This analysis was originally written for ChinaFile at the Asia Society in October, 2014.
It was written because of the New York Times and Sony hacks, when the cybersecurity firm Mandiant was called in to trace the breaches. Mandiant issued a report presenting the forensic evidence that the Chinese were behind the break-in. Mandiant felt the evidence was important enough to issue a report that was available to private companies, government agencies and the general public.
For various reasons, the size of the shop and the need for technical expertise to do the fact-checking, my piece went unpublished by China file.
In the wake of the recent cyber-attack on the United States government agency, the Office of Personnel Management (OPM), this piece became relevant. I thought it was important enough to post this on my blog. I will follow up this piece with more on China's accession to ICANN and its recent call for imposing a "code of conduct" on the internet (Washington Examiner). Given China's track record of censorship on the internet, I feel this deserves reporting.
The world of technology moves very fast. This piece is meant to be a snapshot.
In January of 2013, the New York Times went public with the story that it had been the victim of a hack attack that had been traced to the Chinese. They were the first of U. S. media company to go public. The victim list would later include the Washington Post and the Wall Street Journal.
The Chinese dismissed the accusations.
In February of 2013, the Mandiant Company released the “APT 1 Report: Exposing One of China’s Espionage Units."
(The acronym APT stands for Advanced Persistent Threat and refers to cyber attacks by a nation-state actor, the most advanced level of threat category. APT 1 is considered a Tier One threat, higher than a non-state player, a criminal entity or an individual player.)
Mandiant, a computer security firm headquartered in the greater Washington, D. C. area, had a track record of investigating security breaches of all types and at all levels of threat at hundreds of organizations around the world.
Mandiant had been following breaches of more than 20 groups with origins in China and APT 1 was one of them, “a single organization that had conducted cyber espionage against victims since at least 2006.” (Mandiant Report, 2)
The groundbreaking element of the report was that for the first time, the forensic evidence tracked back to a specific location and to specific hackers. There was no doubt that the advanced persistent threat came from the People’s Liberation Army (PLA). The report included photographs of the real world buildings and gave their street addresses.
The investigation led Mandiant to four large networks in Shanghai, two of which were located in the Pudong New Area, a neighborhood of Shanghai. The address was on Datong Road, a building of 130,000 square feet, 12 stories high, staffed by hundreds, perhaps thousands of people. China Telecom had provided special fiber optic communications for the unit in the name of national defense. Personnel for the unit have to be trained in computer security and computer network operations, and also have proficiency in the English Language.
“Our analysis has led us to conclude that APT 1 is likely government sponsored and one of the most persistent of China’s cyber threat actors. . . .In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT 1 in is mission capability and resources. PLA Unit 61398 is also located in precisely the same area from which APT 1 activity appears to originate.” (Mandiant Report, 2)
Mandiant report stated that the firm had uncovered “a substantial amount of APT 1’s attack infrastructure, command and control and modus operandi (tools, tactics and procedures.)” This was forensic investigation and it laid out hard evidence. (Mandiant Report, 2)
The report stated that APT 1 had compromised 141 companies, part of 20 major industries. It concluded that APT 1 maintained an extensive infrastructure of computer systems around the world. “In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese Language.” (Mandiant Report, 4)
The report described the unit’s method of operation: once they had established access, revisit the victim’s network over several months or years. They steal “broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations; leadership.” (Mandiant Report, 3).
Further, the report stated that the infrastructure of the unit would require a large organization. “Given the volume, duration and type of attack activity we have observed, APT 1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators and people who then transmit stolen information to the requestors. APT 1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management and logistics (e. g. shipping).” (Mandiant Report, 5).
Chinese officials denied the accusations.
The Motive: Why Steal?
It is a vast understatement to say that the area of cyber espionage is costly to U. S. companies and to private industry globally.
A 2014 joint report by the Center for Strategic and International Studies and the McAfee Corporation estimates that the cost globally for all forms of cyber theft is $400 billion dollars and extensive damage to economies in terms of job loss and competitive edge. (CSIS-McAfee report)
As national security writer Adam Segal says, “The illicit transfer of intellectual property (IP), through the failure to protect IP in the domestic market, industrial espionage, or cyber theft, also plays a role in efforts to move the economy up the value chain and to bolster the competitiveness of Chinese companies.” (forbes.com)
Cyber espionage is a cheap way for China to become competitive with the United States.
