China's recent "moral equivalency" argument in support of its cyber-espionage attacks on the U.S. rings hollow, since information security firm Mandiant detailed thousands of civilian cyber-casualties inflicted by China's military. And while the U.S. military is an acknowledged world leader in cyber-espionage, it has yet to be accused of such indiscriminate targeting of civilian computers.
[The Black Hat Embedded Security Summit returns on April 23 - 24 to DESIGN West 2013. The Summit will provide essential information and tools, as well as a forum for the latest solutions for securing embedded systems from threats in today's global environment. Learn more here].
Last week, China fired a verbal salvo back at the U.S., accusing it of orchestrating relentless attacks on its secure military computers, including the Chinese Defense Ministry. China was responding to the recent report by security firm, Mandiant Corp. (Alexandria, Va.), which documented how it tracked down China's advanced persistent threats, including thousands of individual cyber attacks by its 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department (Military Unit Cover Designator 61398) in Shanghai.
China, however, stopped short of accusing the U.S. of attacking civilian computers.
In traditional warfare, the U.S. has often found its military prowess being slighted for its civilian casualties—called "collateral damage" in mil-speak—that give asymmetrical-war makers like terrorists fodder for a "moral equivalency" argument. Regardless of your politics on collateral damage in traditional warfare compared to deliberate attacks on civilians by terrorists, in cyberspace the U.S. so far has escaped such criticism.
China, on the other hand, is accused of orchestrating routine attacks not just on military computers, but on civilian computers in every developed nation of the world. In fact, military and defense contractor computers are in the minority, according to Mandiant's report on China's government sponsored "economic espionage," which claims to have evidence for attacks in 20 different non-defense related industries located in every developed nation in the world. Recently, the U.S. was charged with orchestrating attacks on Iran's nuclear centrifuges with its Stuxnet virus in a book by David Sanger entitled Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.
At DESIGN West last year, Joe Loomis, a senior research engineer at Southwest Research Institute (San Antonio, Texas) lamented the possibility of collateral infections from Stuxnet affecting civilian power grids. Despite the bare possibility exposed by Loomis, no serious collateral damage charges have yet been filed against the U.S. However, Iran has been accused of retaliating on U.S. civilians including Bank of America, J.P. Morgan Chase & Co and Citigroup Inc.
Thus the stage is set for the governments of every developed nation in the world to confront-and-conceal their covert operations in cyberspace, with the U.S., as usual, conducting military-style attacks and its adversaries responding by attacking civilians.
At the recent RSA Conference 2013 security performance management company nCircle Inc. (San Francisco) took a survey of 205 security professionals there, with 50 percent responding that they considered their company a target for state-sponsored economic espionage. The same respondents also said that China has the most advanced cyber-attack capabilities (with the U.S. coming in second).