U.S.-China Cybersecurity Cooperation
Capstone Report
School of International and Public Affairs
Columbia University

Ian Adelson
Mellissa Z. Ahmed
Vivian Coyne
Han Lim
Zhifan Jia
L.C. Paisley
Kim Truong

Faculty Advisor: Roy D. Kamphausen

June 2014

The thoughts, ideas, opinions and language of this document are those of the authors and do not represent the views of the United States Government (USG) or the Department of Homeland Security (DHS). Any assistance provided to the authors by DHS personnel and any mention of DHS in the document does not constitute or imply the endorsement, recommendation, or favoring by DHS, or the USG. Further, neither the USG nor DHS validates the accuracy of the research or writing of the authors, and neither the USG nor DHS provides any warranties regarding the veracity of any statements contained in this article.

Summary

Cybersecurity has historically been a contentious issue between China and the United States, yet both countries would benefit from strategic cooperation in this area. The two global powers are vested stakeholders in an interconnected international system of trade, finance, and other globalized institutional systems. Cyber networks underpin the critical infrastructures of such systems, and cyber protection necessitates the information exchange of threats as well as coordinated efforts in managing defensive capabilities.

The organization of this report addresses two main realms of analysis: 1) Foundational knowledge on China in cyberspace and information culture, and 2) Proposed infrastructure sectors for U.S.-China cyber cooperation. To address barriers to constructive dialogue, the report describes key practices in Chinese cultural communication intended to maximize mutual understanding. To provide context on China’s perspective on cybersecurity, we then outline its cyber priorities and key actors, namely CNCERT.
The second half of the report details the particular critical infrastructure sectors that are most ripe for cooperation: finance, commercial port cybersecurity, and civilian nuclear energy. These areas provide compelling cases for building cybersecurity cooperation between the U.S. and China based on our analysis of mutual interests and shared threat vulnerabilities. The three infrastructure sectors also present viable opportunities for building cooperation through information sharing against third party threats, establishing boundaries of cooperation, initiating multilateral exercises, and exchanging best practices.

Our research, based on recent literature and a dozen expert interviews, concludes with the following recommendations:

Financial Systems:
- Timely information sharing on threats to develop effective measures against cyber attacks
- Given China’s vested monetary interests in U.S. financial cyber networks, establish cooperation to defend against third-party attacks
- Agree that certain areas are sacred and should be safeguarded from malicious activity by governments, such as financial exchanges and clearinghouses

Commercial Port Security:
- Bilateral information sharing against third-party threats
- Regular exchange of best practices in commercial port cybersecurity
- Joint proposal to amend IMO International Port Security standards to include cybersecurity

Civilian Nuclear Energy:
- Initiate cyber cooperation with the China Atomic Energy Authority on civilian nuclear energy and its related infrastructure components
- Cooperation with the China-U.S.
Center of Excellence on Nuclear Security

Contents

Acronyms
Overview
Chinese Culture & Communication Strategies
Chinese Cyber Priorities, Perceptions and Key Actors
Lessons Learned: Attacks on Government Infrastructure
Proposed Infrastructure Sectors for Cooperation
  Cooperation Sector 1: Financial Systems
  Cooperation Sector 2: Commercial Port Security
  Cooperation Sector 3: Civilian Nuclear Energy
Conclusion
Appendices
  Appendix A: Chinese Perceptions of Internet Information Access & Usage
  Appendix B: List of Experts Interviewed
Authors’ Contact Information
Endnotes

Acronyms

CCG Chinese Coast Guard
CAEA China Atomic Energy Authority
CERT Computer Emergency Response Team
CHIPS Clearing House Interbank Payments System
CNCERT China's Computer Emergency Response Team
CND Computer Network Defense
CSI Container Security Initiative
DDoS Distributed Denial of Service
DHS U.S. Department of Homeland Security
DoE U.S.
Department of Energy
EDF Électricité de France (Electricity of France)
ENISA European Network and Information Security Agency
EU European Union
GAC Chinese General Administration of Customs
ICE Immigration and Customs Enforcement
ICS Industrial Control Systems
IMO International Maritime Organization
ISAC Information Sharing and Analysis Center
NCCIC National Cybersecurity and Communications Integration Center
NNSA National Nuclear Safety Administration
NSS Nuclear Security Summit
RFID Radio-Frequency Identification
SCADA Supervisory Control and Data Acquisition
STIX Structured Threat Information eXpression
SWIFT Society for Worldwide Interbank Financial Telecommunication
TAXII Trusted Automatic eXchange of Indicator Information

Overview

This report examines U.S.-China relations and seeks opportunities to leverage cooperation on computer network defense (CND) activities to achieve shared goals. The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) was a source of information for our capstone team as we worked to identify cultural barriers to communication and cooperation with potential Chinese counterparts, and to develop specific scenarios and recommendations for improving cooperation between the two countries on CND activities. Our recommended areas of cooperation focus on areas outside defense and national security in order to avoid contentious issues and mistrust.

This report finds that there are opportunities for the United States to propose cyber cooperation with China in the areas of protecting financial systems, commercial port security, and civilian nuclear energy. While acknowledging the large amount of recent public information about cyber attacks on U.S.
entities coming from the People’s Republic of China, this report does not focus on a restatement of the Chinese cyber threat or its competitor status, and explicitly seeks the least politically contentious areas for cooperation. We also propose several diplomatic initiatives as part of recommendations for cyber cooperation but do not elaborate on the mechanics of how these initiatives would be executed—this level of detail is beyond the scope of this report but presents an interesting and necessary area of further research for implementation.

Methodology

We first reviewed the critical infrastructure sectors that DHS is tasked to protect as well as industries represented by Information Sharing and Analysis Centers (ISACs). We examined which infrastructure sectors were least politicized and most urgent for cooperation with China by considering the following questions:

- Do the U.S. and China share vulnerabilities and third party threats in this sector?
- Do the U.S. and China share economic or other interdependencies in this sector?
- Are there viable opportunities and imperatives for information exchange?

Some infrastructure areas, such as transportation and water systems, are structurally more confined within domestic borders as compared to internationally integrated areas, such as trade and finance. We focused our analyses on these latter sectors.

In order to provide actionable guidance on approaching the Chinese on cybersecurity on infrastructure systems, we identified Chinese counterparts that NCCIC should consider approaching, outlined cultural communications strategies, and conducted a brief literature review of recent areas of cyber cooperation and lessons learned. The findings and recommendations are also based on a dozen interviews with selected regional and functional experts in U.S.-China relations, cybersecurity, and critical infrastructure.1

1 For a full listing of all interviewees, see Appendix B.
Our interviews did not include native Chinese cybersecurity experts due to our limited time and resources.

Culture and Communications Strategies2

Introduction

To build productive dialogue, it is essential to understand the differences in culture and communications between the two countries. Unlike the U.S., Chinese strategic culture is characterized by ambiguity, disinformation and secrecy. Through this approach, China aims to achieve its strategic objectives, thereby “winning without fighting.” The way in which an entity shares information reflects its strategic culture, which, in China, is traditionally dominated by the state.1

Differences in cultural values and assumptions are usually invisible, often subconscious, and difficult to discern by an outside observer. Because of the subtlety surrounding cultural values, it is necessary to pay attention to some distinct facets of Chinese culture, especially bureaucratic culture, which Chinese counterparts may reflect.

Key Concepts of Chinese Culture

"Guānxì", or Personal Connections

"Guānxì" (关系) is one of the most powerful forces in Chinese culture. Though the direct translation of "guānxì" is "relationship," the concept as it is used and applied in Chinese culture is much richer and encompasses more than a simple interaction. "Guānxì" expresses the relationship of one person to another, or one party to another. More importantly, the term also expresses an obligation of one party to another, built over time by the reciprocation of social exchanges and favors. If one has "guānxì" with another, one will perform a favor or act on another’s behalf, and depending on the depth of the relationship, do anything necessary for the other party. By establishing this type of relationship with someone, the other party is implicitly agreeing also to be available to reciprocate when the need arises.
Thus, "guānxì" can be considered as a type of currency that can be saved and spent between the two parties. Like money, it is a resource that can also be exhausted, so one must be sensitive not to overextend or use up the "guānxì" that has been established. However, reciprocity does not suggest immediate, American-style reciprocity. In China, favors should be always remembered and returned, though not necessarily right away. Long-term reciprocity is a cornerstone of enduring personal relationships.

