The New York Times and The Wall Street Journal are pointing fingers of accusation at China in the wake of hacking incidents. China is pointing back.
China is responding to a damaging report from security firm Mandiant. The report suggests APT1, a prolific cyber-espionage group that has conducted attacks on a number of victims since at least 2006, is likely sponsored by the Chinese government and is one of the most persistent of China's threat actors.
Ministry of National Defense spokesman Geng Yansheng said China had been the victim of cyber-attacks that have originated in the United States, and that Mandiant mischaracterized China's activities, according to a New York Times report.
"Chinese military forces have never supported any hacking activities," Geng said at a press briefing. "The claim by the Mandiant company that the Chinese military engages in Internet espionage has no foundation in fact."
Hong Lei, a spokesman for China's Foreign Ministry, also briefed the press on Tuesday. According to China.org.cn, he said cyber-crime is an international problem and should be solved through international cooperation on the basis of mutual trust and respect.
"Groundless criticism is irresponsible and unprofessional, and it will not help to solve the problem," he said. "China has called on the international community to make a code of conduct for cyberspace on the basis of the submission and make joint efforts to build a peaceful, secure, open and cooperative cyberspace."
Who's Naive Now?
So who is right? Are U.S. companies overreacting or is China covering secret operations against the U.S.? Or both?
Richard Wang, manager at SophosLabs U.S., said Mandiant put together a convincing case that one of the cyber-attack groups it follows is linked to the Chinese government.
"Attribution is, of course, very difficult to obtain for cyber-attacks, which can be routed through compromised servers around the world," he said. "While the Chinese deny the claims in the Mandiant report, it would be naive to assume that any major government, Eastern or Western, has not extended its espionage capabilities into the online realm."
Meanwhile, he continued, it is important to remember that although the report mentions a significant number of attacks over several years, that is tiny compared with the thousands of attacks daily from common cyber-criminals.
"Advanced persistent threats (APTs) are comparatively few and far between. If you are in a high-risk industry such as aerospace or defense, or tasked with securing government systems, then APTs should be on your list of concerns," Wang said. "However, for less frequently targeted industries, focusing too much on APT at the expense of your day-to-day network security is not a wise strategy."