http://www.politico.com/agenda/story/2015/12/china-us-cyber-attack-hacks-000332
China's hackers aren't delicate cat burglars. They're smash-and-grab artists helping build an economy, and that makes the Chinese hacking problem harder to fix than you think.
By Joseph Marks
When it comes to global cyberthreats, you could say there’s the whole rest of the world, and then there’s China. The victims of Chinese hacking cover every sector of the U.S. economy, from banks and tech firms to energy giants and government agencies.
Chinese hackers have been linked to the theft of 80 million Social Security numbers from the insurer Anthem, and most likely lifted the sensitive security clearance information on nearly 20 million Americans stored by the Office of Personnel Management. China allegedly stole plans for the F-35 fighter jet from Lockheed Martin, and analysts believe that the newest version of the Chinese military’s J-31 fighter jet, manufactured by Shenyang Aircraft Corporation, incorporates some of what they learned.
FBI Director James Comey declared on “60 Minutes” last year that there are “two kinds of big companies in the United States…those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
The scale of the threat may evoke images of a well-trained Chinese cyber army, carefully probing our weaknesses, sneaking in under virtual dark of night and making off with this or that scrap of data until, before we know it, we’re totally owned. But the truth, experts tell POLITICO, is less James Bond and more Tony Soprano. While Russian hackers are known for technical expertise and precision, sneaking cat-like through computer systems, Chinese hackers, often linked to the People’s Liberation Army, opt for smash-and-grab operations, breaking in and vacuuming up as much information as possible before they’re spotted and flushed out. Justin Harvey, chief security officer at the cybersecurity firm Fidelis, calls it “the path of least resistance.”
What’s actually going on, it is emerging, is a pattern more comprehensive than bits of cat burglary or a series of careful tactical attacks—and more difficult to deal with. Commercial hacking is a fundamental part of China’s economic strategy, observers say. The long-range goal: to steal its way to superpower status.
With its extensive history of blunt, state-sponsored theft of innovations in software, hardware, entertainment and other fields, our second-largest trading partner has built an industrial base so dependent on cyber intrusion that it’s not clear how easily the nation will be weaned off of it.
Despite the enormous scope of Chinese hacking, officials there have never acknowledged that the nation practices cyber theft. Thanks to the shady nature of cyberspace, where hackers can conceal their identities by bouncing off servers in multiple nations, it’s difficult to prove in many cases that they’re lying—especially without revealing the equally shady tricks the U.S. intelligence community uses to uncover such information. So, we’re left with a quandary: How do you convince a nation to stop doing something when it’s exceedingly difficult to prove it’s doing that thing in the first place?
TO BE FAIR to China, theft has been a part of many nations’ development. During the 19th century, for example, U.S. merchants benefited greatly from textile technology lifted from England, according to Peter Andreas, a Brown University political science professor. American publishers also routinely stole the work of famous British authors and sold it without any permission.
When you take the long view of Chinese hacking, say many observers, what you’re seeing is less a form of aggression than a long, multi-front effort by a nation of a billion people to play catch-up. Most cyber experts trace the roots of Chinese cyber espionage to the communist nation’s opening to the West in the 1980s, when it discovered it was significantly behind the times. “The Chinese might not say this publicly, but they felt as if Mao had taken 40 years out of their economic development,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies and a former official in the State and Commerce Departments. “They had to catch up, and the quickest way to do that is to take technology from Western companies.”
Chinese cyber espionage began in earnest in the early 2000s, aimed mostly at U.S. defense contractors and bolstered by the development of high-speed Internet, which aided rapid extraction of U.S. companies’ data. Around 2008 and 2009, Chinese hackers began to focus much more substantially on other commercial sectors. By 2012, when then-NSA Director Keith Alexander described Chinese hacking as the “greatest transfer of wealth in history,” Chinese targets had spread through every major industry. Other victims include United Airlines, U.S. Steel, Alcoa, Westinghouse and, in 2008, the presidential campaigns of future-President Barack Obama and Republican nominee John McCain.