Hierarchy and Holistic Thinking

Under Chinese bureaucracy, the extreme respect for authority tends to result in centralized decision-making and acceptance of hierarchy. However, respect for hierarchy tends to hinder the development of individual responsibility and initiative. For example, holistic thinking is an indirect result of hierarchy. Under such a system, individual ideas are no longer important, and the reluctance to express one’s own ideas is reinforced by the belief that it is risky and irresponsible to stand out.

Another embodiment of holistic thinking is that the Chinese think in terms of the whole, while Americans think sequentially and divisionally, breaking up complex negotiation tasks into a series of smaller issues, such as price, quantity, warranty, and delivery. Chinese negotiators tend to focus on the whole of the matter, skipping among smaller sub-issues, and from an American perspective, seemingly not settling any of them.

2 For more information regarding cultural communication, please see the following resources: The Chinese Negotiation by John L. Graham and N. Mark Lam, UMD LSBE Study-in-China 2010, and Harvard Business Review on Doing Business in China.

“Face” or Social Capital

Fundamentally, “face,” or “miànzi,” (面子) represents a person’s reputation and feelings of prestige (both real and imagined) within their workplace, society, and family.
The concept of “face” can be more deeply understood within the historical context of China as a highly hierarchical society. The position that a Chinese person occupies relative to others commands a certain degree of respect and requires certain types of behavior. For example, a director of a Chinese government organization might expect their subordinates to use the honorific, which includes the person’s position (e.g. Director Chen), when addressing him or her. If the subordinate fails to use the honorific or polite speech, the director could potentially feel slighted, embarrassed, and/or angry. In effect, the director would lose “face” in the eyes of their colleagues and observers.

While Americans tend to think in absolute terms—a person either has or does not have prestige and dignity—the Chinese think of face in quantitative terms. Face, like money, can be earned, lost, given, or taken away.

Recommended Confidence Building Measures

1. It is acceptable to approach a Chinese official at a meeting event and introduce yourself. However, it is even better if someone the official knows makes the introduction.

2. It is not acceptable for a junior member of a foreign delegation to reply to or challenge the arguments of a senior Chinese delegation member during a meeting because the senior Chinese official could lose face. “Matching” is important in China. A safe way is to always use a senior delegation member as a spokesperson and have the junior members remind that person if any important point has been left out.

3. Chinese counterparts would be pleased to hear you speak basic Chinese (e.g. greetings) as it shows that you are interested in understanding more of Chinese culture and you have made efforts to do so. In the worst case, you all will have a good laugh about it and they would likely be more than happy to help you improve your skills, presenting another opportunity to advance your relationship.

4.
When drinking alcohol during a Chinese party, people will likely toast you to show their respect and hospitality. As a foreigner, you are not expected to do likewise, but it will be much appreciated if you do. Once you have started, make sure you toast your partners starting with the highest-ranked officials. This act is called “jìngjĭu,” which is proposing a drink. When you toast, finishing your drink helps convey your respect. You may propose a simple toast, “gānbēi,” which translates literally as “drying the cup.” Given the culture of holistic thinking, performance at any out-of-office events has an impact on the overall relationship.

A Note on Expectations for Hosts

It is important to note that reciprocation can itself act as a confidence building measure when your organization is hosting its Chinese counterpart. As hosts, Chinese organizations can be exceptionally enthusiastic in structuring their guests’ stay beyond the typical meeting and institutional tour, in contrast to American hosts, who would prefer to structure their free time individually. This can be attributed in part to an appreciation for the rich historical continuity of Chinese culture. Chinese hosts also take great pride in anticipating the needs of their guests, and view a busy schedule as one way of expressing that care. However, many Chinese hosts are increasingly aware of the differences between Chinese and American host etiquette and may opt to leave their American guests the ability to structure their own free time.

When hosting a Chinese delegation, the best option is to assume a similar level of enthusiasm or involvement when planning your guests’ stay—within the limits set on your organization. While it may certainly be impossible to host dinners and accompany your guests on a tour of the local sights, it would be extremely well received to schedule your guests for a meaningful tour of Washington, D.C.
or to assign a point person to manage your guests’ trip.

Summary: American vs. Chinese Cultural Values and Ways of Thinking

                        American                  Chinese
Qualities               Individualist             Collectivist
                        Egalitarian               Hierarchical
                        Information-oriented      Relationship-oriented
                        Reductionist              Holistic
                        Sequential                Circular (indirect)
Method of persuasion    Proposal First            Explanation First
                        Impatient                 Enduring
Terms of agreement      Forging a “good deal”     Forging a “long-term relationship”

Terminology

Some English words are difficult to translate or have no equivalents in Chinese; thus, misunderstanding may occur. The following are a few examples:

Untranslatable Word                        Alternative
Engage/engagement (in a business sense)    Involve, participate
Frame (as a verb)                          Form, devise
Embody/Embodiment                          Includes/contains (something)
Connotation                                Implication
Denotation                                 Use literal or primary meaning

Useful Chinese Phrases

- “Nihao” (你好) means “hello”, “xiexie” (谢谢) means “thank you”, and “zaijian” (再见) means “goodbye”
- When you see your Chinese partners for the second time, you can begin with “haojiubujian” (好久不见), meaning “long time no see”
- When you want to express that you and your counterparts should “make much of what is common and minimize differences,” you can use “qiútóngcúnyì” (求同存异), which is widely used by Chinese government officials

Chinese Priorities and Key Actors

China’s Cyber Priorities

China’s main priorities are to maintain regime stability, combat third party threats, enforce laws, and promote innovation in cyberspace. The first priority, of combating anti-government speech, is worth noting, but may not be a fruitful avenue for cooperation given that this is primarily a domestic issue and not one on which the two sides agree. Combating third-party threats holds more promise: framing cyber priorities as a joint desire to prevent a bored young man in Eastern Europe from accessing U.S.
or Chinese bank accounts or shutting down a major container port could be a productive way to view this issue. China must also, like the U.S., combat traditional criminals who are now able to sell illegal goods or communicate more easily online. Finally, as in the United States, the need for security must be balanced with freedom to innovate.

On a conceptual level, the Chinese government supports cooperation on cybersecurity with entities such as the United States and European Union (EU). A recently released Chinese policy paper on the EU called on both sides to “facilitate practical cooperation between China and the EU in fighting cyber-crimes, emergency response to cybersecurity incidents and cyber capacity building through platforms such as the China-EU Cyber Taskforce and work together for the formulation of a code of conduct in cyberspace within the UN framework.”2 There have also been numerous attempts at cooperation between various Chinese and American agencies on cybersecurity.

The nature of U.S.-China cybersecurity relations implies that certain forms of cooperation are possible while others are not. Information sharing and other tactics that promote improved communication are the most likely methods to improve this area. The two countries cannot be expected to cooperate in areas of key national security concern or areas that are strictly confined within domestic borders. The Chinese legal system reinforces these notions; for example, the use of foreign encryption is banned.3 An intangible barrier to cooperation is the mutual suspicion and low expectations each side has for the other—many interviewees expressed concern regarding the difficulty of the task.

