In late December, Bloomberg published “China-Based Hacking of 760 Companies Shows Cyber Cold War.” This story is part of a coordinated campaign “now being rolled out by the Obama administration, [Rep. Mike] Rogers and others in Congress.”
The Bloomberg article is long and interesting, especially the mention that the US was reading messages between a PLA officer and his mistress:
An informal working group of private-sector cybersecurity experts and government investigators identified the victims by tracing information sent from hacked company networks to spy group-operated command-and-control servers, according to a person familiar with the process. In some cases, the targets aren’t aware they were hacked.
Such tracing is sometimes possible because of sloppiness and mistakes made by the spies, said another senior intelligence official who asked not to be named because the matter is classified. In one instance, a ranking officer in China’s People’s Liberation Army, or PLA, employed the same server used in cyberspying operations to communicate with his mistress, the intelligence official said.
This raises a couple of questions. First, is the US formally tracking the moral and financial corruption of Chinese officials? As Major General Jin Yinan disclosed in a talk leaked onto YouTube last year, corruption played a role in several recent espionage cases in China. Blackmail has a long history in intelligence, corruption is epidemic in China, and many officials or their families have moved significant assets overseas, including to the US.
Second, how aggressive is the US in conducting cyber espionage of Chinese entities? If the US can read a ranking officer’s love notes with his mistress (no word if they were via email, QQ, Weixin or Weibo), what else is it reading?
Congress can pass a bill trying to pressure the Chinese, but it will not solve the problem. For centuries countries have used whatever capabilities they have to spy on others, and no law is going to stop that. The onus for solving the problem lies with American companies and organizations. Jeffrey Carr, CEO of cybersecurity firm Taia Global, is right when he argues that:
The heart of the matter is not that foreign states are stealing U.S. intellectual property. Espionage is the 3rd oldest profession and our reliance upon cyber-space-time has made it easier than ever for agents around the world to not only take what they want but make it look like others are the culprits. The solution doesn’t lie in deterrence because deterrence is a laughable concept among sophisticated attackers. While it’s natural to want to stop the “bad guys” from stealing what is yours, it’s also naive to believe that you can do it. You can’t stop bad guys from coming in, but you can stop your data from leaving. That’s the key to ending China and Russia’s relatively free access to U.S. technological secrets.
Don’t threaten them. Don’t pretend that you can deter them. Don’t imagine that you even know which one of them is doing the attacking at any given time. Instead, Rep. Rogers should write legislation that requires U.S. companies to inventory their critical data so that they know where on their network it resides, then implement a set of security controls that monitors the behavior of authorized users and locks that data down when certain norms are violated. The hard truth of the matter is that most companies today don’t have a clue about where on their network their critical data resides because they’ve bought into the old school security model of trying to stop attacks at the perimeter of their network. Until that changes, Rep. Rogers and others like him will just waste more taxpayer money and perpetuate the illusion that the problem is somewhere “out there” and can be stopped with U.S. muscle.