By charging five Chinese officials with hacking into U.S. companies and stealing trade secrets, the Justice Dept. has added a new dimension to America’s national-security strategy. Yet the danger posed to the nation and its business sector may be far greater than even the government lets on.
The indictment issued by a federal grand-jury identifies six U.S. organizations allegedly victimized by Chinese hackers: Westinghouse Electric, Alcoa (AA), U.S. Steel (X), Allegheny Technologies (ATI), U.S. subsidiaries of the German firm Solar World, and a tradeworkers’ union. The indictment highlights numerous incidents in which the hackers supposedly broke into corporate computer systems and stole files, email messages and other documents containing valuable trade secrets. That information allowed Chinese competitors to underprice the U.S. firms, build comparable capabilities and develop other advantages.
While the indictment focuses on industrial firms, however, cybersecurity experts say most U.S. companies are vulnerable to foreign hacking, and many have proprietary data stolen without even knowing it.
“What companies have to realize is, while we’re waiting for a cyber Pearl Harbor that may become a national problem, companies have a problem every day,” Richard Clarke, CEO of Good Harbor Security Risk Management and a former U.S. counterterrorism official, said at a recent Milken Institute conference. “What you’re losing every day is intellectual property, research and development, and business intelligence, and you’re losing money because they create accounts payable and send money offshore.”
Foreign spy agencies have always played cat-and-mouse with their American counterparts, using any means available. What’s relatively new is the effort by China to use military cyberspies — especially a group known as Unit 61398 of the People’s Liberation Army, based in Shanghai — to steal gargantuan amounts of data from U.S. and Western firms. The PLA unit passes such information to Chinese companies — many controlled by the ruling communist party — so they can rapidly build their own capabilities in defense, aerospace, energy, technology and many other sectors as China strives to become a global superpower on par with the United States.
From traditional espionage to cyber theft
A 2013 White House report identified the shift from traditional corporate espionage to cyber-based theft, while identifying U.S. firms such as Ford (F), General Motors (GM), DuPont (DD), Goldman Sachs (GS) and Motorala (MSI) as victims. Another 2013 report, by the private security firm Mandiant, was the first big public accounting of Chinese corporate espionage efforts emanating from the PLA and Unit 61398. At the time, Mandiant said it had identified at least 150 U.S. business organizations targeted by Chinese hackers — but that only included firms it had done business with. A complete tally is probably much higher. Such attacks are stealthy by nature, and therefore hard to quantify, in contrast to cybersabotage carried out by groups such as Anonymous, which are typically meant to generate publicity for a cause.
Mandiant says a typical corporate cyberattack goes on for about 230 days before the company realizes something is wrong. In one case, spies spent more than six years lurking inside a company’s computer network before being discovered. A recent survey by the Secret Service found three-quarters of U.S. companies that had been hacked didn’t know about it until the government told them. Clarke says one company, which he won’t identify, spent eight years doing $1.2 billion worth of R&D work — which Chinese spies vacuumed up in one day.
“That’s not atypical, it’s typical,” he warns. “How are you going to win when you pay for the R&D and your competitor gets it for nothing?”
There seems to be a careful rationale determining which western companies Chinese hackers target. “The government calls out specific areas they want to invest in,” says Jen Weedon of FireEye (FEYE), a cybersecurity firm that acquired Mandiant last year. “Their targeting generally dovetails with industries they deem of strategic importance.”
After the Japanese nuclear disaster in 2011, for instance, Chinese authorities emphasized a need for greater safety at the country’s own nuclear plants — and FireEye noticed an increase in hacking attacks on Western companies that specialize in such technology. In addition to Fortune 500 firms, Chinese hackers have also targeted nonprofits, news organizations and smaller research outfits when they’re doing work that might relate to China.
For any CEO, it’s worth keeping in mind that firms selling cybersecurity services have an interest in making the threat sound dire. Yet reports of Chinese cyberstealing mesh with the nation’s well-known disregard for intellectual property rights and the piracy of everything from military aircraft to Microsoft software to Hollywood movies. The Chinese, for their part, routinely deny they engage in cyberspying and sometimes point out that America itself stole many trade secrets from Britain and elsewhere in the 1800s, as it was growing into a world power much like China is today.
In a statement responding to the federal indictment, China's foreign ministry also claimed that China itself is a "victim of U.S. cyber surveillance and theft." That may very well be true.
Yet Chinese hackers have become so proficient that many Western firms are already outmatched. One common mistake, cyberdefenders say, is spending heavily to protect a company’s entire network instead of layering protection where it’s needed most.
“What companies do is look for attacks at the perimeter, but the adversaries are inside the perimeter,” Chris Ingliss, who retired this year as deputy director of the National Security Agency, said at the Milken conference. “Start with the premise that security is impossible. Then develop your strategy to defend [the company].”
The indictment of the five Chinese officials is risky for the Obama administration, since China could retaliate in some way, threatening a vital trade relationship. Yet it’s hard to foresee how five Chinese military officials would ever end up in the United States facing trial. In that regard, the Justice Dept. action may be targeted as much at American CEOs as it is at Chinese spies.
The message: Even though you may never see them, thieves are everywhere.
Rick Newman’s latest book is Rebounders: How Winners Pivot From Setback To Success. Follow him on Twitter: @rickjnewman.