An Emerging Cyber Priority: The Internet of Things

The Internet of Things (IoT) is an emerging issue in cybersecurity for both the U.S. and China. In the United States, the National Intelligence Council presented the IoT as one of six “Disruptive Civil Technologies…with potential impacts on U.S.
interests out to 2025.”4 National Intelligence Director James Clapper testified recently before the Senate Select Committee on Intelligence, citing the complexity and nature of the IoT as one of the potential cyber threats.5 Concern has been echoed in the private sector as well. Symantec has warned of a new cybersecurity threat that is on the rise due to the spread of the IoT. Cisco estimates that there are over 10 billion connected devices in the world, and the number is expected to reach 50 billion by 2020.6 The expansion of cyberspace, in part due to transition to IPv6 and lowering costs to produce network-ready devices, increases the cybersecurity risk of all connected users.

China has expressed an appreciable degree of interest in the IoT as well. Premier Wen Jiabao has elevated the status of the technology by identifying the IoT as an “emerging strategic industry” and pledged to invest 5 billion Yuan ($800 million) by 2015. The National Development and Reform Commission has also included the IoT in the 12th Five-year plan, and charged the Ministry of Industry and Information Technology to construct the policies that pertain to the development of the IoT.7

The risks that the IoT presents were exposed at the Hack in the Box cybersecurity conference held in April 2013 using a web service called Shodan. The website collects information from more than 500 million web-connected devices, and the conference showed how a variety of devices, ranging from servers and computers to routers, printers, and even home appliances, is prone to external security breaches.8 It must be noted that although this technology may be in its infancy, cyber threats already exist.

Perceptions of Cyberspace3

The Chinese are just as concerned about sovereignty in virtual arenas as they are in physical ones. Cyberspace is seen as a collection of jurisdictions, rather than a common, global space to be jointly used and controlled.
Consequently, although China has demonstrated its willingness to cooperate with the EU on creating a joint task force and a code of conduct, the Chinese government reserves certain rights to itself.9 The Chinese government punishes citizens for online dissent, and has not reciprocated the recent U.S. briefing on cyberwar methods and priorities.

The Chinese government sees its population as especially vulnerable to cyber threats.10 China sees itself as primarily a victim of hacking, which often originates in the U.S. Widespread use of pirated software, sometimes unknowingly, is a major vulnerability since such software lacks protections from hackers.11 Identity theft and malware attacks on computers are common; meanwhile, protective measures on websites are inadequate.12 The rate of increase of internet-connected people in China, who now outnumber the population of the U.S., has outpaced the speed of adoption of proper security measures.

Perceptions of DHS NCCIC

In the Chinese system, security and intelligence functions are both accomplished within the Ministry of State Security. DHS will need to be aware of that dimension as they interact with Chinese colleagues whose starting point in understanding DHS is their own bureaucratic system. In a post-Snowden era, Chinese officials are going to be cautious in interacting with any U.S. government agency. However, given the pervasive involvement of the state in the operations of Chinese companies, this may not be a major obstacle. CNCERT is closely affiliated with the Internet Emergency Response Coordination Office, and, like many ostensibly nongovernmental agencies in China, may act only with at least implicit permission from the government on most issues. If CNCERT projects this state of affairs onto NCCIC, the fact that DHS is a government organization may not mean as much as it would to an American, given that they most likely assume groups taking diplomatic action do so with the blessing of their own government.
3 For more information regarding perceptions of cyberspace among CNCERT’s leadership, see Appendix A.

Key Actors: CNCERT

China’s Computer Emergency Response Team (国家互联网应急中心, CNCERT) plays an important coordination role within China and in its relations with other actors. Founded in 1999, CNCERT works on “building up the national monitoring, warning, emergency response, evaluation and public opinion centers for network security.”13 It produces a weekly English and Chinese language overview of the threat landscape and statistics on how this compares to prior periods. It coordinates relations with other CERTs and with subordinate bodies in China, as seen in its organization chart (Figure 1). One example of ongoing cooperation is with Japanese and Korean CERTs: the three described a recent history of information sharing (including a 24/7 technical hotline) and crisis de-escalation in a statement to the media after their first annual trilateral meeting last August.14

The Chinese version of the site regularly updates a set of articles about international issues in cyberspace. The English version of the website is not quite as extensive, but it is more developed, more frequently updated, and better translated than many comparable Chinese government websites.

CNCERT will most likely toe the party line. Its representatives have been quoted as criticizing the United States for being the biggest host for cyber attacks against China, while also objecting to U.S. reports that China launches a large number of cyber attacks against the U.S.15 It is not a government body, but does not have the autonomy to deviate from official policy lines and expectations.

The Director General of CNCERT is Huang Chengqing, who is also a Vice President of the Internet Society of China (formerly Deputy Secretary, then Secretary General).
As with many Chinese officials in similar positions, he has commented on the hypocrisy of the United States’ condemnation of China for instigating cyber attacks against China given the volume of attacks on China originating from the U.S., warning that his team had “mountains of data” implicating the U.S. in such attacks. However, his words on that occasion were relatively restrained, given his emphasis on practical matters like cooperation over accusation.16

Zhou Yonglin is the Secretary General of CNCERT and its former deputy director. He has participated in efforts to cooperate on cybersecurity with the United States in the past.17 Two of the obstacles he highlighted in discussing this exchange in 2011 were the lack of knowledge about safety in cyberspace among the Chinese public and a language barrier between U.S. and Chinese officials.18 He has spoken out about the number of Chinese websites defaced and the volume of other hacking attacks each year, calling China the most frequent victim of cyber attacks in the world.19

Figure 1: Organizational chart of CNCERT

Other Key Actors

Prevailing Western perceptions hold that China’s policy process is strongly coordinated from the central government. However, China does not have a monolithic, centralized approach to cybersecurity and its policy governance is fragmented regionally and functionally. At least six different entities have input on cybersecurity policy: the Ministry of Public Security, State Encryption Bureau, State Secrets Bureau, Ministry of State Security, Ministry of Industry and Information Technology, and People’s Liberation Army.20 This large number of institutions is indicative of the diversity of perspective across these groups.21 The Ministry of State Security’s Technology Bureau is responsible for drafting computer security policies and largely in charge of the country’s cybersecurity.
The Public Information Network Security Supervision and Info-Communications departments under the Ministry of Public Safety are in charge of investigating cyber crimes. In addition to CNCERT, these branches may prove important Chinese counterparts to begin initial cooperation efforts. As in the United States, those who understand the technology or the policy discussions surrounding this topic vastly outnumber those who understand both.22 In addition, many functional departments have subdivisions that work on cybersecurity within their agency.

China recently created a small leading group on cyber and incident management headed by President Xi. This new group is an effort to centralize Chinese cyber policy and may be the third incarnation of such a body.23

Past U.S.-China Cyber Cooperation

Cyber crime, such as computer and network intrusions as well as identity theft and fraud, is an area where the U.S. and China have already cooperated. For instance, the Federal Bureau of Investigation has worked with law enforcement units in China to arrest consumers and hackers of online personal information.24 In addition, in 2012, Chinese authorities approached U.S. counterparts first while investigating a fraudulent bank scheme that involved a Chinese national in Delaware.25

Fighting cyber crime often involves coordination among multiple governments due to the nature of the offenses committed online, which are not subject to geography, and can threaten the security and interests of many countries. As the Delaware investigation indicates, China is willing to work with the U.S. if it deems doing so beneficial to its interests.

Cooperation between the two governments in fighting future cyber crime can be enhanced by extending—within defined boundaries—the use of common technical specifications. For example, DHS is undertaking a broad effort to advance technical specifications, like STIX and TAXII, that are international in scope and free for public use.
International adoption of STIX and TAXII may promote automated information sharing among computer security incident response teams globally.26

At the multilateral level, Asia Pacific Computer Emergency Response Team (APCERT) has been conducting joint exercises – the Cyber Exercise Drill – to prepare for international cooperation following potential cyber incidents. China has been a part of the annual exercise drills. The drills have asked CERTs from each country to interact during the drills to enhance communication protocols, technical capabilities and incident responses. The drills seek to produce the most practical benefits by taking the format of ‘blind drills.’27

NATO’s Locked Shields exercise may serve as another point of reference. Organized by the Cooperative Cyber Defense Centre of Excellence, the annual defense exercise invites the participation of expert individuals and organizations in both government and the private sector. The exercise assigns participants to six different teams according to expertise and interests.28 Such unique aspects of Locked Shields—inviting the private sector and rotating roles assigned to participants—offer a helpful reference for the U.S. and China when considering joint exercises as a way to engage in practical cooperative cybersecurity.

