By Richard Weitz
Recent incidents make clear that Chinese hacking and espionage remain a core U.S. national security concern. The scope and scale of these activities are breathtaking. Defeating this threat requires an optimized public-private partnership since the magnitude of the challenge far exceeds what the federal government can combat on its own.
The Federal Bureau of Investigation has been sounding the tocsin about Chinese cyberespionage for years. On September 18, FBI Director Chris Wray reiterated that Beijing’s cyberespionage program has grown so vast that it transcends the size and scope of all its major competitors combined. The People’s Republic of China (PRC) employs tens and perhaps hundreds of thousands of skilled hackers, whether as government employees or semi-private contractors, in a full-court campaign to steal foreign secrets.
There have been many reports over the years of major PRC espionage operations targeted against the United States that have severely compromised U.S. secrets; many more cases are likely unreported. Though Chinese human agents and spy balloons often gain the most popular attention, the most pervasive threat to Americans’ secrets comes from the PRC’s massive cyber espionage. Even in recent months, senior cyber officials fear Chinese hackers so deeply penetrated some sensitive U.S. computer networks that they still may have access to them.
In a major foreign policy speech earlier this week at Hudson Institute, former Vice President Mike Pence acutely observed that “China is the greatest strategic and economic threat facing the United States in the 21st century.” It is imperative that the United States prevent the Chinese Communist Party from accessing our sensitive information, especially classified U.S. defense and intelligence data.
Though government bodies like the Office of Personnel Management (OPM) seem inclined to assume more responsibilities in this area, the United States would do better by having the private sector hold, manage, and store more of this data.
OPM has not been a reliable guardian of Americans’ secrets. Its vulnerabilities permitted one of the most egregious data breaches in history. In 2015, a PRC entity, likely the Jiangsu State Security Department, which is a subsidiary of China’s Ministry of State Security spy agency, stole the records of more than 22 million Americans.
Despite years of congressional hearings and generous appropriations designed to strengthen its cyber defenses, the OPM still received a cyber score of F on the July 2022 Federal Information Technology Acquisition Reform Act (FITARA) scorecard. Since OPM is the Human Resources authority for much of the federal government, cyber security issues often receive insufficient attention as the Office strives to provide and implement human resources policy and guidance for myriad other issues across many federal government agencies.
Unfortunately, many other U.S. government bodies are also not well positioned to secure U.S. cyber security efforts. In May of this year, the Government Accountability Office (GAO) found that an array of government agencies have not implemented critical cloud security practices, including defined security metrics. GAO listed almost three dozen recommendations that these government bodies had to follow to fully implement these practices.
In contrast, private sector companies have a more consistent and effective track record of preserving the integrity of sensitive U.S. information. They must receive FedRAMP authorization, which means they must use sophisticated cloud technologies that have modern security and protection protocols to keep federal information safe and secure. Furthermore, private sector companies focus more closely on human capital needs and data security.
As the Chinese cyber espionage threat continues unabated, it is critical that the government lean more heavily on these entities in the years to come.