The attacks were made public, the offenders were identified, the costs were tallied up. But why were the Chinese doing it?
Judging from the targets, as published in the report, the Chinese were seeking a competitive advantage in negotiations with companies in related industries.
As to the mentality of those who engaged in the theft of intellectual property, the idea is to leapfrog over the time and investment necessary for research and development.
There are no international laws making cyber espionage and the theft of intellectual property a crime. There are no governing bodies, including the ITU (an agency of the United Nations governing telecommunications and satellite communications worldwide), and the World Trade Organization, who could judge the evidence and impose a penalty that would serve as a deterrent to further activity. The U. S. had no way to take the Chinese before an international body and prosecute the transgressions.
China’s motive, as enunciated in a speech to the Chinese Academy of Sciences and the Chinese Academy of Engineering by President Xi Jinping was the restoration of China’s greatness in Science and Technology. (New York Times article, June 11, 2014).
This is a matter of national pride, the restoration of China’s pre-eminence after the century of humiliation at the hands of the Western powers. Little mention was made of the late Qing court’s rejection of attempts at reforming and modernizing China’s science and technology during the last dynasty. The great social rebellion and movements of the nineteenth century had an anti-Western, anti-colonial element with good reason.
The late dynasty was steadfast in its position that China needed little from the West. The coming to modernity, in essence, was a coming to terms with Western science and technology. While Japan embraced the study and went forward to greet it under the Meiji Emperor, China, under the last empress, rejected it. (Spence, Seagrave)
With that history firmly in the past, China has been investing in science, technology and education, as well as R & D. It has been engaged in reforming research institutions, state enterprises and government agencies in the attempt to spur innovation.
National Security writer Adam Segal published a telling insight. “In the cyber relationship Beijing sees itself as at a disadvantage to the United States, and so greater secrecy is required to maintain tactical advantage and create ambiguity in the mind of a potential adversary. Beijing also sees calls for greater transparency as bullying and an effort to de-legitimize Chinese security concerns.” (Forbes.com article).
Sound and Fury: A Heated Response in Washington
The publication of the report set off cries of outrage in Washington (links to New York Times citations here). An investigation by the Senate Armed Services Committee. (SASC report) demanded the cessation of the theft of intellectual property.
Soon afterward, the Edward Snowden revelations about American cyber spying activities on Hong Kong and China set off a psychological earthquake in China. America no longer had the high moral ground. The world of cyber-space, after all, is an arena where Defense Department experts predict will play a significant role in the warfare of the future.
The immediate response of Chinese officials in the Foreign Ministry and the Ministry of Defense was to deny the accusations and to counter-accuse the United States of hypocrisy. The denials ranged from statements made to the American press and quoted in the New York Times and Washington Post, among others, and to articles in the English language edition of China Daily.
The U. S. and China had been holding talks in a Cyber Working Group out of the State Department. The idea of the Obama administration in the runup to a presidential summit in Beijing and intended to reassure the Chinese that the U. S. military was not conducting aggressive attacks.
U. S. officials used briefings with Chinese counterparts to convince the Chinese to desist with cyber espionage, claiming that while spying of military to military was standard in international relations between great states, using the military to spy on industrial targets was out of bounds. (Links to articles: David Sanger (New York Times) and Adam Segal (Forbes Asia online).
The briefings with the Chinese were intended to alleviate concerns of Chinese about the Pentagon’s capabilities in cyber warfare, and to inform the Chinese of what the U. S. military refers to as “an emerging doctrine for defending against cyber attacks.”
At the retirement ceremony for General Keith Alexander, former director of the U. S. Cyber Command, Defense Secretary Chuck Hagel sought to give the Chinese reassurance about the buildup of personnel in the Cyber Command. Hagel stated that the U. S. would look with restraint on cyber attacks outside the military.
Statements on the Chinese side enunciated the Chinese position that the distinction between economic and military cyber was meaningless, because to the Chinese, the economic was military and part of China’s concept of its national security. This is a longstanding disconnect in worldviews in which the Chinese view such things as human rights as an offshoot of economic rights.