Considering that the U.S. prefers a multilateral joint cybersecurity exercise, and APCERT’s openness to participation from CERTs of non-Asia Pacific countries, the U.S. and China could join the organization’s annual drills. To date, APCERT has allowed the Organisation of the Islamic Cooperation-Computer Emergency Response Team (OIC-CERT) and the European Government Computer Security Incident Response Teams (CSIRT) to join the drills. The two countries could co-construct key shared objectives that could serve the interests of both governments.
Simulating third-party attempts to breach government networks to disrupt domestic infrastructure may be considered as key themes.

Lessons Learned: Attacks on Government Infrastructure

All nations want to protect their networks and infrastructure from cyber attack. As the global cyber landscape is growing increasingly sophisticated and creative, countries are continually trying to understand the mechanisms, motivations, and strategic contexts behind emerging attacks to better protect themselves. This section examines prominent cyber attacks on government infrastructure and extracts several crosscutting themes. Attack examples were approached from the Chinese perspective with the aim of highlighting areas of shared interest between the U.S. and China concerning attackers, vulnerabilities, and socioeconomic impact.

Shared Global Threats and Challenges

Transnational threats cannot be addressed within borders. In the spring of 2007, Estonia was hit with waves of distributed denial of service (DDoS) attacks that shut down the websites of all its government ministries, two major banks, news outlets, and several political parties. The attacks occurred in conjunction with public rioting in response to the relocation of a Soviet war monument. The Russian diaspora have been cited as the most likely culprits, acting in political protest. Their methods show the extent to which disparate transnational groups can express their grievances against institutional targets. The attackers utilized botnets from all over the world, co-opting computers located in over fifty countries.
The hackers also used weblogs, chat rooms in Russian, and other online platforms to schedule attack activities and disseminate instructions.29

A 2010 article in China Daily indicated that transnational cyber crime is an area where China would like to cooperate with the U.S., but legal and communication obstacles have limited the extent to which this has been possible. Gu Jian, vice-director of the ministry's network security protection bureau, stated, “For example, spreading pornography is a crime in China, but not in the U.S., where child pornography is nevertheless a crime. These differences make it difficult to cooperate in policing these activities.” He further elaborated that there were 13 cases of Internet crime, from fake bank websites to child pornography, for which China sought cooperation that year, but received no or delayed responses from the U.S.30 This kind of anecdote indicates the difficulty the Chinese have had in the past in identifying or communicating with the right U.S. cyber officials.

Increased attack strength and the need to harden vulnerable systems. Globally, DDoS attacks increased 32 percent in 2013, costing millions and straining the structure of the Internet.31 While they have long been a prevalent form of attack, DDoS attacks are becoming more harmful, intelligent, and forceful. A security firm stated that it recently offset an attack that reached 400 gigabytes per second, a force 30 percent larger than the largest attack in 2013.4 As DDoS attacks rely on hijacked and virus-infected computers, it can be argued that the proliferation of botnets should be confronted more broadly and intensely. In particular, U.S.-China discussions can narrow in on technical vulnerabilities of compromised systems. In the latest State of the Internet report by Akamai, both the U.S. and China are among the top originating countries in attack traffic.
The report notes that the originating source identified by IP address does not translate to attribution because anyone from any country can potentially launch attacks from the compromised systems of another country.5 A Chinese official stated in 2010 that eight out of ten computers in China have been controlled by botnets at some point.32 In August 2013, the Chinese .cn domain was forced off the grid for hours due to a DDoS attack. Discourse on how to harden systems to prevent the effects of botnets could benefit both the U.S. and China, as both face DDoS attacks and are propagating sources of them. The issue is particularly relevant as the top areas of Chinese foreign direct investment to the U.S. are IT equipment, software, and IT services.33

4 The March 2013 cyber attack on Spamhaus was branded the largest attack in the history of the Internet.

Attack Patterns

Attacks are often timed with political or social unrest. Shamoon, the 2007 DDoS attacks on Estonia, recent developments in Ukraine and countless other examples indicate that entities must be vigilant regarding the possibility of becoming targets of politically-motivated cyber attacks. This points not only to the importance of government-private partnership in the cyber realm, but also to the need for infrastructure enterprises to keep abreast of their political environment. Areas of political unrest, contentious policy, and other socioeconomic arenas under dispute present moments when disgruntled “hacktivists” are likely to act on their grievances. Examples such as Estonia and, more recently, Ukraine show how cyber attacks are being used as a retaliatory mechanism following a contentious policy decision or political development.

Negotiations are most promising when broader political discourse supports cooperation over conflict. From the reverse perspective, the most promising time to forge discussions is in tandem with broad U.S.-China discourse towards cooperation.
In late March 2014, the Nuclear Security Summit took place at The Hague, presenting a global platform for national leaders to express their national standing on other global issues. One of the developments from the event was President Xi’s pledge towards mutual cooperation with the U.S. in combatting common challenges.34

Shared Imperatives to Cooperate

Cybersecurity is a global challenge within the international political economy. In August 2012, the business and administrative systems of the Saudi Arabian Oil Company (Saudi Aramco) and Qatar’s RasGas were hit by the Shamoon computer virus. Saudi Aramco is the world’s largest energy company, holding nearly 10% of the world’s oil supply, while RasGas is the world’s second largest producer of liquefied natural gas.35 Shamoon demonstrates that the targeted attack of one entity has the potential to shake the underpinnings of the world economy. Fortunately, Shamoon did not penetrate systems governing operations. Had that been the case, any disruption of production would have had an immediate impact on oil supply and prices, leading to far-reaching effects on multiple levels and sectors of the global economy. China and the U.S. are the top oil consumers in the world. Since Shamoon, Saudi Arabian telecommunications companies and Western technology companies have increased efforts to secure Saudi data and systems.

5 The fact that China is frequently the top originating country of global attack traffic can indicate that the country has a higher prevalence of compromised systems.

China is now recognizing the importance of international cybersecurity cooperation. Rapid international response enabled the Estonian government to combat the attacks. The government’s CERT relied on assistance from its Finnish, German, Israeli and Slovenian CERT counterparts to restore normal network operations.
NATO CERTs and the EU’s European Network and Information Security Agency (ENISA) also supported Estonia by providing technical assessments and other assistance during the attacks.36 International cooperation, along with cooperation with private sector banks and Internet providers, was essential to strengthening Estonia’s cyber infrastructure, for example to incrementally increase its throughput capacity.37 Notably, the international responses to aid Estonia happened within established security communities and strong transnational relationships. China refrained from involvement, viewing the incidents as an internal matter of Estonia, and also did not take part in the international cybersecurity discussions that followed.38 However, China’s stance is changing, as evidenced by recent high-level discourse and policy approaches calling for renewed cooperation with entities such as the U.S. and European Union.39 Analysts stated that this new direction is intended to boost Chinese capabilities and hamper notions of a “China threat.”40 International cooperation and preparedness are now on the Chinese cyber agenda to advance its strategic interests in technology development, global reputation, and economic growth.

