Can the U.S. rein in China’s voracious theft of secrets online?
For more than a decade, a relentless campaign by China to steal valuable, confidential information from U.S. corporations flourished with barely a peep from Washington. And now it might never be stopped.
The secret online assault was well understood by the Clinton and Bush administrations. The program’s scope was confirmed in a 2009 classified inquiry that discovered Chinese hackers—many of them traced to facilities connected to the People’s Liberation Army—had penetrated not only all of the corporate computer networks analyzed, but also every examined computer system used by U.S. state or federal agencies.
Still, the State Department warned—as it had for years—that publicly confronting China over its online economic warfare would damage relations with Beijing, so American government statements about the hacking did not disclose the scope of China’s efforts. It was not until October 2011 that the Obama administration pulled back the curtain a bit on a single page of a little-noticed public report by the Office of the National Intelligence Executive. But that muted warning bell did nothing to slow the hacking or to create greater concern on Capitol Hill, and Washington’s demands that China rein in its hacking continued to be delivered quietly in diplomatic tête-à-têtes.
All that changed early this year. In January, The New York Times reported that Chinese hackers had infiltrated its computers after Beijing threatened “consequences” if the newspaper published an unflattering article about the country’s prime minister. In February, Mandiant, a security firm, disclosed that hackers from the Chinese military unit 61398 had stolen data from scores of American companies and agencies. In March, Tom Donilon, then the national security advisor to President Barack Obama, publicly urged China to curtail its cyber activities. Then, administration officials leaked classified details of a Pentagon report that Chinese hackers had obtained designs for scores of the nation’s most sensitive advanced-weapons systems, including some critical to missile defenses and combat aircraft.
China’s protests that it did not engage in hacking were waved aside by Washington, which pushed forward with a plan to publicly confront its leaders. In May, Donilon flew to Beijing to meet senior government officials there and set the framework for a summit between Obama and Chinese President Xi Jinping; Donilon and other American officials made it clear they would demand that hacking be a prime topic of conversation. By finally taking the step of putting public—and, most likely, international—pressure on the Chinese to rein in their cyber tactics, the administration believed it was about to take a critical step in taming one of the biggest threats to America’s economic security.
But it didn’t happen. The administration’s attempt to curb China’s assault on American business and government was crippled—perhaps forever, experts say—by a then-unknown National Security Agency contractor named Edward Snowden.
Snowden’s clandestine efforts to disclose thousands of classified documents about NSA surveillance emerged as the push against Chinese hacking intensified. He reached out to reporters after the public revelations about China’s surveillance of the Times’ computers and the years of hacking by Unit 61398 into networks used by American businesses and government agencies. On May 24, in an email from Hong Kong, Snowden informed a Washington Post reporter to whom he had given documents that the paper had 72 hours to publish them or he would take them elsewhere; had the Post complied, its story about American computer spying would have run on the day Donilon landed in Beijing to push for Chinese hacking to be on the agenda for the presidential summit.
The first report based on Snowden’s documents finally appeared in The Guardian on June 5, two days before the Obama-Xi meeting, revealing the existence of a top-secret NSA program that swept up untold amounts of data on phone calls and Internet activity. When Obama raised the topic of hacking, administration officials say, Xi again denied that China engaged in such actions, then cited The Guardian report as proof that America should not be lecturing Beijing about abusive surveillance. “Snowden couldn’t have played better into China’s strategy for protecting its cyber activities if he had been doing it on purpose,” one U.S. intelligence official says.
Snowden’s revelations quickly veered away from what he called the NSA’s “domestic surveillance state” to overseas espionage by the United States. After fleeing to Hong Kong, he provided local reporters with NSA documents and told them the United States was hacking major Chinese telecommunications companies, a Beijing university, and the corporate owner of the region’s most extensive fiber-optic submarine cable network. That information, government officials and industry experts say, is now used by the Chinese to deflect criticism, both in meetings with the U.S. administration and at cyber security conferences.
The activities of the two sides, however, are vastly different in scope and intent. The United States engages in widespread electronic espionage, but that classified information cannot legally be handed over to private industry. China is using its surveillance to steal trade secrets, harm international competitors, and undermine American businesses.
China says that after Snowden, America should not be lecturing anyone about surveillance.
“Snowden changed the argument from one of ‘The Chinese are doing this, it’s intolerable’ to ‘Look, the U.S. government spies, so everybody spies,’” says Richard Bejtlich, chief security officer at Mandiant, the firm that linked hacking intrusions in America to the Chinese military. “Of course the U.S. spies, but none of what the U.S. is doing is benefiting American business, and pretty much everything the Chinese are doing is benefiting Chinese businesses.”
China does not limit its computer espionage to America: All of western Europe, Australia, Japan, and other industrialized nations have been targeted—a fact the Obama administration had hoped to leverage into unified international pressure against Beijing. But subsequent Snowden disclosures about American surveillance of allied countries and world leaders (including German Chancellor Angela Merkel) have robbed the U.S. of the ability to persuade other countries to join it in condemning China.
“I don’t think that point is going to win the day with Angela Merkel anymore,” says Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a national-security think tank in Washington. “Certainly no one cares anymore about our whining about Chinese espionage. The time we had for making the case on that is long gone. Internationally, I don’t see how we recover.”