Though conducted behind a shroud of secrecy, Chinese hacking is crude enough that American officials and private cyber firms have begun to draw a fairly clear picture of its sources. Much of the hacking is conducted by the PLA and the Chinese intelligence agency, the Ministry of State Security. But it’s not purely a government operation: PLA hackers are also known to work during their off hours for private hacking operations, delivering their hauls straight to Chinese companies without direct state involvement.
Chinese state media claimed after a recent meeting between U.S. and Chinese officials that the OPM hack was just such a criminal operation, though U.S. officials, who say they’ve reached relative certainty about the source of the OPM breach, have declined to comment on that attribution.
In more recent years, the Chinese target list has expanded to include NGOs and research universities, said Harvey, who formerly worked for Mandiant, a cybersecurity firm that definitively traced hacking activities to an elite unit of the People’s Liberation Army in a landmark 2013 report.
China’s ambition is also taking it beyond purely economic targets. It is also, remarkably, poaching policy ideas and much more boring-seeming know-how. “Because they grew up so fast, they had to play catch-up in a lot of sectors,” Harvey said. “In commercial aviation, it’s not just about stealing the [intellectual property] for the jets and the engines. It’s about how do you create a supply chain? How do you project manage? What sort of people do you hire and how do you train and retain them?”
In the NGO sector, Harvey said, he’s observed Chinese cybertheft targeted at learning how to manage peacekeeping operations and other responsibilities that have nothing to do with growing an economy, but everything to do with an ambitious country taking its place among the world’s leading nations.
IN ONE SENSE, this economic cyber conflict can feel considerably less scary than a more physical threat—the sort of cyberwars envisioned by movies, where one mouse click can shut the lights off along the Eastern Seaboard or erase all the records from the global financial system. But its nuances make it harder to manage in some ways. Given the immense trading relationship between the U.S. and China, a host of global issues in which the U.S. is seeking Chinese cooperation and other areas of conflict, the U.S. has been slow to make Chinese hacking a priority.
Alexander’s 2012 comments were followed by a 2013 speech from Obama’s National Security Adviser Tom Donilon, who described “cyber intrusions emanating from China on an unprecedented scale” and warned “the international community cannot afford to tolerate such activity from any country.” In May 2014, the Justice Department indicted five PLA members for hacking U.S. companies.
The indictments infuriated Chinese officials and caused them to bolt a bilateral cyber dialogue. But in the absence of a counterstrike, the kind of retaliation that could cause real damage to the Chinese economy, it appeared to have little effect, and the hacks continued unabated. “I think they got the impression at some point that we didn’t care, that we weren’t going to do anything to reverse this,” Lewis said. “Getting the Chinese to feel this isn’t penalty free has been the single biggest problem.”
The problem is not that the U.S. government doesn’t recognize the seriousness of Chinese hacking, but it’s difficult to find a large enough constituency to tackle it. The field of battle for this conflict is the private sector, but many victim firms in the U.S. are largely silent on the issue because they value easy access to China’s vast market more highly than protecting their own trade secrets.
From left: FBI Director James Comey, CIA Director John Brennan and Director of National Intelligence James Clapper testify about "World Wide Cyber Threats" before the House (Select) Intelligence Committee in 2015.| Getty
That leaves the government to respond, but the U.S.-China relationship is so complex that commercial hacking often takes a backseat to other concerns such as securing Chinese cooperation on efforts to combat climate change and to halt the Iranian nuclear program, or pressing the Chinese on currency manipulation or their maritime disputes with neighbors.
Top officials understand the importance of resolving the cyber conflict, people familiar with the negotiations say, but when it comes down to writing up the agenda for a bilateral meeting between the nations, cyber often falls lower on the list—and, perhaps, rightly so.