Proposed Infrastructure Sectors for Cooperation

The previous sections provided background information, tools, and themes for negotiating with China’s cybersecurity counterparts. The second area of focus drills down into tangible areas for information sharing and coordination. The following section details three infrastructure areas where cybersecurity cooperation is most promising and beneficial to U.S.-China shared interests: Financial Services, Commercial Port Security, and Civilian Nuclear Energy. Each sector examines five categories of research: Sector Priorities, Past and Potential Attack Examples, Shared Vulnerabilities, Chinese Partners and Key Actors, and Recommendations.
Cooperation in Financial Systems

Sector Priorities

The soundness, efficiency and stability of securities markets rely on the quality of information provided and the robustness of the supporting technological infrastructure. In recent years, cybersecurity in relation to financial markets, both domestically and internationally, has become a top priority. The cornerstone of financial services is the maintenance of trust. The industry is built upon trust with clients, trust between firms, and trust to ensure the proper function of markets, executions of transactions and protection of information. Any loss or integrity failure in financial infrastructure could impact a national economy in significant ways, including the loss of credit and liquidity to the marketplace, and the loss of confidence in the operational effectiveness of the marketplace, which would impact other critical infrastructures.

Examples of Past or Potential Attacks

In recent years, cyber attacks on the financial services sector have been increasingly prevalent. In 2012, some of the largest banks in the United States came under cyber attack.41 In 2012 alone, 53% of securities exchanges around the world experienced a cyber attack.42 In 2013, cyber attacks brought down systems and some of South Korea’s major banks, paralyzing bank machines across the country.43 Operation High Roller, discovered in 2012, siphoned up to $2.5 billion from bank accounts in Europe, the U.S. and Latin America.44 Numerous stock exchanges around the world have faced DDoS cyber attacks, which in some cases have forced trading to halt for brief periods. It is estimated that 60% of cyber crime occurring in China is finance-related. Some Chinese banks are subject to extortion by cyber criminals, including third party actors from Eastern Europe.45

Shared Vulnerabilities

The economic and financial interdependence between China and the U.S. is remarkable. China owns nearly 1.3 trillion dollars of U.S. treasury bonds. The U.S.
is also one of China’s largest trading partners, with trading between the two nations reaching over half a trillion dollars each year.

Furthermore, financial market operations centered in the United States are increasingly electronically connected around the world. The SWIFT interbank system and the U.S. CHIPS system process trillions of dollars of payments daily. With China’s increasingly globalized economy, China has strong incentives to ensure the stability of these systems. Equally important, the impacts of financial events sometimes cannot be contained regionally (for example, the Global Financial Crisis in 2008 and the Southeast Asian Crisis in 1998). Cyber attacks on the complex and interdependent global financial system could damage the orderly functioning of the global economy and undermine investor confidence. Given this interdependence, both countries have a significant stake in ensuring the stability and safety of the other’s financial cybersecurity and have important incentives to share information regarding threats from third-party malicious actors such as rogue states, terrorist groups, and the like.

The majority of interviewees agreed that the financial sector serves as the platform with one of the greatest opportunities for cybersecurity cooperation between the U.S. and China. However, these interviewees also believed that the most effective and sustainable mechanism for encouraging such cooperation has yet to be identified. The remainder of this section identifies several approaches designed to spur cooperation.

Chinese Counterparts and Key Actors

The U.S. must work with a number of Chinese entities in order to prevent and mitigate cyber attacks on financial networks. The three main partners should be the China Securities Regulatory Commission (中国证券监督管理委员会), the China Banking Regulatory Commission (中国银行业监督管理委员会), and the People’s Bank of China (中国人民银行).
The relevant sectors in the Chinese financial system are securities exchanges, clearinghouses, and large banks.

Recommendations

Information sharing. China and the U.S. should begin cooperating on several areas related to financial cybersecurity—identifying threats, establishing processes for disseminating information, coordinating crisis responses, and improving abilities in detecting and forecasting threats. The timely sharing of threat information is critical in developing and deploying protective measures against malicious cyber activity. Gaps or lags in information sharing and analysis necessitate that the industry deploy faster and more effective electronic tools for detection and intelligence collection in relation to security attacks and incidents. In particular, there is an increased need for capabilities to assimilate multiple sources of threat data to better identify threat activity and produce threat profile identification, which might be difficult to obtain. The U.S. and Chinese governments should create a formal system to cooperate against cyber attacks, but as this might take time (as there would be initial sensitivity to establishing this system), it would be best to encourage the big banks and financial exchanges in each country to start sharing information first. Interviewees expressed concern surrounding information sharing and U.S. privacy laws. They recommended that the focus of information sharing be directed toward information involving globalized financial utilities such as financial exchanges and clearinghouses.

Defending against third parties. China undoubtedly has an independent incentive in U.S. financial cybersecurity, as it has invested a great deal of capital in the U.S. and the global financial system. It would therefore be in China’s best interest to cooperate with the U.S. in preventing other countries, such as Iran, from damaging the U.S. financial system.
Agree that certain areas are sacred. The governments of the U.S., China, and other nations should find ways to cooperate and agree to maintain the sanctity of certain critical infrastructure in the financial sector, therefore implicitly discouraging these areas of infrastructure from becoming targets of attack. In the financial services sector, the important prohibitions would be no probing, surveillance, or malicious activity by governments or government entities against this infrastructure. Again, the two most relevant areas of infrastructure are exchanges and clearinghouses. Not only are these infrastructures extremely important, but there is nothing to be gained by governments from attacking them. Cooperation between states will make it easier for them to target non-state actors wishing to cause damage or steal money in these areas.

Cooperation in Commercial Port Security

Sector Priorities

Global commerce is an essential and growing part of the vitality of every nation’s economy. A large portion of this commerce flows by sea as companies rely on tightly-scheduled exports and imports to feed their increasingly globally-derived supply chains. Today, China has seven of the world’s ten largest commercial shipping ports by volume,46 and its commercial ties with the United States are deep and growing, exporting some $440 billion worth of goods and services to America in 2013.47 China is the world’s largest exporter of containerized cargo and is the second largest importer after the United States.

Large commercial shipping ports are growing exponentially around the world, and their operations managers, along with international logistics companies, are increasingly turning to automated technologies such as radio-frequency identification (RFID) scanners, Supervisory Control and Data Acquisition (SCADA) systems, and scanned employee ID badges to streamline security while dealing with the volume of traffic.
These technological measures are necessary to maintain the high operations tempo at larger ports, but also present cyber vulnerabilities.

Examples of Past or Potential Attacks

In May 2013, Europol broke up a ring of hackers that had been hired by organized crime syndicates to infiltrate the logistics software6 in two companies running the port of Antwerp in Belgium. For almost two years, these hackers were able to track containers, enabling the crime group to smuggle cocaine from South America to Europe. The hackers then accessed the release codes that allowed individual trucks to come collect them at the port before port officials discovered their contents.48

Cyber attacks are not limited to European ports. Five out of seven of the largest commercial container ports in the United States report receiving daily attempts by hackers to access their networks, including brute force attacks and “cyber storms” caused by hackers using DDoS or other high-volume attack methods.49 It is unlikely that Chinese ports have been excluded from similar types of cyber probing or attacks. While the Chinese government claims that China is the “biggest victim” of cyber attacks,50 due to heavy internet regulation and censorship, detailed reports of specific cyber attacks on Chinese public or private entities are hard to find.

Shared Vulnerabilities

The Chinese government has at least three compelling reasons to want to initiate and maintain some form of cyber cooperation with the United States vis-à-vis commercial port cybersecurity:

Economic costs. The potential consequences of even a minimal disruption in the flow of goods between the U.S. and China would be high and would have ripple effects for the global supply chain.
For example, if there were a serious cyber attack on a major Chinese port, the zero-inventory, just-in-time flow of goods that sustains commerce in the U.S. would halt, and, depending on which port is attacked and for how long, there would be major impacts for China’s export-driven economy as traffic is re-routed to other ports, creating delays. China and the U.S. jointly have a $440 billion reason to work together to prevent this kind of disruption to trade.

6 The hackers were able to infiltrate the logistic companies’ software via KVM attacks to include keyloggers disguised as USB keyboard port converters, and miniature PCs hidden inside power strips, allowing them access to the release codes that allowed containers to be collected by authorized firms.