Some security industry and former intelligence officials say they originally believed Snowden’s apparent outrage at espionage by governments might lead him to expose activities by the Chinese, who use their hacking skills not only for economic competition but to track and damage dissidents overseas and monitor their citizens. There was good reason to believe Snowden had plenty of details about Beijing’s activities—he has publicly stated that as an NSA contractor he targeted Chinese operations and taught a course on Chinese cyber counterintelligence. And while he says he turned over his computerized files of NSA documents to journalists in Hong Kong, he boasts that he is so familiar with Chinese hacking techniques that there is no chance the government there can gain access to his classified material.
But outside of American intelligence operations conducted there, Snowden has revealed nothing about surveillance and hacking in China, nor about the techniques he asserts he knows so well.
And there is plenty to disclose. The threat of Chinese espionage is so large that U.S. Sen. Sheldon Whitehouse, who chaired the Intelligence Committee’s Cyber Task Force, proclaimed it to be part of “the biggest transfer of wealth through theft and piracy in the history of mankind.”
The major impetus behind China’s use of hacking as an economic and military strategy came in the wake of the Gulf War in 1991. At the time, both Iraq and China had a similar strategy: They believed that having enough armor, weapons, and fighters could deter any military assault. But the United States and its allies swept aside the Iraqi military almost effortlessly. The strategy of relying on large masses of equipment wouldn’t work against the technological sophistication of American weaponry, leaving China solely with nuclear weapons as a counter to any conventional confrontation—a position no rational military strategist would want to adopt.
“Imagine being a [People’s Liberation Army] planner watching that war unfold and realizing your strategy didn’t match up with the adversary you wanted to match up against,” says Stewart A. Baker, former assistant secretary for policy at the Department of Homeland Security and former general counsel to the NSA.
Recognizing that it could not compete on the battlefield against America’s military, China turned to hacking. Late in 1991, Chinese leaders began to spend a massive amount of money to develop, acquire and field advanced cyber technology in the government, the military, and the civilian sector. If the Americans had better technology, the Chinese would take it; if they attempted to attack, Beijing would fight back in ways the United States couldn’t predict.
“Twenty years after Iraq, China has stealth fighters stolen with hacker techniques, designs for its carriers, and can pick and choose from all the research the United States has paid for,” Baker says. “If we find ourselves in a serious conflict with a nation with those capabilities, we could find ourselves threatening cruise missile strikes and discover that hackers shut off all the power in New York” as a warning of how much power they have to disrupt and inflict damage—potentially including the American weapons reliant on computers to operate.
China is using information hacked from U.S. companies to shore up its own private sector.
In its economic hacking, the Chinese go far beyond stealing information from American defense contractors. “If you have an information system connected to the Internet and you have information that is of great interest to China, they probably have it already,” says Martin Libicki, a senior management scientist at the Rand Corporation who specializes in the impact of IT on domestic and national security.
Plenty of American companies have learned that lesson. As a result, cyber security experts say, some companies are now contacting them for help rooting out hackers, not because they have experienced any problems but simply because they have Chinese corporate competitors. “That’s different from what it was three years ago when people thought it was make-believe,” says Tim Ryan, who ran the FBI’s largest cyber squad and is now managing director of the cyber practice at Kroll. “Some organizations know they’ll be in the crosshairs of Chinese hackers and want to start looking. And the number of times hackers are found is really high.”
In the last few years, dozens of companies—including some in high-tech, energy, and finance—have reported that their computer systems were hacked and their proprietary data stolen by the Chinese government. In 2010, for example, Google disclosed that it had been the target of an attack involving malicious software, dubbed Aurora. The attack was used to set up a virtual information “buffet”—the hackers examined Gmail for information on political dissidents and to see if U.S. law enforcement was monitoring the accounts of Chinese spies in America. The Chinese also loaded up their plates with intellectual property related to services and products, such as search engine technology, and passed that to Google’s Chinese competitors. And the attack wasn’t limited to Google—security industry executives say Aurora struck hundreds, if not thousands, of companies.
The bad news on top of all the bad news? Knowing that the espionage is taking place doesn’t help much—there are no widely used technological fixes available to prevent a network infiltration. “There’s a lack of good mitigation options in the U.S. in terms of stopping the attacks,” says Kenneth Geers, senior global threat analyst with FireEye, a company that specializes in protecting clients against advanced cyber attacks. “Cyber defense is a new and immature discipline that has a long way to go.”
Despite the threat to corporate secrets, strategies, and intellectual property posed by Chinese hackers, experts say, plenty of businesses discount the threat, leaving them open to damage. “Many companies have not paid serious attention to securing their networks,” says James A. Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies. “This means that it is very easy for Chinese hackers to extract intellectual property from companies in the U.S. and around the world.”
This is not simply a matter of which companies have the most sales, security industry officials say. If an American business invests hundreds of millions of dollars in developing an industrial product only to see the work stolen, if it creates a trading strategy only to have Chinese businesses take advantage of it, if it pays for customer research only to have it go to a competitor, it will eventually die.
“I don’t know what the tipping point is, but a parasite can always kill the host,” says Jeffrey Caton, president of Kepler Strategies, a consulting firm on aerospace, cyberspace, and national security issues. “The long-term effects could be stagnation in research and development, or eventually companies going out of business in the U.S.”
Now, though, with the world raging about the NSA secrets exposed by Snowden, the threat to American companies by Chinese hacking is being ignored once again, opening up the possibility that the threat that for so many years raised so much concern behind closed doors in Washington could now grow more destructive than ever. “It certainly seems that China is in a position to act with far more impunity because the United States and other nations are distracted by the NSA spying scandal,” Healey says. “The American private sector was already having it bad before. Now it is only going to get worse.”
From our Nov. 22, 2013, issue.