“Cyber is typically fourth, fifth or sixth on the agenda,” Harvey said, “and if the administration is using their levers to get change there, they’re typically being burned on other, higher priorities.”
DIPLOMATICALLY, THE U.S.’S current tack relies on a two-part approach, with hard talk at one end and the threat of sanctions at the other. The first part of the equation came in April, when the Obama administration unveiled a new sanctions authority targeting companies that benefit from commercial cyber theft. The authority, which has not yet been used, allows the Treasury Department to freeze those firms’ U.S. assets and bar their executives from visiting the U.S. The authority, which was modeled on sanctions against terrorist financing and proliferators of nuclear, chemical or biological weapons, can also target individuals.
During the buildup to a September White House visit by Chinese President Xi Jinping, U.S. officials strongly hinted that Chinese companies and individuals may be the first targets of those sanctions, hoping to pressure the Chinese into striking some kind of deal. They got what they wanted. In a joint statement following the visit, Obama and Xi pledged that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
This was the first time a Chinese leader had made such a pledge, and it soon spread. Weeks later, Xi made a similar no-commercial hacking pledge with British Prime Minister David Cameron, and China and Germany plan to reach a similar deal next year. In November, leaders of the Group of 20 major world economies pledged in their final communique following the G-20’s annual meeting in Ankara, Turkey, that none of the nations would hack for economic gain.
Even the agreement’s chief proponents, however, have expressed skepticism that China will honor it, saying that hacking is too deeply embedded in the fiber of the Chinese economy, that Xi alone won’t be able to shift direction even if he wants to and that hacking operations will simply shift further outside the government’s grasp where they’ll be less controlled and more difficult to attribute.
Harvey, a self-described skeptic of the U.S.-China deal, points out that Chinese economic growth now actually depends on a constant stream of new Western intellectual property to remain competitive. That suggests the hacking won’t stop until the nation has developed more domestic sources of innovation.
“They haven’t built the level of infrastructure to support the level of IP they’ve stolen,” he said. “If you steal something and manufacture it, it’s going to be out of date in two or three years. What are you going to do for version 2?”
CSIS’s James Lewis, who’s among the most optimistic analysts regarding the agreement, describes it as “the beginning of the story on how the Chinese and we work together to manages this problem,” rather than the end. Though he’s optimistic the agreement will be fruitful, Lewis speculated the U.S. will ultimately sanction some Chinese targets and that there will be many more tense meetings before Chinese hacking falls to a level U.S. officials decide they can tolerate.
He noted that the U.S. aided its cause by couching the agreement in anti-corruption language, which has been a signature campaign during Xi’s three years atop the Chinese Communist Party. Xi has also pushed to modernize the PLA, which would dovetail with shifting away from commercial espionage operations, Lewis said. It’s unclear how much Chinese commercial hacking is directly managed by the PLA, so even if top leadership fully intends to reduce it, the shift may be slow, he said.
“I can imagine an internal argument that the IP theft isn’t actually all that useful, that it’s not the way to encourage innovation domestically,” said Adam Segal, a China scholar and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. “I can also imagine foreign policy factions that say we have to swing back to a more cooperative relationship with the U.S. and Europe and cybersecurity is an unnecessary irritant.”
Another possibility is that China’s own vulnerability—“by many measures, they are the largest victim of cyber crime,” Segal said—may push its leaders to conclude that it’s more important to cooperate with other nations on combating cyber crime than to alienate those nations by hacking their companies.
The U.S. could press this outcome by being more responsive to Chinese requests for assistance investigating cyber crimes, Segal said, noting that Chinese officials frequently complain the FBI is unresponsive to such requests.
This concern about China’s vulnerability to cyber crime will become particularly compelling as the nation develops internal sources of commercial innovation and has intellectual property and trade secrets it’s eager to protect, experts noted. That day may still be far in the future, though.
