May was a grim month for American cybersecurity. First, the Obama administration accused China of hacking government computers, potentially to exploit weaknesses in the US military. Then, US officials announced that hackers, believed to be sponsored by the Iranian government, had successfully broken into computer networks that run US energy companies, giving Iran the means to sabotage power plants. This week, the Washington Post reported that Chinese cyberspies had hacked more than two dozen big-name US weapons programs, including the F-35 fighter jet, an army program for downing ballistic missiles, and the Navy's Littoral Combat ship. Not all cyberthreats are equal, but one question remains: Who poses the greater danger—Chinese or Iranian hackers?
To date, Chinese hackers have gotten more public attention, thanks to a February 2013 New York Times investigation of a top-secret government hacking operation based in Shanghai, and high-profile attacks, originating from China, on US media outlets. But experts point out that though China has greater capabilities for cyberwarfare and is actively stealing US military secrets, Iran's attacks could ultimately be more worrisome, because its hackers are targeting critical infrastructure and developing the ability to cause serious damage to the United States' power grid.
"The Chinese are engaged in cyberespionage, which is more or less understood," says Richard Bejtlich, the chief security officer at Mandiant, a company that offers cybersecurity services for Fortune 100 companies. "We know what lines they will and will not cross. But a country like Iran is much more willing to be destructive. They go ahead and delete computers, they corrupt them, and they cause a lot of trouble." James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who frequently advises the White House, agrees that Iran's "attacks on critical infrastructure are probably the bigger threat…Iran is much more unstable."
Hackers directly backed by the Iranian government have demonstrated the capability to destroy critical information and an interest in causing damage to US computer systems, not simply hacking them to collect information. According to the Wall Street Journal, in their most recent campaign, Iranian-linked hackers broke into computer systems to gain information on how US energy companies run their operations, acquiring the means to "disrupt or destroy them in the future." Iranian hackers were also blamed by US officials for erasing thousands of hard drives owned by Saudi Aramco, the world's biggest oil company, in August 2012.
China and Iran have different goals when it comes to meddling with US computer systems. China's hacking culture dates back to the 1990s, with a famous underground group called the "Green Army," which reportedly led attacks on foreign websites. Today, evidence suggests that the Chinese government has an elaborate hacking operation, backed by both the People's Liberation Army and intelligence agencies, which spies on US government agencies and defense contractors. In 2006, the Commerce Department had to throw out hundreds of computers injected with spyware by hackers working through Chinese servers. In 2009, a massive Chinese cyberespionage network called "GhostNet" penetrated embassies, nongovernmental organizations, and media outfits in 103 countries. Richard Clarke, a former counterterrorism adviser for presidents Bill Clinton and George W. Bush, estimates that China's industrial espionage against US companies is resulting in the loss of billions of dollars in assets, including tax dollars spent developing new weapons.
"China's hacking is a long-term competitive issue," says Bejtlich. "It's not tolerable. We want them to reign their activity in, but they're not going to suddenly take down a power grid." Lewis notes that "China is a responsible power" and adds that "the risk of them launching a true cyberattack"—meaning a malicious takedown of US government computers—"is probably zero outside of an armed conflict."
Iran has a shorter, more volatile hacking history, which began in the early 2000s. In 2010, a computer worm believed to be created by the United States and Israel to damage Iranian nuclear facilities spurred Iran's interest in cyberwarfare. "They felt they could do to us what we did to them," Bejtlich says. The first real test of Iran's hacking abilities came in 2011, when Iranian hackers, suspected of cooperating with the government, breached over 300,000 targets, including some in the United States. Since then, Iran has also been blamed for disrupting the websites of American banks in retaliation against US sanctions imposed on Iran.
Experts say it would take Iranian hackers several months to locate a specific target and figure how to get access to it—such as finding the computer at a power plant in New York City that could be used to shut down the grid. But Lewis says that once that information is obtained, it would only take Iran "about 20 minutes" to hack an identified target and unleash a virus. He thinks that Iran will only deliberately cause harm if the United States interferes with its upcoming presidential elections. Clarke argues that Iranian threat isn't as dire, because, unlike China, Iran isn't actively stealing state secrets on a massive scale. Even if Iran is poking around US computers, Clarke notes, it hasn't actually destroyed US infrastructure yet: "The Iranians appear to be more interested in destruction and damage, but it's about deterrence—deterring the US from bombing them…Iran would be crazy to launch a preemptive cyberstrike. And they're not crazy."
US lawmakers have focused on preventing both cyberspying and cyberattacks. In February, President Obama issued an executive order on cybersecurity that requested that utility companies participate in a voluntary information-sharing program so that the government can help them stop assaults. Obama is also expected to address the Chinese cyberattacks at a summit next month with China's new leader, Xi Jinping.
"The executive order alone is not enough," says Candace Yu, an associate security fellow with the Truman National Security Project and a cyberpolicy adviser at the US Department of Defense from 2010 to 2012. "To prevent a large-scale cyberattack, we need national cyberlegislation that enhances information sharing." For the US government to design effective cyberdefenses, Yu explains, US companies must share information with the government about when and how they have been attacked by hackers. Clarke points out that many companies so far haven't been inclined to do this because of privacy concerns and a lack of interest in regulation.
Ultimately, Clarke says, it doesn't matter which country poses more of a threat because "the difference between hacking infrastructure and spying is only a couple of keystrokes. It's still all about getting in. And once you're in, it's relatively easy to do the destruction you want to do."