The question of policy in digital security inevitably leads to a discussion of military strategy. In the event of full-scale warfare, cyber warfare aimed at critical infrastructure would play a major part on both sides. This is understood by the military on both sides, and is the reason why Secretary of Defense Hagel went out of his way to reassure the Chinese.
Transparency was supposed to take down the perception of the threat level from the American side.
The reassurances did little to stop the Chinese attacks. The Obama administration responded to the Chinese cyber attacks by setting up a Cyber Working Group out of the State Department. The idea was to handle in a quiet diplomatic fashion differences between the two countries.
From the date of the public revelations of its activity, the Chinese groups, APT 1 foremost, had lengthy periods of inactivity. The report speculated that the inactivity was due to the PRC’s attempt to assess political damage and to reorganize its operations to keep them hidden. (Mandiant 2014 Threat Report: Beyond the Breach).
By the late spring, the two groups APT 1 and APT 12 (the first group outed by the New York Times) had resumed their activity at lower levels.
Naming and Shaming: The Obama Administration Goes to Court
As the diplomatic approach had not produced results, in May, the Justice Department filed an indictment in the U. S. District Court in Western Pennsylvania. The location was chosen because the targeted companies, among them Alcoa and Westinghouse Electric Company, were located in Pennsylvania.
The indictment named five members of the APT 1 group, PLA General Staff Third Department. This department is the electronic intelligence agency known as 3PLA.
The indictment was 56 pages long and detailed the theft of corporate secrets and economic data which were provided to Chinese state-owned enterprises. (Link to indictment optional, link to Times article here).
Traditionally, the Chinese are extremely sensitive to negative press. The idea of the administration was to switch tactics, to use a legal arena to cause the Chinese what might be called a “loss of face.”
The indictment named five individuals, three of them by their cyberspace handles, “UglyGorilla”, “DOTA” and “Superhard.”
The use of online personas is a feature of hacker culture worldwide. (Author interviews, DefCon 22, the hacker’s convention, Las Vegas, July 7-11, 2014.)
It is highly unlikely that any members of the PLA will show up in an American court to face charges. The indictment remains a symbolic move.
Getting Lost and Getting Found Again: The Cancellation of Talks
The Chinese broke off talks with the Cyber Working Group of the State Department in the spring. By the late summer, secret cyber talks were on again in Washington for a simple reason. China and the U. S. need each other. This is the most important bilateral relationship in world diplomacy. At the time of the writing of this piece, President Obama was due to meet with President Xi Jinping in Beijing in November, 2014, at the Asia Pacific Economic Conference (APEC).
The question remained: was the aggressive hacking of a unit of the PLA enough of an issue to derail or damage talks among the leaders of the world’s two biggest economies. Could the administration take the risk? Was it worth the hassle?
Cyberspace is an emerging frontier with no clear rules of the road. At the top of both systems military people and policymakers have divergent views.
This is a scenario not unlike the old Cold War posture of mutually assured destruction. There is one glaring difference in the present century. The Chinese are far more integrated into the world economy than the old USSR .One element remains the same: contact between the military men is strategic. Even with the atmosphere of mistrust, it is a good thing to continue the briefings to ward off an arms race in cyberspace. If both sides know how the scenario will play out, the knowledge of the other side’s capacity acts as a deterrent to cyber war. (citation, Segal article)
Talks were cancelled but eventually they would be rescheduled but would take place in secret.
On President Obama’s 2013 visit to Beijing, the Chinese chastised the United States for the revelations about spying released by Edward Snowden and the talks on the important issue of cyber espionage went nowhere.
Indictments against five PLA members were handed down in Federal Court, but as to the question of whether the revelations would lead to a diplomatic solution to the problem of nation-state cyber espionage, a meeting of heads of state to agree on rules of the road, this has not happened.
The moves and counter-moves
A second bombshell in the form of a second report by a second computer security company exploded.
In June of 2014, CrowdStrike, a prominent computer security firm, issued their report on a second unit of the PLA, 3rd Department, 12th Bureau, Unit 61486. The cyber espionage unit was called Putter Panda. The Crowdstrike report had forensic evidence that this unit operated from Shanghai.