“China will stop when they want to and on their own terms and their own timeline,” Harvey said. “I just don’t see China being at the point right now where they can fly on their own. They still have training wheels on.”
By Joseph Marks
When it comes to global cyberthreats, you could say there’s the whole rest of the world, and then there’s China. The victims of Chinese hacking cover every sector of the U.S. economy, from banks and tech firms to energy giants and government agencies.
Chinese hackers have been linked to the theft of 80 million Social Security numbers from the insurer Anthem, and most likely lifted the sensitive security clearance information on nearly 20 million Americans stored by the Office of Personnel Management. China allegedly stole plans for the F-35 fighter jet from Lockheed Martin, and analysts believe that the newest version of the Chinese military’s J-31 fighter jet, manufactured by Shenyang Aircraft Corporation, incorporates some of what they learned.
FBI Director James Comey declared on “60 Minutes” last year that there are “two kinds of big companies in the United States…those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
The scale of the threat may evoke images of a well-trained Chinese cyber army, carefully probing our weaknesses, sneaking in under virtual dark of night and making off with this or that scrap of data until, before we know it, we’re totally owned. But the truth, experts tell POLITICO, is less James Bond and more Tony Soprano. While Russian hackers are known for technical expertise and precision, sneaking cat-like through computer systems, Chinese hackers, often linked to the People’s Liberation Army, opt for smash-and-grab operations, breaking in and vacuuming up as much information as possible before they’re spotted and flushed out. Justin Harvey, chief security officer at the cybersecurity firm Fidelis, calls it “the path of least resistance.”
What’s actually going on, it is emerging, is a pattern more comprehensive than bits of cat burglary or a series of careful tactical attacks—and more difficult to deal with. Commercial hacking is a fundamental part of China’s economic strategy, observers say. The long-range goal: to steal its way to superpower status.
With its extensive history of blunt, state-sponsored theft of innovations in software, hardware, entertainment and other fields, our second-largest trading partner has built an industrial base so dependent on cyber intrusion that it’s not clear how easily the nation will be weaned off of it.
Despite the enormous scope of Chinese hacking, officials there have never acknowledged that the nation practices cyber theft. Thanks to the shady nature of cyberspace, where hackers can conceal their identities by bouncing off servers in multiple nations, it’s difficult to prove in many cases that they’re lying—especially without revealing the equally shady tricks the U.S. intelligence community uses to uncover such information. So, we’re left with a quandary: How do you convince a nation to stop doing something when it’s exceedingly difficult to prove it’s doing that thing in the first place?
TO BE FAIR to China, theft has been a part of many nations’ development. During the 19th century, for example, U.S. merchants benefited greatly from textile technology lifted from England, according to Peter Andreas, a Brown University political science professor. American publishers also routinely stole the work of famous British authors and sold it without any permission.
When you take the long view of Chinese hacking, say many observers, what you’re seeing is less a form of aggression than a long, multi-front effort by a nation of a billion people to play catch-up. Most cyber experts trace the roots of Chinese cyber espionage to the communist nation’s opening to the West in the 1980s, when it discovered it was significantly behind the times. “The Chinese might not say this publicly, but they felt as if Mao had taken 40 years out of their economic development,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies and a former official in the State and Commerce Departments. “They had to catch up, and the quickest way to do that is to take technology from Western companies.”
Chinese cyber espionage began in earnest in the early 2000s, aimed mostly at U.S. defense contractors and bolstered by the development of high-speed Internet, which aided rapid extraction of U.S. companies’ data. Around 2008 and 2009, Chinese hackers began to focus much more substantially on other commercial sectors. By 2012, when then-NSA Director Keith Alexander described Chinese hacking as the “greatest transfer of wealth in history,” Chinese targets had spread through every major industry. Other victims include United Airlines, U.S. Steel, Alcoa, Westinghouse and, in 2008, the presidential campaigns of future-President Barack Obama and Republican nominee John McCain.
