The Daily - Reacting to Chinese Cyberattacks

Episode Date: July 21, 2021

The Chinese government’s hacking of Microsoft was bold and brazen. The Biden administration tried to orchestrate a muscular and coordinated response with Western allies. But while the U.S. has responded to cyberattacks from Russia with economic sanctions, when it comes to Beijing, the approach is more complicated. Why does the U.S. take a different course with China?

Guest: David E. Sanger, a White House and national security correspondent for The New York Times.

Background reading: The Biden administration organized a broad group of allies to condemn Beijing for cyberattacks around the world but stopped short of taking concrete punitive steps. Over the past decade, China has transformed into a sophisticated and mature cyber threat to the U.S.

For more information on today’s episode, visit nytimes.com/thedaily. Transcripts of each episode will be made available by the next workday.

Transcript
Starting point is 00:00:00 From The New York Times, I'm Michael Barbaro. This is The Daily. After blaming Russia for a major hacking operation last year, The U.S. is sanctioning more than 30 individuals and entities after intelligence... the Biden administration responded with extensive sanctions designed to punish its government. They're some of the most punitive U.S. measures taken against Russia in years. That did not happen this week, after the administration blamed China for a similar hack.
Starting point is 00:00:40 President Biden is condemning China for a massive cyber attack, but so far at least not going beyond tough words. China's not facing any punishments from the United States as of right now, not even sanctions. Is that a mistake? Astead Herndon spoke with our colleague David Sanger about why the U.S. is taking a different approach with China. It's Wednesday, July 21st. David, what is this Chinese cyber attack that the Biden administration just came out and condemned? There have been so many of these attacks, it feels, recently.
Starting point is 00:01:31 It's kind of hard to keep track. Sure, Astead, and it can be a little bit confusing because every time you turn on the TV or open the newspaper, you read about another hack coming out of Russia or China or someplace. Some of them are state-sponsored. Some of them are done by private groups. And this one that the Biden administration was going after was fascinating because we learned that it was a little bit of each. So let me just walk you through what happened. You'll remember that at the end of last year, just during the presidential transition, everybody was transfixed by a big hack that was done by the Russians. It was called SolarWinds. And it was very ingenious because it got into the supply chain of software that
Starting point is 00:02:12 companies use to basically manage their computer systems, network management, things like that. So about a month later, people discover that there is another hack or a hack underway involving companies that are running Microsoft software, particularly a system called Microsoft Exchange. Microsoft dug into it. And the more that some of other investigators did, they discovered that there were breaches all over the place. And while they initially thought it was the Russians, ultimately they traced it back to China's Ministry of State Security, which is the main intelligence unit run by the Chinese government. Microsoft says that Chinese hackers have been targeting its email server software.
Starting point is 00:03:03 They gained access to emails. In some cases, they took over computers. Upwards of 30,000 U.S. entities were breached in the hack. Universities, defense contractors, law firms, and infectious disease researchers. There's enormous frustration, I can tell you, on the business and government side. And so at the end of February and early March, they began sending out warnings to people that said, hey, we think we found an intruder. This intruder has found a vulnerability in all the software we've given you that we didn't know about.
Starting point is 00:03:36 The company released a patch protecting users from similar future hacks. However, the patch does not fix issues for those who already have their network breached. OK, so this is the cyber attack that the Biden administration decides to come out against. That's exactly right, Astead. Now, do we know what China was after? It's a great question, and we're not certain. But in this case, there were so many companies running this Microsoft Exchange system that it's hard to say exactly what they were looking for. And they may not have known exactly what they wanted. They may have simply known that this system is used by many of the biggest defense contractors,
Starting point is 00:04:25 by many of the biggest companies in America. And once they were inside, they could look around and decide what was worth stealing. This strikes me as pretty brazen from an outsider perspective. The Chinese government hacking Microsoft, one of the world's most important and integrated companies, into the global economy. Is that how it was received, as a kind of brazen or bold thing? It was brazen and it was bold. We've seen that before. But it was also indiscriminate, and that was what was new. Previously, when we've seen the Chinese go into companies or federal agencies, it's usually been a pretty specific attack.