In June, only weeks after the Justice Department handed down the indictments of the five members of the PLA, a California computer security company that specializes in the relatively new field of computer forensics, CrowdStrike, issued a report tied attacks against government and private targets, back to a second group of Shanghai hackers. The NSA (and its partners) identified them as Unit 61486.
The unit in some instances shared resources with and communicated with Unit 61398, the previously identified unit of the PLA. Some of this new group of hackers used the same IP addresses as member of Unit 61398 to launch attacks.
The targets were technology companies in the fields of satellites, drones and nuclear weapon components, to technology and energy companies.
Chinese activity continued. The conflict between the U. S. and China over cyber espionage escalated.
A U. S.-China Economic and Security Review Commission urged the administration to impose economic penalties on China for its cyber espionage. The idea that government spy on one another for military purposes was not at issue. What the United States objected to was the Chinese military spying on industrial and corporate targets.
The economic penalties included: blocking imports of Chinese goods from companies that benefited from cyber espionage. This idea received no traction as U. S. officials had no wish to antagonize China. Banning Chinese firms that are guilty of cyber theft of trade secrets and research and development from the use of U. S. banks. In the extreme, refusing travel visas to officials of companies that have been proved to be behind cyber attacks.
The administration decided against this approach. It had no wish to pursue a hard line.
In early June, President Obama traveled to Beijing for a US China presidential summit. The cyber talks were called off. The back and forth game of accusation and counter accusation had heated up. The Snowden revelations allowed the Chinese to deflect attention from their own activities and brand the United States as the cyber threat to China.
By late July, both groups had resumed the pre-disclosure levels of activity.
In September of 2014, the Senate Armed Services committee published an unclassified version of its report on a year long investigation into key defense contractors. The report stated that the Chinese had penetrated TRANSCOM, the U. S.
Transportation Command. Transcom acquires civilian air, shipping and other transportation assets as needed to deploy U. S. forces in times of crisis. (Link to report)
The SASC in response to the findings of the report included a provision in the National Defense Authorization Act for Fiscal Year 2015 improving the way the Department of Defense disseminates information about cyber penetration into the networks of its contractors. This is similar to the improving of information-sharing systems throughout the first responders networks in the aftermath of 9/11.
The way forward: the carrot and the stick
China has a white hat side, in wanting to emerge as a scientific and technological power. On the black hat side, they are doing war by stealth, stealing what they need to get ahead and denying it.
The U. S.-China relationship is the most important bilateral relationship in U. S. foreign policy. These are the two biggest economies in the world, the relationship takes place over a wide variety of issues, from China’s muscular approach to issues in the South China Sea, to trade relations in ASEAN, the biggest common market in the world, to Taiwan and to China’s emergence in regional bodies in Central Asia, as the U. S. prepares to withdraw from Afghanistan.
For the moment, the U. S. approach in regard to cyber espionage has been two-pronged: bind the Chinese ever more closely into the international economic system and make clear the penalties for violation of the rules of the game. (Tellis,“Balance Without Containment, Carnegie Endowment Paper). The noted lawyer Michael Pillsbury in his recent book, "The Hundred Year Marathon" also recommends calling the Chinese to task when they break the rules instead of buying into the 100 years of humiliation excuse that the Chinese routinely invoke.
In other words, the stated policy, not only of the U. S. but of the international community, should be that cyber espionage is a no-no. Violators must cease and desist. If they do not, and the penetrator is caught, it costs and the costs should be punitive. The reason for this is to remedy the harm done: this can be stated simply--the economic and competitive disadvantage to the target.
This means that laws stating international norms of behavior have to be put in place. Which body would impose the penalties and what would the penalties be? These might be implemented by the WTO, but as of this writing, the WTO has not taken this role. As of now, there are no laws and there are no penalties. This will take time to achieve.
The second prong has made progress. China has expressed its desire to have more say in the governance of the internet. The Chinese feel that they are entitled to a vote, given the size of their country and its population, and they oppose the dominance of the internet by the United States. (Author interview, Richard Bejtlich, Q & A, online forum)
These issues are of a type that are properly addressed in the international bodies that govern the internet, namely ICANN and the ITU. China is a member of ICANN and has been active in promoting the idea that the Internet should be available and run in Chinese. Users of other non-Western languages such as Arabic have advocated the same idea, as they must, in essence, use English as a second language to access the Internet.