Though conducted behind a shroud of secrecy, Chinese hacking is crude enough that American officials and private cyber firms have begun to draw a fairly clear picture of its sources. Much of the hacking is conducted by the PLA and the Chinese intelligence agency, the Ministry of State Security. But it’s not purely a government operation: PLA hackers are also known to work during their off hours for private hacking operations, delivering their hauls straight to Chinese companies without direct state involvement.
Chinese state media claimed after a recent meeting between U.S. and Chinese officials that the OPM hack was just such a criminal operation, though U.S. officials, who say they’ve reached relative certainty about the source of the OPM breach, have declined to comment on that attribution.
In more recent years, the Chinese target list has expanded to include NGOs and research universities, said Harvey, who formerly worked for Mandiant, a cybersecurity firm that definitively traced hacking activities to an elite unit of the People’s Liberation Army in a landmark 2013 report.
China’s ambition is also taking it beyond purely economic targets. It is also, remarkably, poaching policy ideas and much more boring-seeming know-how. “Because they grew up so fast, they had to play catch-up in a lot of sectors,” Harvey said. “In commercial aviation, it’s not just about stealing the [intellectual property] for the jets and the engines. It’s about how do you create a supply chain? How do you project manage? What sort of people do you hire and how do you train and retain them?”
In the NGO sector, Harvey said, he’s observed Chinese cybertheft targeted at learning how to manage peacekeeping operations and other responsibilities that have nothing to do with growing an economy, but everything to do with an ambitious country taking its place among the world’s leading nations.
IN ONE SENSE, this economic cyber conflict can feel considerably less scary than a more physical threat—the sort of cyberwars envisioned by movies, where one mouse click can shut the lights off along the Eastern Seaboard or erase all the records from the global financial system. But its nuances make it harder to manage in some ways. Given the immense trading relationship between the U.S. and China, a host of global issues in which the U.S. is seeking Chinese cooperation and other areas of conflict, the U.S. has been slow to make Chinese hacking a priority.
Alexander’s 2012 comments were followed by a 2013 speech from Obama’s National Security Adviser Tom Donilon, who described “cyber intrusions emanating from China on an unprecedented scale” and warned “the international community cannot afford to tolerate such activity from any country.” In May 2014, the Justice Department indicted five PLA members for hacking U.S. companies.
The indictments infuriated Chinese officials and caused them to bolt a bilateral cyber dialogue. But in the absence of a counterstrike, the kind of retaliation that could cause real damage to the Chinese economy, it appeared to have little effect, and the hacks continued unabated. “I think they got the impression at some point that we didn’t care, that we weren’t going to do anything to reverse this,” Lewis said. “Getting the Chinese to feel this isn’t penalty free has been the single biggest problem.”
The problem is not that the U.S. government doesn’t recognize the seriousness of Chinese hacking, but it’s difficult to find a large enough constituency to tackle it. The field of battle for this conflict is the private sector, but many victim firms in the U.S. are largely silent on the issue because they value easy access to China’s vast market more highly than protecting their own trade secrets.
From left: FBI Director James Comey, CIA Director John Brennan and Director of National Intelligence James Clapper testify about "World Wide Cyber Threats" before the House (Select) Intelligence Committee in 2015.| Getty
That leaves the government to respond, but the U.S.-China relationship is so complex that commercial hacking often takes a backseat to other concerns such as securing Chinese cooperation on efforts to combat climate change and to halt the Iranian nuclear program, or pressing the Chinese on currency manipulation or their maritime disputes with neighbors.
Top officials understand the importance of resolving the cyber conflict, people familiar with the negotiations say, but when it comes down to writing up the agenda for a bilateral meeting between the nations, cyber often falls lower on the list—and, perhaps, rightly so.
“Cyber is typically fourth, fifth or sixth on the agenda,” Harvey said, “and if the administration is using their levers to get change there, they’re typically being burned on other, higher priorities.”