Starting point is 00:05:08 In this case, they just went into everybody's systems and said, once we're inside, we'll figure out what we want. So the Biden administration knew from the start that this was China. Microsoft had said it. Their own intelligence agencies were pretty clear. They understood the Chinese had exploited a vulnerability that no one knew existed in the Microsoft software. And since the attack had hit many different countries, they decided to go use it as a way to try to show China that the rest of the world, or at least the rest of the Western alliance, was lined up against them on these cyber attacks in a way that we had never seen before. So they began going around the world, going to countries like Germany, which had seen probably
Starting point is 00:05:59 the second largest number of attacks and information losses under this, taking the evidence to them and tried to get everyone, including all of the NATO nations, lined up to go condemn China simultaneously. Now, that doesn't sound like a big deal, but it is one, because believe it or not, NATO is still so back in the world of old traditional threats that they had never actually condemned a cyber attack, even though cyber attacks have hit their member nations for years and years. Wait, wait, wait. NATO has never condemned a cyber attack before? That's right. This was the first time. That feels shocking. Well, it tells you a little bit about how so much of the Western alliance is still stuck in the old threats. So it's been a real slog to get them to think about cyber attacks the same way they would think about military attacks.
Starting point is 00:07:01 So part of the effort here was just to get the diplomacy to catch up with the technology. And what happened here was that the United States basically convinced the European nations, members of NATO, Japan, Australia, others, that if you let this go unchecked, the Chinese would over time use techniques like this to get into all of their systems. So once the U.S. and these other countries agreed to actually condemn China, what did they end up saying? Well, they were all a little bit different. The United States really took the lead on this, since it got the brunt of the attack. And they directly accused the Ministry of State Security of being behind this specific hack. But then they went further and they said,
Starting point is 00:07:53 we also found evidence that the Chinese Ministry of State Security wasn't only operating by itself, but that it was condoning and in some cases financing criminal hacking groups and letting them run out of China, which is a charge that in the past we've really only made about Russia. Now, other countries, including NATO, they weren't as specific, in part because they can't see the kind of evidence the U.S. does. So most of the Europeans said simply that they were condemning Chinese activity in cyberspace and urging them to respect international law in this area without specifically accusing them of guilt in this individual hack. So how did China then respond to these coordinated multinational condemnations that came out on Monday for this hack?
Starting point is 00:08:51 Well, Astead, it was fascinating because it was a combination of dismissiveness and a counterattack on the U.S. for its own cyber operations. What do you mean? On the dismissive side, they said, oh, we hear this from the Americans all the time. They're constantly making accusations like this. They're never really putting out the evidence. Who can believe this? But the next thing the Chinese did was really fascinating. And they said, you know, if you want to talk about
Starting point is 00:09:23 cyber criminals, why don't you start looking at yourselves, America? They said, remember the Snowden disclosures? And of course, that's going back now seven, eight years. And in the Snowden era, what did we learn? We learned that it was the United States that was going into foreign computer systems, conducting exactly the kind of surveillance you're accusing China of doing today. And in fact, they have a pretty good case to make there. Because while Snowden talked about revealing government intrusions into the private communications of Americans, all of the most interesting stuff in the Snowden documents actually showed that the National Security Agency and what later became United States Cyber Command broke into foreign computer systems,
Starting point is 00:10:11 including China's. In fact, they went after Huawei, the big Chinese telecommunications giant, got into their computer systems, figured out how their systems worked in case the U.S. ever needed to counter those systems. And this was all in the Snowden docs. And so the Chinese were saying, hey, if anybody invented the game of breaking into foreign corporate systems and extracting data from them, well, why don't you start looking at Fort Meade, which is where the NSA is located just up near the Baltimore-Washington airport. So it seems we have, on the one hand, most of the West condemning China for what the United States
Starting point is 00:10:55 is describing as a uniquely indiscriminate and brazen cyber attack. And on the other hand, you have a Chinese government that is not backing down and is in turn pointing fingers back at the United States. What you have here is a formula for escalation and further confrontation. And that's a big problem when you're dealing with the world's largest economy and the world's second largest economy. We'll be right back. Okay, David. So Biden and some of our allies are saying that they're not happy with China for this hack. But let's talk specifics. What can the U.S. actually do to punish
Starting point is 00:11:46 China for this? So, you know, Astead, the normal thing that you would do when you want to go punish a country without actually risking escalating into a military conflict is to impose economic sanctions. And that's exactly what the Biden administration did against the Russians for that earlier hack called SolarWinds. But what we've learned is that when dealing with an economy as big as China's, it gets pretty risky. First of all, a lot of those economic sanctions can blow back on American companies. You know, our economies are deeply interlinked, right? You can't walk into Walmart without buying Chinese goods. You can't walk into an auto parts store without buying Chinese goods.
