The views expressed by contributors are their own and not the view of The Hill

Made in America, stolen by China: We need cybersecurity minimum standards

AP Photo/Kiichiro Sato
The American and Chinese flags wave at Genting Snow Park ahead of the 2022 Winter Olympics, Feb. 2, 2022, in Zhangjiakou, China. Hackers working on behalf of the Chinese government broke into the computer networks of at least six state governments in the United States in the past year, according to a report released by a private cybersecurity firm. The report from Mandiant does not identify the hacked agencies or offer a motive for the intrusions, which began last May and continued through the last month.

The United States is under siege and many threats originate from the same place, even if the day’s headlines don’t make it obvious.

Russia is certainly the threat du jour because of its rampant use of cyberattacks, invasion of Ukraine, and energy extortion on much of Europe. The Cybersecurity & Infrastructure Security Agency (CISA) even launched a “Shields Up” campaign that centers around cyber threats originating from Russia. Add the threat of nuclear war to the equation, and it’s easy to understand why Russia captures so much of our attention.

But there is a greater threat that is so pervasive and omnipresent that it has infiltrated your teenager’s social media, breached both federal and state agencies and much of the supply chain supporting our defense industrial base.

Military, intelligence, and economic advantages are made in America and then quickly stolen by China.

China is simultaneously influencing hours of your children’s time every day on TikTok, breaching federal agencies to compromise the personal information of tens of millions of Americans, and very recently at least six state government networks. And let’s not forget the vast supply chain that enables the world’s greatest fighting force. Our defense industrial base is routinely attacked by China, in parallel to their assault on the rest of American citizens, government, and business.

Many Americans now understand that TikTok is more than just viral videos; it’s a data harvester. Seven governors (so far) have banned the use of TikTok on state devices: Kay Ivey of Alabama, Bill Lee of Tennessee, Spencer Cox of Utah, Kevin Stitt of Oklahoma, Larry Hogan of Maryland, Kristi Noem of South Dakota, and Henry McMaster of South Carolina

The Chinese Communist Party reportedly is using companies like ByteDance, TikTok’s parent company, and telecom provider Huawei as levers to run a longstanding espionage program.

TikTok has already started paying out after settling a $92 million class action lawsuit that claimed the app violated privacy rights. CNN reported that the FBI determined Huawei equipment — currently deployed on cell phone towers near military bases — is capable of “capturing and disrupting highly restricted” Defense Department (DOD) communications. The Federal Communications Commission (FCC) designated Huawei as a national security risk last year.

These are not isolated incidents.

China doesn’t always use private businesses to do its dirty work, and it isn’t just after data. Chinese officials reportedly have targeted Federal Reserve employees for a decade to gain influence and undermine monetary policy. A report from Sen. Rob Portman of Ohio says that unless action is taken, China has “an open avenue to disrupt the integrity of the American financial system, jeopardizing U.S. national security.” Even more brazen, hackers linked to the Chinese government stole millions in COVID-19 benefits, according to the Secret Service.

Between its motivations, pervasiveness, and coordination in stealing American data and attempting to use it against us, China is clearly the largest threat to the U.S. — the Pentagon certainly sees it that way.

Is China ready to leapfrog the United States from a military dominance perspective? What about the political, economic, and intelligence advantages that the U.S. holds? Gaining supremacy in those areas is China’s goal, and it’s closer to reality than hyperbole.

Consider the scope

China has been breaking into computer networks of government contractors for the better part of two decades. This means organizations from defense to critical infrastructure have had schematics, research and development, and other sensitive data all being fed to the Chinese government.

The call to action on stopping China came way back in 2008. Deputy Secretary of Defense Gordon England gathered top eight aerospace and defense CEOs to the Pentagon and told them to “stop the bleeding” of data that was occurring on their networks. Nearly 15 years later, action hasn’t been swift enough.

In July 2020, FBI director Christopher Wray called this Chinese theft “on a scale so massive that it represents one of the largest transfers of wealth in human history. If you are an American adult, it is more likely than not that China has stolen your personal data.”

Only in March 2022 did Congress pass the Cyber Incident Reporting for Critical Infrastructure Act, which requires breach victims to notify CISA within 72 hours of a significant cyber incident and within 24 hours of paying a ransom. The legislation also gives CISA up to two years to issue proposed rules and even longer for a final rule.

As CNN’s reporting indicates, the U.S. government has known about China’s targeting of critical communication networks near military bases, but still hasn’t fully funded a program to rip and replace the equipment. To do so would be a burdensome and expensive endeavor, but losing our military, technical, and intelligence advantages is far more costly and difficult to swallow.

Inadequate defense and inducement to look the other way

Our government is getting much better at responding to threats like Chinese talent plans, but we have to increase the speed with which we act. We’ve known about these threats for nearly two decades, yet no mandatory cybersecurity minimums are in place for defense contractors to do business with the U.S. government.

In August 2020, the Trump administration issued an executive order that sought to ban TikTok in the U.S. over its data collection practices. Ten months later, the Biden administration rescinded it and replaced it with one of its own.

Too often, Chinese threats are intentionally minimized because so many U.S. organizations have business there. In October 2019 Daryl Morey, then the general manager of the NBA’s Houston Rockets, published a tweet in support of Hong Kong protesters. That tweet alone reportedly cost the NBA between $150 million and $200 million.

With so much profit to be made in China, there is financial incentive to look the other way as the heist of American data and intellectual property continues.

Best path forward

It might be tempting to compare this hostility to the Cold War, but Soviet Russia didn’t have the kind of reach, manufacturing capacity, or economic power that China has now. China is pervasive in its ability to produce goods and services that Americans want and need, from apps like TikTok to semiconductors and cellular communication equipment. China can weaponize and distribute its data collection efforts in ways that can be devastating to America.

Federal agencies like the FCC, DOD, and Securities and Exchange Commission (SEC) each have a regulatory lever they can pull. Acting in unison would provide some consistency in those efforts. However, our best shot at meaningful progress in shunning China’s ongoing threat is growing public-private partnerships.

Instead of a naming-and-shaming reactive culture, we need to double down on a proactive, information-sharing, forward-defending posture.

Victims shouldn’t be penalized for sharing breach information or indicators of compromise. That intel should be distributed through the appropriate public-private partnerships to better protect our critical infrastructure.

Creating mandatory cybersecurity minimums certainly has an associated cost, but we are getting to a point where we can either pay now or pay later. The cost of inaction is likely unbearable, an erosion of democracy that we probably can’t even fully grasp.

Eric Noonan is CEO of CyberSheath.

Tags China China–United States relations Chinese Communist Party Chinese espionage in the United States Chinese hacking Chinese intellectual property theft Chinese technology cyber attacks Cyber threat intelligence cyber threats cybersecurity Cybersecurity & Infrastructure Security Agency Cybersecurity and Infrastructure Security Agency cybersecurity executive order Cybersecurity standards Data breach data breaches Data protection Data security

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.