DIPLOMATICALLY, THE U.S.’S current tack relies on a two-part approach, with hard talk at one end and the threat of sanctions at the other. The first part of the equation came in April, when the Obama administration unveiled a new sanctions authority targeting companies that benefit from commercial cyber theft. The authority, which has not yet been used, allows the Treasury Department to freeze those firms’ U.S. assets and bar their executives from visiting the U.S. The authority, which was modeled on sanctions against terrorist financing and proliferators of nuclear, chemical or biological weapons, can also target individuals.
During the buildup to a September White House visit by Chinese President Xi Jinping, U.S. officials strongly hinted that Chinese companies and individuals may be the first targets of those sanctions, hoping to pressure the Chinese into striking some kind of deal. They got what they wanted. In a joint statement following the visit, Obama and Xi pledged that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
This was the first time a Chinese leader had made such a pledge, and it soon spread. Weeks later, Xi made a similar no-commercial hacking pledge with British Prime Minister David Cameron, and China and Germany plan to reach a similar deal next year. In November, leaders of the Group of 20 major world economies pledged in their final communique following the G-20’s annual meeting in Ankara, Turkey, that none of the nations would hack for economic gain.
Even the agreement’s chief proponents, however, have expressed skepticism that China will honor it, saying that hacking is too deeply embedded in the fiber of the Chinese economy, that Xi alone won’t be able to shift direction even if he wants to and that hacking operations will simply shift further outside the government’s grasp where they’ll be less controlled and more difficult to attribute.
Harvey, a self-described skeptic of the U.S.-China deal, points out that Chinese economic growth now actually depends on a constant stream of new Western intellectual property to remain competitive. That suggests the hacking won’t stop until the nation has developed more domestic sources of innovation.
“They haven’t built the level of infrastructure to support the level of IP they’ve stolen,” he said. “If you steal something and manufacture it, it’s going to be out of date in two or three years. What are you going to do for version 2?”
CSIS’s James Lewis, who’s among the most optimistic analysts regarding the agreement, describes it as “the beginning of the story on how the Chinese and we work together to manages this problem,” rather than the end. Though he’s optimistic the agreement will be fruitful, Lewis speculated the U.S. will ultimately sanction some Chinese targets and that there will be many more tense meetings before Chinese hacking falls to a level U.S. officials decide they can tolerate.
He noted that the U.S. aided its cause by couching the agreement in anti-corruption language, which has been a signature campaign during Xi’s three years atop the Chinese Communist Party. Xi has also pushed to modernize the PLA, which would dovetail with shifting away from commercial espionage operations, Lewis said. It’s unclear how much Chinese commercial hacking is directly managed by the PLA, so even if top leadership fully intends to reduce it, the shift may be slow, he said.
“I can imagine an internal argument that the IP theft isn’t actually all that useful, that it’s not the way to encourage innovation domestically,” said Adam Segal, a China scholar and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. “I can also imagine foreign policy factions that say we have to swing back to a more cooperative relationship with the U.S. and Europe and cybersecurity is an unnecessary irritant.”
Another possibility is that China’s own vulnerability—“by many measures, they are the largest victim of cyber crime,” Segal said—may push its leaders to conclude that it’s more important to cooperate with other nations on combating cyber crime than to alienate those nations by hacking their companies.
The U.S. could press this outcome by being more responsive to Chinese requests for assistance investigating cyber crimes, Segal said, noting that Chinese officials frequently complain the FBI is unresponsive to such requests.
This concern about China’s vulnerability to cyber crime will become particularly compelling as the nation develops internal sources of commercial innovation and has intellectual property and trade secrets it’s eager to protect, experts noted. That day may still be far in the future, though.
“China will stop when they want to and on their own terms and their own timeline,” Harvey said. “I just don’t see China being at the point right now where they can fly on their own. They still have training wheels on.”
No comments:
Post a Comment