Security vendor Mandiant's 60-page report on Chinese cyberespionage, which offers proof that it is coming from a Chinese military unit housed in a building in the Pudong district of Shanghai, adds new fuel to two hotly debated cybersecurity questions.
First, does this mean the quest for 100% certainty in "attribution" of intrusions has been achieved? And second, does that mean the U.S. is justified in taking what government officials like to call "active defense" measures -- what most others call "retaliation" or "offense"?
Security experts are divided on the issue. Gary McGraw, CTO at Cigital and a vocal opponent of active defense, notes that Mandiant finding the source of advanced persistent threats (APT) in real time is good, but vastly different from being able to pinpoint the source of a cyberattack that takes place in a fraction of a second.
McGraw also argued that it is a gross exaggeration to call these attacks acts of war. "This is not cyberwar," he said. "That involves blowing things up, or taking things down for an extended period. This is espionage. There is a big difference, and we should not be conflating the two."
James Arlen, a senior consultant with Leviathan Security Group, said most organizations are not remotely prepared to launch any kind of effective attack against a perceived adversary. "We've spent the last decade of infosec riding around the driveway in training wheels, and people are talking about how awesome we're going to be at piloting M1A2 tanks across the battlefield," he said.
Arik Hesseldahl at All Things D wrote in "Cyberwar with China is here, like it or not" that since China has been hacking companies involved in remote access tools that are used to control SCADA (supervisory control and data acquisition) systems, they are preparing to attack the nation's critical infrastructure.
Joel Harding, a retired military intelligence officer and information operations expert who says he is a longtime believer in active defense, thinks a proportionate response is perfectly reasonable. "Why not find a way to infiltrate it and turn the tables?" he said, given the U.S. knows the building where the attacks have been originating. "We can infiltrate virtually or in the real world. We can target it with viruses, Trojans, worms -- all kinds of APTs, and continue to make life miserable for them."
Stewart Baker, first assistant secretary for policy at the Department of Homeland Security under President George W. Bush and now a partner at the law firm Steptoe & Johnson, wrote last fall: "We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds. The obvious alternative is to identify the attackers and punish them."