For centuries, there was a form of execution in China where a condemned person was methodically and slowly cut with a knife until their eventual death. The Chinese word for that torture is Ling Chi, which translates to “Death by 1,000 cuts.” China invented it. Today, U.S. businesses are suffering similar abuse through cyber attacks originating in the People’s Republic.
Thousands of U.S. businesses are routinely penetrated by cyber criminals who make off with proprietary information and sensitive data. There are several culprits in the cyber onslaught against U.S. business, but hackers in China are the most prolific and present the most urgent need for action. At least one expert has said that all major U.S. companies have had their networks penetrated at some point by hackers in China.
If this criminal enterprise and espionage were conducted in person rather than via a computer, citizens and businesses might better understand what is happening to the United States in the cyber realm. The private sector is being robbed of intellectual property and spied on by America’s biggest competitors.
Imagine lines of industrial and corporate spies walking unfettered out of U.S. businesses, pilfered company secrets in hand. This is no different than what hackers are doing digitally at an increasing rate. With viruses, phishing emails, and other tactics, hackers access detailed R&D and business data. The U.S. private sector is facing thousands of cuts that are slashing away the competitive advantages hard-earned through American innovation.
Daggers are Already Drawn
There is unfortunately a good deal of public uncertainty about the severity of the cyber threat. Hacktivist groups (like Anonymous), while capable and often discussed in the media, are somewhat less interested in capitalizing on corporate and industrial secrets. Chinese hackers, however, are focused on stealing profitable business data, and they operate within a country aggressively pursuing a strategic policy of catching up with the United States and other Western nations, particularly in terms of technological capabilities. Begun in 1986, Beijing’s Project 863 gives funding and guidance to “clandestinely acquire U.S. technology and sensitive economic information,” according to a report from the National Counterintelligence Executive’s Office. Chinese hackers fit perfectly within this state objective.
There seems to be an obvious link between China’s national strategic and economic goals and the relentless cyber attacks originating in the country. Tracing an attack to an exact country and machine is difficult; however, ongoing analysis and strong circumstantial evidence (coupled with several confirmed attacks) show a clear, deliberate, and focused effort on the part of Chinese hackers to penetrate U.S. businesses and government networks. And the specter of Chinese industry and government looms in the shadows behind many of these attacks. Some examples:
- In February this year, representatives from Huawei Technologies Co. Ltd. spoke at a security and intelligence conference in Dubai, discussing how the company used a technology called Deep Packet Insertion (DPI) to hack into U.S. and other telecommunications networks, intercepting “malicious” data. Huawei – suspected to have ties to the Chinese army and government – operates in 140 countries and is the second-largest supplier of mobile telecommunications infrastructure equipment in the world. Huawei equipment can mirror (aka, intercept) any and all data they transfer.
- In 2011, an employee of RSA Security clicked on a phishing e-mail and downloaded an attached spreadsheet. This allowed hackers – later traced to China – to breach RSA’s networks. RSA security products are used by the White House, the CIA, the NSA, the Pentagon, DHS, defense contractors (like Lockheed Martin and Northrop Grumman), and Fortune 500 corporations.
- NASA testified to Congress that in 2011, hackers using Chinese IP addresses gained full system access to the agency’s Jet Propulsion Laboratory with the ability to modify, copy, and delete files, upload hacking tools, and steal 150 employees’ personal credentials.
- In 2009, Chinese hackers exploited Internet Explorer vulnerabilities to penetrate Google’s source code. McAfee Labs determined the goal was to access and modify source code repositories at technology, security and defense companies. The hackers also stole some of Google’s intellectual property. The attacks were highly sophisticated, and a diplomatic cable from the American Embassy in Beijing (later revealed via Wikileaks) noted a Chinese source who said China’s Politburo directed the attack.
- Beginning in November 2009, a wave of attacks originating in China targeted international oil, energy, and petrochemical companies, using phishing emails, vulnerabilities in Microsoft Windows®, remote administration tools (RATs) and other methods. The attacks targeted “sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations,” according to a McAfee report.
- Beginning in 2006, specific targets began receiving phishing emails that included a link to a Web page that loaded a RAT onto the user’s computer. This gave automatic, live computer access to a hacker, who could then penetrate the user’s network and steal data. The RAT email reached more than 100 high-profile targets, including a U.S. Department of Energy laboratory, a U.S. real estate company, four U.S. defense firms, and U.S. state and county government organizations, as well as companies and government agencies throughout the world. The RAT did not target any organization in China, and most (if not all) of the targets held data in which the People’s Republic has interest. McAfee said the operation was “an unprecedented transfer of wealth in the form of trade secrets and I.P., primarily from Western organizations and companies.”
These breaches threaten national security and business competitive advantages, and they are but a handful of examples among many other cases that have been found and reported. There are more hacker penetrations, however, that even now are unknown, leaking sensitive and proprietary data like a sieve.
“There are only two types of companies,” Dmitri Alperovitch of McAfee told Vanity Fair. “Those that know they’ve been compromised and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”
Hackers in China work independently or in loose groups. U.S. intelligence agencies report there are at least 17 China-based cyber espionage operations. Hacking in China is a profitable (albeit technically illegal) endeavor, with corporate and probably government customers paying handsomely for stolen data on U.S. technologies. Though Beijing did toughen hacking laws and punishments last year, enforcement is weak. There are other hackers working within the People’s Liberation Army who focus on securing business and defense intelligence, and still other groups operating more fully under government direction. All of these hacking elements in China can and in many cases have struck U.S. targets. If that smacks of a conspiracy for the country and its businesses to illegally secure U.S. trade and state secrets, it’s because it basically is.
Taken in full, the focused effort to steal U.S. private-sector intellectual capital is blatant. The advantage for the hackers is direct profit; for Chinese and other corporations (in which the government often holds a stake), buying stolen data is far cheaper and faster than going through the laborious process of creating and advancing technological innovation. It feeds the country’s strategic goals of rapidly acquiring its competitors’ technologies, but the stolen information necessarily decays the technological and product advantages U.S. businesses worked hard to create.
The Senate is debating legislation that will set some standards for private-sector cybersecurity, but businesses should not wait for a gridlocked Congress to mandate how to mitigate cyber threats. It is in the private sector’s best interest to be proactive. There are a number of steps business leaders and their employees can take independently that will go a long way toward stemming the flow of stolen information. The larger challenge is committing to a consistent, widespread effort and recognizing that cyber complacency is slowly killing the U.S. private sector’s competitive advantages.