Starting point is 00:12:29 You can't walk into an electronic store or go on Amazon without buying Chinese goods. Whereas with a country like Russia, we've got a lot more leeway because we're not as dependent on them for a range of consumer goods and technology. So that's one reason. But the second is China is also just a huge consumer of Western goods. And so a lot of American companies and a lot of our European allies are extremely reluctant to see the United States government get involved in an economic sanctions
Starting point is 00:13:05 war. You know, when the Germans were thinking about banning Huawei, the Chinese telecommunications company, the Chinese showed up and said, hmm, nice cars you make around here. Love those Mercedes, those BMWs. In fact, as we look at the market, it looks like we're buying about a quarter of all of your luxury cars. Be a shame if that whole market dried up for you. And boy, did that change the politics in Germany. So the Chinese have learned how to go use their role as a huge producer and a huge consumer to not only stave off economic sanctions, but shape the rules of the world economy. The simple answer seems to be that it's not only unclear that sanctions would impose harm to the Chinese, but it's more clear that it will probably backfire and maybe do some bad
Starting point is 00:14:01 stuff to our own economy. That's right. And you have to remember, Astead, that countries hack with different strategic objectives and different national interests. And so you've got to think about a series of incentives and punishments that actually fit what it is that those countries are trying to do when they're attacking you. And that's why Russia and China have traditionally been quite different. You know, Russia is fundamentally a weaker state,
Starting point is 00:14:31 certainly a weaker economy. It's got an economy about the size of Italy's. And its power in cyber comes from its ability to disrupt. So when we've seen hacks from the Russians, frequently they have been designed to undercut our confidence in our own networks, to make us believe that our systems are vulnerable. They've put code into our electric power grid as a reminder that any time they wanted, they could begin starting blackouts in the United States.
