The last six months have seen a series of extraordinary revelations by US government officials, who have stated that China-based actors are responsible for an extensive industrial cyber espionage campaign and, further, have linked this activity to the Chinese government itself.

This started in October 2011 when the Office of the National Counterintelligence Executive issued the 2011 report on Foreign Economic Collection and Industrial Espionage, which is available here.

The report has many interesting details and is well worth reading, but the key paragraph comes from the executive summary.
"Chinese actors are the world's most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible."
This is the first time the US government has officially named Chinese actors as carrying out extensive cyber espionage, but it is worded carefully so as not to say the Chinese government or to name any entities within China. Then in January 2012 Mike McConnell, Michael Chertoff, and William Lynn, writing in the Wall Street Journal, stated something stronger, naming the Chinese government as responsible.
"Only three months ago, it would have been a violation of national security rules for us to share what we are about to say, even though, as the former Director of National Intelligence (DNI), Secretary of Homeland Security, and Deputy Secretary of Defense, we have long known this to be true: The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world's most active and persistent practitioners of cyber espionage today."
"Evidence of China's economically devastating thefts of proprietary technologies and other intellectual property of U.S. companies is growing exponentially, and only in October 2011 were the details declassified in a report to Congress by the Office of the National Counterintelligence Executive. By contrast, as a matter of official national policy, the United States does not engage in or allow economic espionage."
The full article is available here.
Then from a Senate Armed Services Committee hearing on Cyber Command in March 2012 (transcript and video are available here) we have the following.

From Chairman Levin's opening remarks:
Chairman LEVIN. "...General Alexander has stated that the relentless industrial espionage being waged against U.S. industry and Government chiefly by China constitute 'the largest transfer of wealth in history.' The committee needs to understand the dimensions of this technology theft and its impact on our national security and prosperity..."
From an exchange between Chairman Levin and General Alexander (Commander, Cyber Command, and Director, NSA):
Chairman LEVIN. "...The industrial espionage campaign I noted in my opening statement, and you made reference to it in your statement, particularly China's aggressive and relentless industrial espionage campaign through cyberspace. I wonder. Can you [give] us some examples in open session of the technologies that have been stolen through penetration of major DOD contractors and perhaps the Department itself."
General ALEXANDER. "...We are seeing a great deal of DOD-related equipment stolen by the Chinese. I cannot go into the specifics here, but we do see that from defense industrial base companies throughout. There are some very public ones, though, that give you a good idea of what is going on. The most recent one, I think, was the RSA exploits. RSA creates the two-factor authentication for things like PayPal. So when you get on and order something and pay for it over the network, the authentication is done by encryption systems that RSA creates. The exploiters took many of those certifications and underlying software which makes it almost impossible to ensure that what you are certifying or what someone else is certifying is in fact correct.

Now, RSA acted quickly and is replacing all those certificates and has done that in priority order for the Defense Department and others.

But when you think about it, the ability to do it against a company like RSA is such a high-order capability, RSA being one of the best, that if they can do it against RSA, that makes most of the other companies vulnerable."
(The Chinese state actor then used the stolen RSA information to attempt to breach Lockheed Martin and other defense contractors; see for example this article in the New York Times.)
From an exchange between Senator McCain and General Alexander:

Senator MCCAIN. "I want to thank the witnesses. I would ask General Alexander. Do you agree that Secretary Panetta and the FBI have said that cyberattacks may soon be the number one threats to the United States?"

General ALEXANDER. "Absolutely, Senator."

Senator MCCAIN. "And would you agree that the major threats to our national security come from outside the United States specifically, obviously from unclassified information, from China?"

General ALEXANDER. "Absolutely."
In late April 2012 Rep. Mike Rogers (R-Mich., chairman) and Rep. Dutch Ruppersberger (D-Md., ranking member) of the House Permanent Select Committee on Intelligence wrote an op-ed for Politico which opens in very strongly worded terms.
"The Chinese government has been quietly pursuing a strategy to help project that nation into superpower status. China steals as much intellectual property as it can from U.S. companies and uses it to artificially and unfairly compete in the global marketplace. Beijing uses this information to further its military modernization and, most important, to help fuel economic growth."
and continues
"Every morning in China, thousands of highly trained computer spies now wake up with one mission: Steal U.S. intellectual property that the Chinese can use to further their economic growth. American companies are hemorrhaging research and development on products ranging from fighter engines, to pesticides, to cutting-edge information technology."

The full op-ed is available here.
Then on 18 May 2012 the Department of Defense released its 2012 report on "Military and Security Developments Involving the People's Republic of China", which mentions concerns regarding China and cyber espionage. At the news conference launching this report there was the following exchange between a reporter and Dave Helvey, the acting deputy assistant secretary of defense for East Asia. The official is much more cautious than the members of Congress and only talks about China-based actors.
Q: David, Bob Burns from AP. "On the topic of cyber espionage, which you mentioned very prominently in the report, do you see signs of them accelerating this capability, in particular as it could be applied against U.S. targets?"
MR. HELVEY: "Well, we continue to highlight in this report some of the concerns that we have about China's investment in cyber capabilities. We note that China's investing in not only capabilities to better defend their networks but also they're looking at ways to use cyber for offensive operations. We also highlight a number of areas where we see China engaging in cyber activity focused on computer network exploitation. That continues to be a concern of ours, and we've raised it and we've talked to the Chinese about it, most recently during the Strategic Security Dialogue in Beijing. As well, Secretary Panetta raised that with General Liang in their visit. So this is something that we continue to pay very careful attention to, and we've raised these concerns with the Chinese."
The full transcript is available here.
Turning now to non-government sources, we have the following from the March 26, 2012 testimony of Richard Bejtlich, CSO of Mandiant, before the U.S.-China Economic and Security Review Commission.
"For the most part, our team and I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusion sets ultimately traced back to actors in China. Our intelligence team currently tracks approximately twenty distinct APT groups. These groups include all of the parties identified by reports publicly released by other security companies, as well as actors that we believe are unknown to many of those other companies."
"Most of the APT groups we track target the US defense industrial base (DIB). Some of these groups also target US government agencies, think tanks and political organizations, and other commercial or private targets."
So there are at least 20 distinct groups of cyber espionage actors tied to China. Is further attribution possible? Yes, of course, despite what is commonly said regarding the difficulty of attribution. A Reuters report based on authoritative information clearly attributes at least some Chinese cyber espionage activity to the People's Liberation Army's Third Department Technical Reconnaissance Bureaus. The report also links this activity with the intrusions detailed in the 2009 Information Warfare Monitor report "Tracking GhostNet: Investigating a Cyber Espionage Network"; the subsequent Information Warfare Monitor report "Shadows in the Cloud: Investigating Cyber Espionage 2.0" details similar activity. These reports make for fascinating reading and are available here.
A couple of actors involved in these activities have even been named, in particular Lost33 and Yinan Peng. An excellent report on the PLA Third Department is available from the Project 2049 Institute, "The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure". Further information on the PLA and cyber espionage is available from a report prepared for the U.S.-China Economic and Security Review Commission, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage".
Early reporting on Titan Rain suggests that China-based cyber operations have been underway for many years:
http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html

Here are some links to useful summaries of significant cyber events over the last few years. Of course others do it too; see the reports below on Buckshot Yankee.

- William Lynn (writing when he was United States Deputy Secretary of Defense) in Foreign Affairs magazine on "Defending a New Domain".
- Extensive Washington Post article with many interesting details, here.
- Here is an LA Times article which suggests the intrusion came from Russia.