A Chinese View

Richard Zhao is the Chief Strategy Officer for NSFOCUS Information Technology, a Chinese firm that provides network security to a broad range of clients. In a recent conversation in Beijing with EWI’s Andrew Nagorski, Zhao—who has worked in both China and the United States—discussed the differing perceptions of these two countries of key cybersecurity issues.

What is really happening when it comes to cyber developments in China and the United States? Where do we see deepening integration and where to we see deepening suspicion?

Both sides use cyber as an extension of their traditional intelligence services. Maybe the difference between traditional intelligence gathering and intelligence in the cyber age is the level of transparency and the degree of collaboration with intelligence services. For example, China and the U.S. have a hotline and bilateral talks to deal with traditional security issues, but in the cyber age, the corresponding mechanisms have not been established for cyber. Besides, China is not very comfortable with the huge technological advances of the United States. The U.S. has companies like Google, Amazon, Microsoft, Cisco and IBM. They control most of the world’s ICT infrastructure, and they have the capacity to collect enormous amounts of data and general intelligence. Based on this intelligence, the U.S. “understands” China better than China “understands” the U.S.

There have been many reports of alleged Chinese cyber attacks against the U.S. Are you saying that you think China’s actions are motivated by this sense that it is behind in the cyber field?

Yes, they want to do something more to better their position. Technically, I do think the U.S. is in a stronger position.

So you feel that China is more vulnerable than the United States?

I do. Most of the technical reports reflect this point. China is more vulnerable by far than the U.S. The U.S. leads in high-tech areas; they make use of this advantage to do some things that that other nations can’t visualize or detect. Increasingly, however, the U.S. is far more transparent than other nations; it has a complete set of laws, which China doesn’t have.

Has there been progress in terms of working out common standards for things like cloud computing to provide more of a sense of assurance to both sides?

There has been some progress. For example, there is the CSA (Cloud Security Alliance), a non-profit organization, founded in 2009. They developed security guidance for the cloud and are unique in the industry for providing guidance for security operations and auditing services for the cloud providers and customers. The ISO (International Organization for Standardization) and ITU (International Telecommunication Union) have started some initiatives to develop some standards for the cloud as well. Some of them are collaborating together with CSA and ENISA (European Network and Information Security Agency).

As for China, I founded the CSA Greater China Chapter, later called the Greater China Regional Coordinating Body. We offer promotions and education awareness programs about security governance for cloud providers, customers, researchers, etc. in China. CSA security governance guidelines are not mandatory. As an aside, CSA is preparing an Open Certification Framework (OCF) for cloud providers based on their security guidance programs. According to my knowledge, the Alibaba Group just passed the OCF. CSA is planning to promote this OCF worldwide.

Can more be done here to promote such joint efforts?

I don’t know for sure, but I do think that if EWI can initiate a dialogue between the U.S. and China on the cloud and cloud computing’s impact on the economy, and try to establish communication on issues concerning legal data and privacy, that would be a big step forward.

One of your colleagues said money motivates 90 percent of hacking. In the U.S., there’s a tendency to think that the attacks from China originate with the government. Do you think that there could be serious attacks originating in China that are not initiated by the government but criminally motivated?

There could be, but the essential point may be that the U.S. and China need to sit together and put the data on the table. The U.S. should share the evidence it has collected on China so China can do some proper investigation. For example, Google reported they were hacked by attackers, in a case now nicknamed Operation Aurora. Given that the finger is pointed at China, why not provide the detailed evidence through some channel so that some proper China agencies can investigate and reach a jointly acceptable conclusion? In general, when you point your finger at all of China, then no single Chinese agency is likely to jump in to take responsibility.

Do you think anything can change this atmosphere of mutual recriminations and suspicion?

The Chinese need to establish a central point of coordination. China doesn’t have a cybersecurity coordinator, a cyber tsar, similar to the special coordinator for the U.S. president. If the U.S. were to detect an APT (Advanced Persistent Threats) attack, this coordinator could work together with many agencies. There needs to be an established mechanism for dealing with these kinds of threats.