Starting point is 00:15:10 Wow. I didn't know that. Yeah. Now, until now, that's not been the Chinese M.O. here. The Chinese have largely been interested in stealing intellectual property. They've usually been about building up their own economy and their own state-run companies by stealing U.S. data. Traditionally, Astead, we've viewed these as very different kinds of attacks,
Starting point is 00:15:36 each of which requires a very different kind of response. The response to stealing intellectual property is in some ways easier because we have a big body of international law that prohibits stealing copyrighted and patented works, right? So if the Chinese steal a pharmaceutical firm's drugs for treating COVID-19, we know how to go deal with that. The problem is that now the Russian disruptive activity is to some degree being mimicked by the Chinese, who are growing bolder, whose ambitions around the world are becoming more obvious, and whose ability to disrupt is linked to the fact that they're building networks all across the globe. Whether that means that they're laying undersea cable that they control or sending Huawei out to build telecommunications networks that they control, they are making the
Starting point is 00:16:40 point that they can turn on and off the flow of information around the world or gasoline around the world or supply chains around the world that are feeding American companies. So China is not only becoming more bold in the cyber attack space, but also seems to be adopting tactics that were typically seen as ones that more aggressive actors like Russia have used in the past. That's right. But they've got greater means to go do it. So if the U.S. is not able to attack China economically,
Starting point is 00:17:22 to impose sanctions as it would with another country, what can it do? So a lot of people think that the best option here is actually a diplomatic one. It's one that begins to set some boundaries about what's out of bounds when you target attacks. And there you would start with critical infrastructure, where we would all agree, the United States, Russia, China, that some things in peacetime are simply off limits. Do you think that the diplomatic method has a chance of success? It seems as if it still
Starting point is 00:17:59 requires the Chinese to honor some sort of agreement. What incentive would they have to do that? It's a great question, Astead, because, you know, in the past, we've reached agreements with the Chinese on intellectual property, and they've followed them for a few years. And then you saw attacks like the one we've been discussing today. A few things would make this a lot easier. First of all, if we are more certain of our ability to attribute an attack to a specific nation and provide that evidence in public, the theory is you can name and shame countries more quickly. And that's a big change that both the Trump administration and the Biden administration have made in recent times. Number two is if you can organize the rest of the world
Starting point is 00:18:47 to join in those condemnations, it makes it clear to the Chinese that this could be an impediment to their ability to sell their goods, but more importantly, sell their influence around the world. So that's a second element of it. Is any of this gonna be perfect? No, but you know,
Starting point is 00:19:06 Astead, we've invented this electronic highway system. We live on that system each and every day. We're glued to our phones and to our computers. And as long as we are addicted to those, we're going to be vulnerable to attacks on those systems. All we're trying to do at this point is set some boundaries the way we have over the years on nuclear weapons, on chemical weapons, on landmines, on everything else that we've used against each other and we've decided over time is doing more harm to society than good. But based on the trajectory of cyber attacks, even just in the last year, it does feel like things are escalating considerably. What does that mean for the future of this cyber war? So, Astead, we're in a world of perpetual cyber conflict now. This isn't a set
Starting point is 00:20:03 of incidents. This isn't something that we're going to beat back and make go away. This is a permanent state of being. The way the Cold War in the 1950s, after the United States and then the Soviet Union got nuclear weapons, changed forever how countries deal with each other. And that means that we've really entered a new digital Cold War. We're just at the very beginning of this. Fundamentally, if you had to compare Cold War to Cold War, I would say we're sort of in the mid-1950s.
Starting point is 00:20:41 We've all just discovered we have these horrible new weapons. We know there's some point at which their use becomes catastrophic, and yet we don't really want to give them up. And so now we're all just feeling our way, trying to understand how far we can push it, how bad is the risk of escalation, what could go a step too far. And the fact of the matter is, we don't really know.
Starting point is 00:21:38 Thank you, David, for your time. Thank you, Astead. We'll be right back. Here's what else you need to know today. Before the Senate on Tuesday, the director of the CDC, Rochelle Walensky, said that the Delta variant of the coronavirus now accounts for the vast majority of all new infections in the U.S. This is a dramatic increase, up from 50% the week of July 3rd. In some parts of the country, the percentage is even higher,
Starting point is 00:22:21 particularly in areas of low vaccination rates. New daily infections have risen almost 200 percent over the past two weeks to 35,000, most of them among unvaccinated Americans. And the Times reports that nearly 60 people connected to the Olympic Games, which are scheduled to begin on Friday, have tested positive for COVID-19, including several within the Olympic Village. The infections are a major challenge to the organizers of the Games, which were delayed by a year specifically to avoid infecting participants. Today's episode was produced by Sydney Harper, Luke Vander Ploeg, Rob Szypko, Austin Mitchell,
Starting point is 00:23:18 and Chelsea Daniel. It was edited by M.J. Davis Lin, engineered by Chris Wood, and contains original music by Dan Powell. That's it for The Daily. I'm Michael Barbaro. See you tomorrow.
