Report, this should not come as a surprise to anyone given the number of assorted high-profile incidents attributed to "Chinese hackers" in recent years. However, their apparent and well-documented success in doing so, and for so long, should be cause for alarm.
If the cybersecurity community in the United States (which includes lawmakers) wishes to act upon the findings of the Mandiant report, it should not start simply by ‘pointing fingers’ at China as the alleged and likely aggressor. Rather, it should look inward and ask three fundamental questions:
- What should the United States do to deter such behavior by other nations (including China) at a diplomatic level?
- What technical, social, operational, legal, regulatory, or other situations allow such attacks to be successful against us, time and again, year after year?
- What can (and must) be done - and where - to prevent such attacks from succeeding in the future?
Asking questions won't help unless the answers are truthful, objective, and can be used as a starting point for working both within the community and with well-informed lawmakers to foster the national will required to act upon those answers in a manner leading to meaningful cybersecurity improvements. As I've said for years, if something is deemed a 'critical resource' for the country or essential to national security, it must be treated as such -- and that includes bearing the economic costs of securing it. To do otherwise perpetuates the cybersecurity problem, which leads to the disturbing historical findings presented in today's Mandiant report.
Edit on 2/20 @ 0740ET: Turns out I might be right on that first bullet point. The AP reported late last night that the White House is set to announce a series of fines, penalties, and sanctions as an initial step in response to cyber-espionage activities.