(Some techno-speak is in order here. An informed public may just have to get up to speak on what is at issue here and to do this, one needs to understand how the internet works in general terms. Please skip this if you want the big picture without the technical explanation.
ICANN is an international organization, the Internet Corporation for Assigned Names and Numbers. It coordinates the Internet Assigned Numbers Authority (IANA) functions, which are key technical services critical to the continued operations of the Internet's underlying address book, the Domain Name System (DNS).
ICANN defines their organizing principle as the multi-stakeholder model. Their fundamental belief is that all users of the Internet should have a say in how it is run. (https://www.icann.org/resources/pages/welcome-2012-02-25-en)
ICANN’s members include Internet Service Providers (ISPs), intellectual property advocates, commercial and business interests, non-commercial and non-profit interests, representation from more than 100 governments, and a global array of individual Internet users.
ITU is the International Telecommunications Union, an agency of the United Nations that governs telecommunications and satellite communications. They allocate global radio spectrum and satellite orbits, develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICT’s to underserved communities worldwide.
(ICT is the acronym for internet and communication technologies. (http://www.itu.int/en/Pages/default.aspx)
According to Richard Bejtlich, China’s argument was that it did not have enough say in the governance of the internet, given the size of its population and the number of its users. (The internet has been governed by the United States since its beginning, and the English language has been the dominant language of the internet since the beginning.) (Bejtlich Q & A, online forum, Mandiant Webinar, 10-23-14)
On October 23, 2014, Houlin Zhou was elected Secretary-General of the agency. China would now have a governance role in the ITU. Its goal was achieved.
What is to be done?
Beijing has a conflicting set of goals. They want to be a status player in the bodies which govern the internet, as they have become in the World Trade Organization, but they want to cheat to get ahead at the game. For the near future, it is not likely that there will be in Beijing’s behavior.
The rules of the road in cyberspace are yet to be defined and both parties are testing the rules the new arena. China polices and censors the Internet, but as this author noted in an early piece on China and the internet, the dilemma for a modern economy is to choose between censorship and the free flow of information necessary to the running of a modern economy. The Chinese have traditionally ignored a principle the United States holds dear: the protection of intellectual property rights.
The contradictions are there and in the emergence of Market Stalinism, the idea of a business ethic still carries with it the stigma of class crime. The decision of President Xi Jinping to make his anti-corruption campaign a hallmark of his leadership is a positive development.
Until they abide by the rules, and that may be a longterm process of coming to business ethics in a top down system, U. S. targets have to play a game of defense that is more like martial arts and less like defending the barricades.
The protection of American corporations and institutions, private and governmental sector, and critical infrastructure, for the time being, will have to be the playing of a defensive game against cyber espionage. They cannot man the barricades, it has to be a game of weiqi (the Chinese name for the game of Go, as it is called in Japan). This is a strategy game that has been played by Chinese and Japanese admirals and generals for centuries. It involves moving against the opponent in a game of encirclement and expulsion. This means getting the attackers off the playing field through superior intelligence, technology and tools.
Where does that leave U. S. corporations and institutions that are the targets of the ongoing cyber attacks? For the near future th attacks will continue.
Richard Bejtlich suggests the implementation of his theory of computer security: it is impossible to prevent intrusion. If your system can be penetrated, it will be penetrated. In a classic game of weiqi, there are black markers and white markers, each striving for advantage on a battleground.
The intruder is on the board. What is left is strategy, a set of tools and ideas to surround him, render him harmless, and expel him.
Assume that you have been breached and conduct forensic methods and tools aimed at detection, enclosure and expulsion.
For the near future, U. S. policy should be keep talking and keep up the defense.
Note: If you are a journalist and you need the citations on my sources, please email me and I will send them to you. I have written this piece as a backgrounder for those journalists who are covering this story, but don't have the background on China, nor the researchers to do the legwork. I have noted that covering this story requires expertise that most writers who are not specialists do not have. Thus, the reportage only skims the surface. The tech writers don't have the background on China and their coverage is not often helpful to general readers as it assumes a geek mentality.
For a list of citations for this piece, please email the author.