Personnel vulnerabilities at the operational level and systemic security issues. Chinese and U.S. ports use similar industrial control systems (ICS) to manage their day-to-day operations. Regardless of whether the software for these systems originates in China, the U.S., or elsewhere, Chinese and American ports are also made vulnerable by the staff accessing and running these systems daily. According to some experts, the average level of Chinese cybersecurity awareness is well below that of the United States, especially outside larger cities.51 This leads to the possibility that, as in U.S. ports, the staff running Chinese ports may not possess a comprehensive understanding or even awareness of the potential harm from common cyber threats to their port operations networks. The cost of sharing information, for example against third-party threats such as organized crime elements, and discussing best practices such as how to conduct thorough port cyber vulnerability assessments, is relatively low compared to what the costs of a successful cyber attack could be.

Landlord ports.
Many of the larger ports in the United States contain a commercial port facility that may include areas leased to “tenants” who are leasing space but have no role in the port’s overall management. These tenants often have access to the SCADA systems or other logistics software that are used to run the port, but are not subject to the same IT oversight that is required of the port “landlord” staff. This introduces a cyber vulnerability, as landlord ports often have little awareness of what systems are being run by their tenants, whether these tenant systems are being networked to larger port systems, or what cybersecurity measures tenants may or may not have in place. While operation of Chinese ports tends to fall under the purview of the local municipal government or other government-related holding companies, many also have tenant operators that are non-government affiliated and thus may share similar vulnerabilities.

Chinese Counterparts and Key Actors

It will be necessary for the U.S. to reach out to several Chinese government bodies concurrently in order to achieve the level of hierarchical approval needed to move beyond simply talking about cyber cooperation on commercial port security. The entity that most closely mirrors DHS’s administration of ports is the China Maritime Safety Administration (中华人民共和国海事局), which is subordinate to the Ministry of Transport, but separate from the Chinese Coast Guard (CCG), which deals with maritime law enforcement and policing. A secondary counterpart that mirrors DHS’s investigative arm of Immigration and Customs Enforcement (ICE) is the Chinese General Administration of Customs (GAC, 海关总署). The GAC is responsible for duty and excise collection, customs control, countering smuggling, and port management, among other responsibilities.
Lastly, it would be ideal to ensure inclusion of some element of the Chinese Foreign Ministry from the beginning, as it is one of the main policy making organizations in the Chinese government and its acceptance is critical to ensuring that any agreement will be implemented by the Chinese side. All three Chinese government elements would likely be interested in being present at any potential dialogue with the United States regarding cyber cooperation over commercial port security.

Recommendations

Short-term: Information sharing. China and the U.S. should begin cooperating on shared vulnerabilities with respect to third-party cyber threats such as organized crime, terrorism, or human trafficking. Information sharing represents the lowest rung of potential future cooperation on commercial port cybersecurity matters and does not need to involve allowing the other side access to port networks, which should help alleviate respective national security concerns. It can be as informal as U.S. Customs and Border Patrol (CBP) or ICE agents – who are already present at several of the Chinese ports included in the DHS Container Security Initiative (CSI) – passing along information to Chinese port officials. While the CBP and ICE officials may not be expert in technical aspects of cybersecurity for critical infrastructure, this informal mechanism could serve as an “early warning” notice of recent trends in cyber attacks, contextualized to the port security environment.7 Timely and routine sharing of third-party threat information is critical to developing and maintaining situational awareness of cyber threats as well as developing protective measures. However, in order to get discussions started it is sometimes helpful to delineate what is not being discussed. Both sides should agree up front which areas of port cybersecurity will not be discussed.
Many ports are dual-use military and civilian installations and are therefore considered important assets of national security. Given the recent accusations of cyber espionage on both sides, focusing on third-party threats to commercial interests is likely to be the least contentious way to move discussions forward and may be better received by the Chinese if presented as sharing information on “cyber crime” threats rather than “cyber attacks,” which many Chinese view as having a military connotation.

Short- to Medium-Term: Exchange of Best Practices. In addition to information sharing, Chinese and U.S. counterparts should discuss and exchange general best practices in commercial port cybersecurity, such as how to conduct thorough port cyber vulnerability assessments, how to develop a port cyber incident response plan, or lessons learned for training port operations personnel. This can be conducted concurrently with information sharing on third-party threats or could also take place between higher echelon counterparts after a lower-level working group has been established. Limiting discussions to general best practices should preclude any domestic national security arguments and provide each side with a better sense that their counterparts are able to safeguard the networks of their commercial ports on which so much of our combined trade depends.

Medium- to Long-Term: Joint Proposal to Amend IMO International Port Security Standards. Should these information sharing and other forums develop into long-standing bilateral dialogues, China and the United States have the leverage as the world’s largest commercial exporter and importer to work towards jointly revising international port security codes as set forth by the International Maritime Organization (IMO) to include cybersecurity measures.
NCCIC and their Chinese counterparts could be called on to play advisory roles in drafting the joint international port cyber standards, based on the practical experience they might have developed through cooperation with each other.

7 Current Chinese ports that participate in the CSI are Hong Kong, Shanghai and Shenzhen, which together account for approximately 70% of Chinese goods being shipped to the U.S. http://www.dhs.gov/container-security-initiative-ports

Cooperation in Civilian Nuclear Energy

Sector Priorities

The DHS and its bodies, US-CERT and ICS-CERT, are well positioned to take advantage of an opportunity for cooperation with their Chinese counterparts on nuclear energy system safety and security. Vulnerabilities in ICS and SCADA systems that control power generation and waste and water management present an urgent need for cooperation to ensure information security within the civilian nuclear energy sector and its associated industries.

The Chinese civilian nuclear energy industry is currently experiencing accelerated growth. In an effort to reduce the environmental pollution produced by its reliance on fossil fuels, China is quickly developing its nuclear energy industry and has become largely self-sufficient in reactor design and construction. At present, China operates 20 nuclear reactors, with 28 under construction and even more to be built. China also plans to export its nuclear reactor construction and operation services. In 2013, Chinese nuclear energy companies, in partnership with French nuclear giants EDF and Areva, signed letters of intent to build a nuclear reactor in the United Kingdom.

This nuclear energy boom naturally coincides with a massive investment in China’s smart grid infrastructure. That investment will drive the growth of China’s SCADA acquisition from $3 billion to $20 billion by 2020.
In 2013, China out-spent the United States in smart-grid technology for the first time. China’s smart grid development strategy requires less of an investment in new technologies and focuses instead on “better communication, coordination, and incentives for consumers, power suppliers, and government agencies.”52 While this will enable China to achieve its smart grid objectives with relative speed, the ICS and SCADA systems associated with a newly networked smart grid remain vulnerable to zero-day attacks and other cyber vulnerabilities.

In conjunction with this growing Chinese investment in civilian nuclear energy, cyber vulnerabilities in nuclear security are a growing topic of concern for the international community, the United States, and China. The Nuclear Security Summit 2014, at which China pledged its commitment to international cooperation in nuclear security, gave nuclear cybersecurity unprecedented prominence in its final communiqué, stating: “We recognise the growing importance of information security, including information held on computer systems, related to nuclear material and technology.”53 The communiqué further emphasized the necessity for government, industry, and academia to coordinate cooperation in these areas.

