From: WSJ
By Siobhan Gorman

WASHINGTON—China almost certainly would mount a cyberattack on the U.S. in the event of a conflict, and the U.S. has no clear policy to determine how to respond appropriately, a congressional advisory panel is set to warn on Thursday.

In a lengthy report analyzing Chinese cyber-capabilities and the threat facing the U.S., the U.S.-China Economic and Security Review Commission found that the U.S. telecommunications supply chain is particularly vulnerable to cyber-tampering and an attack could result in a “catastrophic failure” of U.S. critical infrastructure.

The report was written for the commission by analysts at defense firm Northrop Grumman Corp.

The commission’s findings are likely to stoke a fight on Capitol Hill over competing cybersecurity proposals, which are likely to reach the Senate floor in the coming weeks. Supporters of a White House-backed cybersecurity bill have clashed with Republicans over whether the government should require critical infrastructure companies to meet new standards.

Late Wednesday, the White House pressed its case for new cybersecurity standards with a classified administration briefing that pointed to the inadequacy of the U.S. government's current cybersecurity authorities, an administration official said. The briefing for senators from top intelligence and national security officials focused on how the U.S. would respond to a cyberattack on its infrastructure.

While the congressional proposals aim to improve U.S. cyberdefenses, they wouldn’t address the key policy gap the commission identified: In the event of a cyberattack during a conflict with China, there is no standard U.S. policy for responding proportionally when the U.S. can’t clearly prove who carried out the attack.

China’s military, the People’s Liberation Army, has been intensifying its focus on cyberwarfare, the report concluded.

Chinese military leaders appear to have reached agreement on the importance of developing tactics and techniques to pursue “information confrontation” against their adversaries in concert with traditional military means, according to the commission report.

The PLA now regularly incorporates cyberattack and defensive techniques into its national military exercises, as it has done for the past three years, the report says. Yet, some Chinese military officials have acknowledged gaps in current capabilities, including technical issues like incompatible software systems.

The commission also found that the Chinese government is funding research at 50 civilian universities to bolster cyberattack and defensive capabilities.

The report examined how China would likely respond in the event of heightened military tensions with the U.S. The Chinese would first seek to check and enhance the cyber-surveillance mechanisms they have already hidden in U.S. military-communications systems, according to the report.

Chinese military operatives would then identify targets of opportunity, which likely would include U.S. military commands and the contractors that serve them, the report found.

The Chinese government regularly denies allegations of cyberspying and has called the U.S.-China commission a “product of Cold War mentality.”

The commission report depicts the U.S. as a rich target for cyberattacks, particularly its telecommunications systems. There are few mechanisms to ensure that key pieces of equipment aren’t tampered with from the time they are manufactured to the time they end up in U.S. government networks or in key pieces of U.S. infrastructure.

A typical Internet router, it found, has components made in 16 locations, many in China, which all could provide avenues for meddling. Similarly, once the equipment is manufactured, there are few controls on the distribution process, which provides additional opportunities for security breaches.

The White House is addressing similar concerns about the integrity of U.S. telecommunications. The Obama administration is in the middle of an exhaustive survey of the U.S. telecommunications supply chain. The House intelligence committee is investigating Chinese telecommunications companies and their efforts to gain access to U.S. markets.

The commission report warns that Chinese telecommunications firms receive support from the Chinese government and maintain relationships with the PLA, so they could be used to assist the Chinese government with cyber-warfare research, training, and cyber-surveillance.

Some of those firms, like Huawei Technologies Co., have denied any link to the Chinese government.