Report: U.S. vulnerable to Chinese cyber espionage

China is actively conducting cyber espionage as a warfare strategy and has targeted U.S. government and commercial computers, according to a new report from the U.S.-China Economic and Security Review Commission.

"China's current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts," according to the annual report (PDF) delivered to Congress on Thursday.

The report cites news articles and testimony from U.S. officials like Col. Gary McAlum, chief of staff for the U.S. Strategic Command's Joint Task Force for Global Network Operations. It concludes that Chinese cyber attacks, authoritarian rule, and trade violations are impediments to U.S. economic and national security interests.

A spokesman for the Chinese foreign ministry, Qin Gang, said the report was misleading, impeding cooperation between the U.S. and China, and "unworthy of rebuttal," according to an article published late Monday in Secure Computing Magazine.

China is targeting government and private computers in the U.S., including systems operated by the biggest U.S. defense contractors, according to the report, which cited news articles. In 2005, hackers from China nabbed NASA files on the propulsion system, solar panels, and fuel tanks, and an aviation mission planning system for Army helicopters and Army and Navy flight planning software were stolen from the Army Aviation and Missile Command at Redstone Arsenal in Alabama, the report said.

China can access an unclassified U.S. military network called the NIPRNet (Non-secure Internet Protocol Router Network) and "views is as a significant Achilles' heel and as an important target of its asymmetric capability," according to the report. This "gives China the potential capability to delay or disrupt U.S. forces without physically engaging them--and in ways it lacks the capability to do conventionally."

The U.S. government also is at risk as a result of the global computer supply chain, the commission said. Computer components used by the U.S. and manufactured in China are "vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation," the report said. Hundreds of counterfeit routers made in China were found in systems throughout the Defense Department, it said.

The Chinese government is training citizens in cyber operations at military academies, and tolerates, or even encourages, actions taken by an estimated 250 hacker groups there, the report said.

Chinese military officials believe the U.S. is doing cyber espionage against China, and believe that by striking first with a cyber attack they can plant misinformation and hide their tracks, according to the report.

U.S. officials and lawmakers have complained about specific incidences where they believed Chinese representatives breached their systems. This summer, two congressmen who have been longtime critics of China's human rights record accused China of compromising computers that had information related to political dissidents. In the spring, government sources told the Associated Press that they were looking into allegations that Chinese officials copied data from a laptop left unattended in China by the commerce secretary.

[n3td3v]

We live in the west, so we tend to get the U-S version being believed over the Chinese version of events, but I think the U-S is the bigger aggressor.

[sigzero]

Riiiight...keep thinking that.

[ethana2]

Most of my family uses Ubuntu and our new president uses OSX, so I think things are going to improve rather soon...
Security isn't something you do, it's the way you design every bit of code that you write. If our government is running things on Windows, we're blaming the wrong people.

[man_w_balls]

It's the Invisible War

[man_w_balls]

BTW, the way China runs their country makes even George Bush seem like a cool guy

[AwakenZero]

I believe the U.S. government and certain agencies like the FBI, CIA and such are using a different operating system than what is currently on the market for businesses and consumers. Correct me if I'm wrong.

However, if they aren't then they should try to develop their own operation system. Even if the U.S. uses Ubuntu or OSX over Windows. It is easy for a chinese hacker to just find out what operating system the U.S. uses and just spend hours trying to see what they can exploit out of a specific operating system.

If the U.S. uses their own operating system then the hackers will have to do some "guess work" on what types of attacks will work and what will not because they will not be able to aquire the operating system through the markets like Windows, OSX, or Ubuntu.

As for hardware, they shouldn't aquire hardware for the U.S. government to use from other countries that might have an interest in tampering the hardware to attempt to gain access to U.S. government files.

[simplelifer]

Interesting...

I do have to address the following;

1.) "The U.S. government also is at risk as a result of the global computer supply chain..." Taiwan, not China (People's Republic of China), makes and supplies over 70% of global PC components and parts, like iPhone made by Taiwanese Foxconn, and Taiwan (Republic of China) is the foe of China, ally of U.S.

2.) About a week or so ago I read a news from Cnet about how some Chinese web 2.0 startups are coping U.S ideas and technologies, the fact that Chinese engineering skills and technologies is still far behind Americans, doesn't this report contradict to that news? The Chinese don't even know how to design their own OS from ground up for God sake! Remember how angry they were last week when Microsoft decided to blink PC screens from time to time, if people are using illegal copies of their Windows? The Chinese thought Microsoft were targeting at them since most of the Windows use in China are, mostly, illegal copies.

I believe Chinese are attacking computers in U.S, especially ones that operate by the government. But at risk? I'm mean c'mon! Does this smell like cold war lyrics back in the 80s'---we are so weak and vulnerable, let's spend more money on defense. Only this time, do it on computers.

[frasercrane]

IMHO typical Sinophobic ranting. If the Chinese (not Taiwanese) had wanted to engage in a cold war and do damage covertly it has done more with its food and toy products than anything it can hope to do with computing.

[SteamChip]

The crossbow has been introduced. Its time for the knights to upgrade their armor and tactics (again).

[Greg5A]

I have to wonder why this stuff isn't being fixed. The Chinese steal from us. The Russians steal from us. Everybody in the world tries to steal from us. Our security gets compromised on a regular basis--but it seems like nothing gets fixed.

It certainly looks like our business and government leaders are a bunch of damn dumbheads.

[knowles2]

And I am sure the US is hacking China and Russian and North Koreas, UK, France, and any one elses computers they are interested in, just the same as those same countries all go around hacking each others. It far cheaper to steal the information and than to invent it your selves.
Have not it been proven the NSA has had implanted certain folders and back doors into windows system it self.

And well I love the way the article uses sophisticated attack methods, I wonder how sophisticated they really were. British hacker hack into NASA computer system and he taught himself how to hack into computers and had no technical training what so ever. So I am doubtful the attacks are all the sophiscated it more likely the security protocols are just out dated. As well as parts of the system being being old is the real problem rather the chinese being ahead of you lot on cyber warfare. Russia on the hand has actually has people, I not gonna say they are the Russian government, but certainly cyber criminals who has proven they can disrupt other country computer networks and take down government websites and so fourth.

Whole and the person who said they should build their own operating system, sure that will keep system safe, for about a week or so, they would get one their agents to steal it and pretty soon after it deployed it will just be as open as the one they used before.

Only true way to maintain security is to be proactive, hacking chinese computers, developing your own in house techniques, building own firewalls. And most of all have lots and lots of people monitoring all the networks.

[SenorFrog]

Greg5A: There's no incentive to fix it. When's the last time a high ranking government or corporate official got spanked because of a security breach? I'm not even talking about being hacked, if they just punished the companies and organizations that are allowing people to walk around with unencrypted laptops with personal and classified data on them, I'd be happy.

On a individual level, with the global economy going down the drain, make sure you at the very least get your free credit report from the reporting agencies. It might be worth it to invest the money in a full service solution. The attacks and scams are not going to be focused only on the big guys. Keep your malware up-to-date at home (there are good free versions available), and if you have teenagers or anyone that loves teh pron, keep each of your computer's personal firewall up and use a router - don't surf naked.

And a Happy Thanksgiving to all.