President Xi Jinping’s speech at NSS 2014 illustrates China’s immediate and long-term concerns for nuclear security and safety. While President Obama and President Xi avoided the subject of nuclear security during their meeting at NSS 2014, Xi took the opportunity to give a speech on China’s approach to nuclear security and his vision for international cooperation in nuclear security. Chinese media reports that the speech comprised four major points for nuclear security: “President Xi suggested that to enhance nuclear security, the world should place equal emphasis on development and security, rights and obligations, independent and collaborative efforts, as well as on treating symptoms and addressing causes.
[emphasis added]”54

Examples of Past or Potential Attacks

As mentioned in the paragraphs above, China’s efforts to expand its nuclear energy industry and implement its $20 billion smart-grid strategy leave its nuclear energy infrastructure open to a host of known and zero-day vulnerabilities. For example, Stuxnet specifically targeted ICS and SCADA systems, exploiting zero-day vulnerabilities in Windows OS and Siemens software running on Windows OS. Shamoon is another example of malware exploiting zero-day vulnerabilities in the energy industry. In September 2011, it was revealed that Areva, the French nuclear giant, was targeted in a cyber attack that may have lasted up to two years. While little information has been made public regarding the perpetrators, intent, and extent of the penetration, after the attack other nuclear energy companies began partnering with American cybersecurity firms to harden their cyber defenses.

Shared Vulnerabilities

ICS and SCADA systems present a large target to malicious actors because of the ubiquity of the software (such as Windows OS) and hardware (produced by a number of international suppliers such as Siemens) used by the U.S. and Chinese energy and infrastructure suppliers. In addition, ICS and SCADA suppliers have had few incentives to harden their products against the possibility of cyber attack, while operators often lack the training, expertise, and ability to protect themselves from attack or detect an attack once underway. As older, un-networked SCADA systems come online to the “smart grid,” they are often vulnerable to cyber attack because of unsecured or easily hacked network connection methods. These vulnerabilities could lead to a Stuxnet-like attack on the U.S. or Chinese nuclear energy sectors, or a less obvious attack that could delay or cripple the countries’ energy supply or waste and water treatment.
The impact of a cyber attack on civilian nuclear energy facilities from malicious third party actors could have wide-reaching environmental and economic effects, in addition to threatening energy security for the U.S., China, and their energy clients.

Chinese Counterparts and Key Actors

The China Atomic Energy Authority (CAEA) (国家原子能机构) oversees Chinese nuclear energy administration, and is directly under the China National Nuclear Corporation Commission of Science, Technology and Industry for National Defense. This organization is China’s representative to the International Atomic Energy Agency.

The National Nuclear Safety Administration (NNSA) (国家核安全局) under the CAEA was set up in 1984 and is the licensing and regulatory body that also maintains international agreements regarding safety. The NNSA reports to the State Council directly, but is perceived to be insufficiently independent of the CAEA, which plans new capacity and approves feasibility studies for new plants. The NNSA also works closely with the U.S. Nuclear Regulatory Commission in relation to U.S.-designed nuclear reactor technologies.

Given the CAEA and NNSA’s working history with U.S. agencies such as the Department of Energy, the Department of Defense, and the Nuclear Regulatory Commission, these agencies appear to be appropriate and committed partners to U.S.-China energy security cooperation.

Recommendations8

Initiate cyber cooperation in civilian nuclear energy and its related infrastructures with the CAEA. It is critical that the United States work with China to ensure the safety of its own domestic reactor facilities and components, as well as to prevent illegal proliferation. Intellectual property theft and nuclear terrorism are also important areas of discussion. As China develops its own nuclear power capabilities, it intends to export its reactor designs and construction as well as supply chain components, creating a deeper urgency for cooperation.
At this stage, cooperation would entail dialogue between the CAEA, its American governmental agency partners and DHS, and will likely involve the Ministry of Foreign Affairs for the reasons enumerated in the Recommendations for Commercial Port Security. The discussion could initially be limited to sharing industry best practices, information concerning third-party threats, and the possibilities for hardening ICS and SCADA systems against cyber attack.

Medium- to long-term cooperation: Cooperation with the China-U.S. Center of Excellence in Nuclear Security.

The Center of Excellence could be a potential mechanism for U.S.-China nuclear cybersecurity cooperation. The Center of Excellence is currently under construction in Beijing, with a projected opening in 2015.[55] Administered by the CAEA and built with funds from China and the U.S., the Center of Excellence will serve as a training center for all aspects of nuclear security. The CAEA will be working with the Department of Energy and the semiautonomous body under it, the National Nuclear Security Authority, as well as the Department of Defense, in building and implementing the Center’s mission. From the initial press release:

The Center will serve as a forum for exchanging technical information, sharing best practices, developing training courses, and promoting technical collaborations that will enhance nuclear security in China and throughout Asia. It will also help meet the training needs for China’s expanding nuclear sector and promote nuclear security best practices throughout the region.[56]

The Center of Excellence arose out of the first Nuclear Security Summit in 2010, when President Hu Jintao agreed to build the center to strengthen international nuclear security cooperation. In addition to the mission above, the center:

…will enable the training of nuclear site personnel on measurements and accounting of nuclear material and on the design and installation of nuclear material security systems.
It will also have the capability to train protective force personnel using scenario-driven response exercises and give hands-on training on international nuclear safeguards requirements and inspection techniques.[57]

It is important to note that cybersecurity cooperation has not been specifically enumerated as part of the Center’s mission guideline. DHS should work with the Center to establish training programs and exchanges of expertise, and serve as the conduit for communicating and coordinating defenses against cyber attacks on civilian nuclear energy facilities and their related infrastructure. The dedicated nature of the Center of Excellence as a regional hub for Asia-Pacific nuclear security will allow it to act as a force multiplier and may lead to the development of real-time cyber threat monitoring tools for Asia-Pacific nations committed to nuclear safety and security.

Footnote 8: This section of the report does not consider either the American or Chinese military applications of nuclear cybersecurity, as we tried to preclude the military aspect from our research and recommendations for the sake of greater feasibility of cooperation. It is worth noting that China maintains a limited stockpile of nuclear weapons consistent with its doctrine of defensive use, and is unlikely to consider bilateral or multilateral nuclear arms reduction talks or agreements without further commitments in that regard from the U.S. and Russia.

Conclusion

The issue of cybersecurity between China and the United States has been heavily discussed due to its criticality in maintaining the stability of each country’s respective economies and cultures. As China and the United States are increasingly interconnected and interdependent in many ways, it is crucial that the two states maximize their potential in securing their cyber networks by cooperating and working toward mutual goals.
China’s current recognition of the importance of international cooperation in cyber realms provides the impetus for a partnership based on mutual respect and mutual benefit. Our team proposed three specific areas that are minimally contentious in terms of national security with the highest incentives for cooperation – namely, protecting financial systems, commercial ports, and civilian nuclear energy systems from third-party threats.

Despite evident barriers, identifying mutually beneficial and non-threatening areas that do not endanger national security interests would help facilitate cooperation between the U.S. and China. Cyber crime, third-party threats, and the Internet of Things may serve as such areas. Cooperating in such areas requires the two governments to engage in confidence building that runs parallel with limited information sharing. As a gradual, incremental measure, joint cybersecurity exercises might also be helpful.

As the U.S. is seen as being in a position to take the initiative in building cyber cooperation with China, it is important that the U.S. understands China’s cybersecurity agenda and is able to offer benefits in exchange for China’s cooperation. Future dialogue and cooperation between the U.S. and China will improve mutual understanding in challenging key technical, economic, and strategic areas, clarify national and industrial perspectives, and lead to the sharing of ideas on how to improve the domestic and global management of cyberspace.

Appendices

Appendix A: Chinese Perceptions of Internet Information Access and Usage

When CNCERT Director General Huang Chengqing was asked about Chinese theft of U.S. weapons systems blueprints, his response was described in Reuters: “Huang did not deny the report, but suggested that if the U.S. government wants to keep weapons programs secure, it should not allow them to be accessed online.
“Even following the general principle of secret-keeping, it should not have been linked to the Internet,” Huang said.”[58]

Appendix B: List of Experts Interviewed

Interviewee | Title | Organization
Hartnett, Daniel | Research Scientist, China Division | Center for Naval Analyses
Kramek, Joseph** | Commander, United States Coast Guard | U.S. Coast Guard, Vice Congressional Affairs
Nathan, Andrew | Class of 1919 Professor of Political Science | Columbia University
Schimmeck, Karl | Vice President of Financial Services Operations | Securities Industry and Financial Markets Association (SIFMA)
Schneider, Roxane | Program Manager, Fraud Reduction | Financial Services Roundtable
Schutzer, Daniel | Chief Technology Officer | Financial Services Roundtable
Studeman, Michael** | Captain, United States Navy | Chief of Naval Operations Staff
Swaine, Michael | Senior Associate | Carnegie Endowment for International Peace
Tishuk, Brian | Executive Director | Chicago First
Wagner, Abraham | Adjunct Professor | Columbia University School of International and Public Affairs

** CDR Kramek and CAPT Studeman were interviewed in their capacity as private citizens with experience in maritime security and cyber issues. Their views are their own and do not represent that of the United States Government.

