SAN FRANCISCO — China’s eating our lunch in cyberspace.

That’s the unified message that National Security Agency, FBI and Homeland Security Department officials brought to the RSA cybersecurity conference last week.

During keynote addresses, panel discussions and news conferences Tuesday, they were laser-focused on the digital security threat China poses to the U.S., describing it as more complex and damaging than any posed by other digital adversaries.

“I kind of look at Russia as the hurricane. It comes in fast and hard,” Rob Joyce, NSA’s senior cybersecurity adviser and former White House cybersecurity coordinator, told reporters. China, on the other hand, “is climate change: long, slow, pervasive.”

Chris Krebs, director of DHS’ Cybersecurity and Infrastructure Security Agency, backed up that assessment.

“Russia’s trying to disrupt the system,” he said, but “China’s trying to manipulate the system to its ultimate long-term advantage.” Combating Chinese digital espionage will be one of four major focus areas for his agency during the next 18 months, he said.

The intense focus on China at one of the country’s largest cybersecurity conferences was striking as much of the cybersecurity talk in Washington political circles remains focused on Russia. It was also notable heading into 2020 as Moscow’s hacking operations against Democratic political targets helped sow chaos during the 2016 elections – and after a drumbeat of indictments in the last year against government-linked hackers from not just China but also Russia, Iran and North Korea.

Yet U.S. officials seemed united in their assessment that while attacks from those nations may be damaging in the short run, the long-term financial damage of China stealing U.S. companies’ trade secrets and intellectual property will be devastating.

When moderator Susan Hennessey, editor of the Lawfare blog, asked FBI Director Chris Wray if the government might be overemphasizing China’s digital threat, Wray responded that – if anything – government had historically under-emphasized it.

“There is nothing like it,” Wray said. “I’m not somebody who is prone to hyperbole, but of all the things that surprised me when I came back into this world, the thing that most shocked me was the breadth, the depth, the scale of the Chinese counterintelligence threat.”

The singular focus on China didn’t make sense to all of the industry leaders at RSA, however.

Crowdstrike President Shawn Henry told me he agreed that China is the greatest threat to U.S. financial cybersecurity but warned that a cyberattack from Russia – which has a track record of destroying systems and data rather than just stealing them – could produce far broader damage.

“The theft of data will have a significant economic impact. A destructive attack can have a significant threat to life,” said Henry, a former FBI executive assistant director.

The messaging campaign about Chinese hacking may actually have an impact on Chinese leaders, Ryan Gillis, vice president for cybersecurity strategy at Palo Alto Networks and a former DHS official, told me.

Unlike Russia, which seems largely immune to public shaming, China has historically bristled when U.S. officials publicly accuse it of hacking, Gillis said. He noted that a similar public shaming campaign – and the threat of sanctions – were widely credited with pushing Chinese President XI Jinping to sign a 2015 no-commercial hacking agreement with the Obama administration.

China sharply reduced its commercial hacking after that agreement, but it has ramped up again during the Trump administration.

“China does want to be a leader in the international community, so that pressure and the unity of the message is an important thing right now,” Gillis told me.

The message was also well targeted to the industry-heavy audience at RSA.

A lot of China’s hacking involves exploiting very simple vulnerabilities that companies could protect against but don’t – either because they don’t understand their digital weaknesses or haven’t made cybersecurity a priority.

Krebs spent a lot of time at RSA urging cybersecurity industry pros to help companies do the simple security work to make Chinese hacking more difficult.

“The majority of the times they’re getting in, it’s just basic, basic stuff,” he said.

—