The U.S. government is turning to some unexpected partners to fend off Chinese cyber spies and Russian hackers -- China and Russia.
While both countries have been accused of condoning, if not outright sponsoring, malicious online activity, they each share America's frustration with identity theft. U.S. officials see that commonality as a starting point for dialogue that eventually might resolve differences of opinion on other matters in cyberspace.
"Cybersecurity is a problem in China. Fraud is a big problem. So there are areas where we can cooperate to improve the health of the ecosystem," Bruce McConnell, a counselor for the National Protection and Programs Directorate, said Thursday. He and other government cybersecurity specialists spoke at a breakfast sponsored by Nextgov's sister publication Government Executive.
"There are obviously areas of difference," such as theft of U.S. intellectual property in China and its censorship of Internet traffic, McConnell added. "Their perspective on some of these issues will change so we want to be a reliable partner."
The FBI has a liaison in Beijing. This spring, the Secret Service, which investigates computer crime, acquired a long-term visa to open an office there and also has an office in Russia.
The thinking is that proactive engagement will be more persuasive than aggression because it's hard to prove the Chinese or Russian governments are behind invasions perpetrated by anonymous individuals. China has been accused of sponsoring intrusions at Google and most recently the International Monetary Fund, but neither suspicion has been verified. Allegations that Russia knocked Estonia offline for two weeks have yet to be confirmed, four years after the 2007 assault.
"The different motivation of different actors in that space, combined with the difficulty of attribution, speaks to why a deterrence strategy is so opportune," said Jason Chipman, senior counsel to the deputy attorney general. He was making the point that it often is unclear whether attackers are committing malicious activity to gain money, bragging points or military intelligence.
Part of the preventive strategy is a U.S. public-private effort to establish "trusted identities," or certified credentials, in cyberspace that verify people are who they claim to be during online transactions. The National Institute of Standards and Technology is leading the multiyear project.
Many foreign countries, including the former Soviet republic, have contacted NIST to express interest in the initiative.
"Russia has tried a national ID card in this space and it failed," said Ari Schwartz, NIST senior Internet policy adviser. "We can engage with them and learn from their failure in this space and come up with a solution that works internationally." Cooperating with America's reluctant partners also might financially benefit U.S. companies that produce the technologies, he added.
"You can look at it from the negative side or you can look at it from the positive side and I think we have to go ahead and forge relationships on the positive side," Schwartz said.