Note: Four interviewees expressed a desire to remain anonymous, and we have omitted their names from the report.

Authors’ Contact Information

Ian Adelson, Mellissa Ahmed, Vivian Coyne, Han Lim, Zhifan Jia, L.C. Paisley, Kim Truong

Endnotes

1 “China and Cybersecurity: Political, Economic, and Strategic Dimensions: Report from Workshops held at the University of California, San Diego,” Institute on Global Conflict and Cooperation (IGCC), April 2012.
2 “China’s Policy Paper on the EU: Deepen the China-EU Comprehensive Strategic Partnership for Mutual Benefit and Win-win Cooperation.” Xinhua, 2 April 2014.
3 IGCC, 16.
4 “Disruptive Civil Technologies-Six Technologies with potential impacts on US interests Out to 2025,” National Intelligence Council, April 2008.
5 Eric Chabrow, “Gauging ‘Internet of Things’ Risk,” GovInfoSecurity, February 7, 2014.
6 “The Internet of Things: New Threats Emerge in a Connected World,” Symantec Analyst Relations, January 23, 2014.
7 Internet Security Issue, Korea Internet & Security Agency, September 2012.
8 Cyber Security Issue, Korea Internet & Security Agency, February 2014.
9 “China’s Policy Paper on the EU”
10 Need citation and precise language.
11 IGCC, 2.
12 IGCC, 4.
13 “About us,” CNCERT, 2013.
14 “JOINT STATEMENT BY CNCERT/CC, JPCERT/CC and KrCERT/CC on The First China-Japan-Korea CSIRT Annual Meeting for Cybersecurity Incident Response,” CNCERT/CC, JPCERT/CC and KrCERT/CC, 9 August 2013.
15 “Hack attacks mainly come from US IPs: CNCERT,” Global Times, 8 February 2013.
16 “China is victim of hacking attacks,” China Daily, 5 June 2013.
17 “网络安全工作委员会周勇林:与国外共享经验,”腾讯科技, 24 July 2011.
18 Ibid.
19 “周勇林:2011 年我国被篡改网站数量超 3.6 万个,”搜狐 IT, 20 March 2012.
20 Adam Segal, “China’s New Small Leading Group on Cybersecurity and Internet Management,” Council on Foreign Relations, 27 February 2014.
21 IGCC, 2.
22 IGCC, 5.
23 IGCC, 5.
24 Dune Lawrence, “FBI Teams with China to Nab Alleged Hackers,” Bloomberg Businessweek, January 27, 2014.
25 “With phony bank scheme, fake products in China reach new heights,” The Associated Press, June 18, 2012.
26 Barnum, Sean. Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX). The MITRE Corporation. 20 Feb. 2014.
27 “APCERT Embarks on Global Coordination to Counter Cyber-Ops,” Asia Pacific Computer Emergency Response Team, February 19, 2014.
28 “Locked Shields,” NATO Cooperative Cyber Defense Centre of Excellence.
29 Richards, Jason. "Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security." International Affairs Review. The Elliott School of International Affairs, The George Washington University, n.d. Web. 02 Apr. 2014.
30 Wang, Jingqiong. "Internet Policing Hinges on Transnational Cyber Crime." Internet Policing Hinges on Transnational Cyber Crime. China Daily, 10 Nov. 2010. Web. 03 Apr. 2014.
31 Apps, Peter. "DDoS Cyber Attacks Get Bigger, Smarter, More Damaging." Reuters. Thomson Reuters, 05 Mar. 2014. Web. 03 Apr. 2014.
32 Wang.
33 Hanemann, Thilo, and Daniel H. Rosen. San Francisco, CA: Asia Society and Rhodium Group, Apr. 2014. PDF.
34 Holland, Steve, and Jeff Mason. "Obama, China's Xi Pledge Cooperation and Joke about First Lady." Reuters. Thomson Reuters, 24 Mar. 2014. Web. 03 Apr. 2014.
35 Reed, Stanley. "The World's Most Influential Companies." Businessweek.com. Bloomberg, n.d. Web. 03 Apr. 2014.
36 Herzog, Stephen. "Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses." Journal of Strategic Security 4, no. 2 (2011): 49-60.
37 Kash, Wyatt. "Lessons from the Cyber attacks on Estonia." GCN, 13 June 2008. Web. 03 Apr. 2014.
38 Herzog.
39 "Full Text of China's Policy Paper on the EU - Xinhua." English.news.cn. N.p., 4 Apr. 2014. Web. 06 Apr. 2014.
40 Zhang, Hong. "China to Work with EU on Cybersecurity as Xi Wraps up Europe Tour." South China Morning Post, 4 Apr. 2014. Web. 6 Apr. 2014.
41 Ellen Nakashima, “U.S. rallied 120 nations in response to 2012 cyber attack on American banks.” Washington Post, April 11, 2014.
42 “Cyber-crime, securities markets and systemic risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges, July 2013.
43 “Cyber attack hits South Korean banks, TV networks.” Associated Press, March 20, 2013.
44 Michael Kelley, “Operation High Roller,” Business Insider, June 28, 2012.
45 Yao-Chung Chang, “Cyber crime in the Greater China Region,” Edward Elgar Publishing, Jan 1, 2012.
46 "World Shipping Council - Partners in Trade." Top 50 World Container Ports. World Shipping Council, 19 Aug. 2014. Web. 12 Feb. 2014.
47 "Foreign Trade." U.S. Trade with China. U.S. Census Bureau, n.d. Web. 12 Feb. 2014.
48 Dunn, John E. "Hackers Planted Remote Devices to Smuggle Drugs through Antwerp Port, Europol Reveals." TechWorld RSS. Techworld, 16 Oct. 2013. Web. 14 Feb. 2014.
49 Kramek, Joseph. "The Critical Infrastructure Gap: U.S. Port Facilities and Cyber Vulnerabilities." The Brookings Institution. Brookings, July 2013. Web. 14 Feb. 2014.
50 "China 'biggest Victim' of Cyber Attacks." People's Daily Online. People's Daily, 25 Oct. 2010. Web. 30 Mar. 2014.
51 Phone interview with Daniel Hartnett, Research Scientist in the China Studies Division, Center for Naval Analyses, 28 Mar. 2014.
52 Liu, Kexin. “Wising Up: Smart Grid as New Opening for U.S. China Energy Cooperation.” China Environment Forum, Woodrow Wilson Center for International Scholars. Web. Aug. 2009.
53 “The Hague Nuclear Security Summit Communiqué.” The European Union Council, Nuclear Security Summit 2014, The Hague. 8193/14. Web. 25 Mar. 2014.
54 Yu, Lintao. “Nuclear Philosophy.” Beijing Review, No. 14 3 April 2014. Web. 31 March 2014.
55 “China-U.S. Nuclear Security Center Opens Next Year.” CCTV. Web. 24 Mar. 2014.
56 “U.S., China Sign Agreement to Establish Center of Excellence on Nuclear Security.” Press Release, National Nuclear Security Administration. 19 Jan 2011. Web. 30 Mar. 2014.
57 Ibid.
58 “China has 'mountains of data' about U.S. cyber attacks: official.” Reuters, 5 Jun 2013, Beijing. Web. 25 Mar. 2014.