Is it time to kick China where it hurts?

Mounting evidence points to China as our biggest cybersecurity threat. But is there really anything we can do about it?

A few months back, CSO Publisher Bob Bragdon wrote a column saying it was time to stop pussyfooting and acknowledge more directly that China is a cybersecurity menace in need of a tough response.

He wrote at the time:

We dance around this issue because we don't want to make China mad. God forbid. This is cowardly appeasement. It's like not wanting to say anything to the schoolyard bully who steals your lunch money every day.

I understand the whole issue of economic expediency. Why aggravate China? It's a huge trading partner. But if that was a legitimate argument, wouldn't China be asking itself that same question? Why aggravate the United States? It's a huge trading partner!

I do not accept the argument. We know that if a business opens an office in China, it's going to lose whatever intellectual property it has there. We know that when we send our executives to China, the Chinese government will be pilfering their laptops and cell phones. If that wasn't the case, then why would we give our execs throwaway phones and laptops? (And if you aren't doing that, we should probably talk.) The threat is real, and it's about time we do something about it.

I couldn't help but think of those words this morning as I read a Brian Krebs story about Chinese hackers breaking into the systems of energy industry giant Telvent.

Krebs reported:

A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.

Krebs said letters were sent to customers of Telvent Canada Ltd. saying that on Sept. 10 it learned of a breach of its internal firewall and security systems. "Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings -- OASyS SCADA -- a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies," Krebs wrote.

The incident offers a glimpse of what future cyber battles will look like, with enemies taking down large portions of our infrastructure by hacking vulnerabilities in the computer systems attached to such things as the power grids. It's a threat we've covered a lot in recent months.


On the surface, it's easy to say we need to be tough toward China. We need to hit the communist regime where it hurts. Ironically for a communist government, the best pain point is its economy. Maybe it's time for some economic sanctions and, in the spirit of giving back, some of our own hack attacks on their systems.

Fair is fair, right?

The problem is that it's easy to talk tough toward China. Taking effective actions is another matter. This isn't our granddads' battlefield, where the enemy could be identified by its uniforms and insignias. Today, it's hard to distinguish government-sanctioned cyberattacks from the actions of rogue groups with no ties to their government.

You can't shoot someone you can't clearly see. Well, you can, but it usually results in a friend taking the bullet in the shoulder.

Until we come up with better ways to track attacks back to their source, the best thing companies and government agencies can do is mount a more effective defense.

These entities can't prevent every attack, but we've seen plenty of evidence that they can do better at closing security holes than they have to date. If we can find and fix the vulnerabilities and add more layers to our security programs, we can at least make it harder for China's hackers to succeed.

That's better than nothing.

Copyright © 2012 IDG Communications, Inc.
