I just returned from a week of meetings in China on cyber security. I heard repeatedly that the United States and China were the two most important nations in the world. That point may be up for debate, but there is little doubt that the two countries are responsible for the lion’s share of international cybercrime.
They account for over one-third of global Internet users, and, according to Symantec’s most recent Internet Security Threat Report, the United States and China rank first and second, respectively, for malicious activity, together accounting for nearly 30 percent of the total. China’s .cn domain is third on the latest worldwide risk ranking, according to McAfee’s Mapping the Mal Web report. While .us comes in at number twelve, we can all probably guess where the lion’s share of the .com registrations, which rank second on the list, come from. Microsoft’s latest Security Intelligence Report again places the United States and China first and second on the list of countries with the most hosts infected with malware (and then cleaned by Microsoft’s anti-malware products).
The bottom line is that while multilateral efforts are stalled, the overall health of the Internet could significantly improve if the United States and China worked together to clean up their networks and started cooperating on cybercrime.
Let’s start with the proposition that neither country has any real interest in being a haven for cybercrime. In both countries, cybercrime is a byproduct of the rapid expansion of information technology and high-bandwidth networks. It is not, as it is in Eastern Europe, an important part of the national economy. Moreover, both are victims of criminals who reside outside their national borders. In the United States, 75 percent of cyber attacks originate from abroad. Numbers are probably similar for China, creating incentives for both sides to help each other: if you want to stop attacks on your own users, you have to offer cooperation in return.
The problem is that the two sides lack a process to deal with cybercrime quickly. Now, if one of the two sides needs help in investigating a cybercrime it must request that assistance through the exchange of letters. While no official statistics are recorded, I am told that since the start of 2010, the FBI office in Beijing has forwarded ten letters through the Ministry of Foreign Affairs and received a response on only two. For their part, Chinese officials complained that they have sent in a varying number of requests for assistance with no response from the United States, a claim that U.S. officials deny. U.S. law enforcement is also not allowed to work directly with their counterparts.
A task force approach that involves law enforcement agencies may be the best mechanism for combating cross-border cybercrime. The model for this effort could be the European Electronic Crimes Task Force that the U.S. Secret Service and an Italian anti-crime unit developed last summer. The key is for each country to dedicate investigative and prosecutorial resources and exchange personnel. Get cops working together and I guarantee you will see surprising cooperation and results.
The definition of crime is a potential sticking point. We don’t like it that the Chinese view political dissent as a crime. The Chinese don’t like it that we encourage and protect hacktivists who target their government. Putting these issues aside, the task force should focus on two areas where there already is agreement about what constitutes cybercrime: cleaning up the network to eliminate the tools used by cybercriminals, and crimes committed with financial motivation.
Once trust is built in cross-border cybercrime, cooperation could expand to other areas. The Chinese government is not monolithic. There may be elements within certain security organizations whose job is to extract every last piece of intellectual property U.S. companies have, but there are other organizations with missions to clean up their national network and to fight cybercrime. If we can build an effective partnership with these organizations, who knows where it could lead.