Of Hacking and Hypocrisy

Why the US has no right to criticize Chinese and Russian cyber-spying

On the 19th of May last year, in an unprecedented move, the US government charged 5 Chinese nationals for cyber-espionage. The prosecutor alleged that the five men had been working for the Chinese Government to steal critical US trade secrets across a range of industries. This was not the first time that the Chinese had been accused of cyber-spying on US businesses; however it was the most prominent case of it to date.

As would be expected, the case brought renewed attention on cyber defence and renewed criticism of China. Judged to be “just the tip of the iceberg,” many commentators believed that almost every Fortune 1000 company had been hacked in some way by malignant forces based in China, Russia or Iran.

Responding to the arrests, the US Attorney General Eric Holder stated “This is a tactic that the U.S. government categorically denounces. As President Obama has said on numerous occasions, we do not collect intelligence to provide a competitive advantage to U.S. companies, or U.S. commercial sectors.”

Or do they?

A bad day for the BND

Fast forward almost one year later, and the NSA is embroiled in yet another scandal related to its espionage overreach. According to reporting by the Suedeutscher Zeitung, the NSA is accused of working together with its German equivalent, the BND (Bundesnachrichtendienst), in order to spy on a range of targets across Europe.

While many of these were elements within the French government and military establishment, more interestingly and much more controversially, the report also alleged that the NSA/BND conducted wiretaps on a number of European companies. Among these, the largest was the aircraft manufacturer Airbus and its Eurocopter subsidiary. Responding to this, Airbus has now threatened to pursue legal action against these agencies for what it calls “concrete suspicion of industrial espionage”.

This spying, which reportedly continued for several years between 2008 and at least 2013, is unsurprising to long-time watchers of the Western intelligence establishment. Under the auspices of the Five Eyes (USA, Canada, Australia, New Zealand and the UK), large-scale industrial espionage has been alleged to have been conducted for many years, however this latest scandal looks to be one of the first real pieces of evidence of this occurring.

Moral relativism in the digital age

With this in mind, some very serious questions need to be asked about the moralistic preaching of the US when it comes to cyber-espionage. For all that they officially deny it, it appears increasingly likely that the US and its Five Eyes allies engage in widespread and targeted espionage, not just directed at governments and terrorist groups, but also at foreign corporations.

While the outrage against spying by China and other countries does play well for the cameras and might give some political figures a domestic poll boost, it achieves little more than that. The charges laid against the 5 Chinese men last year triggered a diplomatic spat between the two countries and made further cooperation on many issues more difficult for a period. In fact, in most cases such actions probably make the spectre of international cooperation of cybersecurity even less likely.

Realism as a cyber-security policy

The rivals of the West are unlikely to give up industrial cyber-espionage in the near future due to the comparative technical advantage of Western companies. This, combined with the fact that diplomatic spats based on hypocritical moralistic preaching are unproductive, means that that new cyber-security policies need to be developed by governments and businesses based on an acceptance of this new paradigm.

A Realist view of the situation would show that both sides are engaged in widespread spying, and are unlikely to stop. Furthermore, an agreement to better police this is both very far away, and almost impossibly difficult to implement.

Within this paradigm, companies need to develop comprehensive policies to protect not just against random and disruptive spectacular hacks, but also against long term efforts to steal their trade secrets. Employees need to be educated from the get-go on data security, and systems need to be made secure to a much greater level. A trust-nobody, not even the government, approach would be considered the most comprehensive solution to these persistent threats.

Meanwhile Western governments also need to change their approach. While it is unlikely they would admit to the existence of large scale industrial cyber-espionage, they should at least put an end to pointless diplomatic complaints over each other’s programs. As retaliatory cyber-spying is almost certain, the most sensitive secrets of a nation, be they economic, political or military, should be taken completely offline, and instead stored through other low tech means.

The West is no better than the rest when it comes to cyber-spying, and it’s about time they stopped acting like it.