The U.S. Department of Justice, working with the FBI, this week took the unprecedented step of indicting five Chinese army officers for allegedly breaking into the networks of American companies and a labor union to steal trade secrets of use to Chinese businesses.
China, upset that the DoJ wants these alleged hackers extradited to the U.S. to stand trial, has threatened retaliation in what’s become the most serious cyber-spying confrontation yet, with business caught in the middle.
But is it realistic to expect a nation’s spy agencies to adhere to rules that would make it off limits to swipe informaton from companies in other countries and share it with businesses in their own backyard? The American Chamber of Commerce in Beijing, which represents about 1,000 American firms with presence in China, Tuesday expressed hope that there might be just such cyber-spying rules of the road.
“While we cannot comment on the specifics of any particular case, AMCham China believes there is a fundamental difference between intelligence gathering for legitimate national security purposes and intelligence gathering for stealing trade secrets, and that the definition of national security ought not include economic interests,” Chairman Gregory Gilligan stated. “We urge both governments to reach agreement on the rules of the road regarding cyber security incorporating this distinction.”
The National Security Agency, the spy agency vacuuming up massive amounts of data outside the U.S., claims it doesn’t share information with U.S. companies for their competitive advantage, but only with government officials for national-security purposes. That restriction is established under law, points out Tim Ryan, managing director at Kroll who joined the security firm two years ago after a career at the FBI leading a cyber-division.
How far that cyber-spying restriction extends is hard to really know. But even Edward Snowden, the former NSA contractor who has leaked volumes of information about how the NSA collects data, hasn’t accused the agency of sharing intelligence with American companies the way China’s state-sponsored cyber-espionage operations now stand accused of doing with Chinese firms, many of which involve government management anyway.
The problem for the U.S. today, says Ryan, is that the Chinese government’s-sponsored cyber-attacks against U.S. businesses are “just so non-stop” that “it’s a machine over there.”
Many agree. Chinese cyber-attacks against U.S. companies are an unremitting wave that only slows down during Chinese New Year, says Stuart McClure, CEO of security vendor Cylance. “Once it’s over, the activity comes flooding back in.”
Chinese facing charges
Indeed, the DoJ this week presented a laundry list of computer-crime charges related to four years of hacking into American corporate networks.
According to the 56-page indictment, the victimized companies were Westinghouse Electric, U.S. Steel, Allegheny Technologies, labor union USW, Alcoa, and the U.S. subsidiaries of Germany-based SolarWorld AG.
The accused Chinese cyberspies—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui---are said to be officers in China’s People’s Liberation Army (PLA) thought to be associated with the so-called Unit 61398. That’s the Chinese military’s suspected cyber-spying operation based in Shanghai. The officers face charges of computer fraud, damaging a computer, aggravated identity theft and economic espionage. The indictment came complete with the officers’ mug shots and hacker handles, like UgkyGorilla and KandyGoo.
Many doubt these five will ever be brought to the U.S. to stand trial, but “the indictments are very important because they send a deterrent message to both the Chinese government as well as the individuals involved in these operations,” says Dmitri Alperovitch, CTO at security company CrowdStrike. He notes these five officers could face extradition if they travel to countries friendly to the U.S. China doesn’t have an extradition treaty with the U.S., notes Craig Carpenter, chief cyber security strategist at AccessData, but he adds it might be possible for the DoJ to get a guilty verdict in absentia.
In announcing that it wants these five PLA officers extradited to the U.S., the DoJ included the accusation that Chinese state-owned companies hired some PLA members working at Unit 61398 to break into U.S. corporate networks to steal information for their gain.
The PLA gained “unauthorized access” into the victims’ networks to steal information “useful to China, including state-owned companies,” said Attorney General Eric Holder this week at a press conference. Holder stood flanked by members of the FBI’s national security and cyber divisions as well as by David Hickton, U.S. attorney for the Western District of Pennsylvania, where most of the companies allegedly hit by the Chinese cyber-intrusions are located, according to the indictment.
“The victims are tired of being raided,” said Hickton, alleging that the theft of technology, cost analysis and trade secrets over the past four years had directly sabotaged U.S. competitiveness, leading to outcomes such as Chinese “dumping” of cheap pipe and the loss of U.S. jobs. “This 21st century burglary has to stop.”
Diplomatic efforts to stop cyber-attacks against U.S. firms have largely “failed,” said Robert Anderson, FBI executive assistant director in the criminal, cyber, response and services branch. “We are going to hold you accountable,” he said about the five accused officers, suggesting more actions to prosecute Chinese cybercrime would be coming. John Carlin, FBI assistant attorney general for national security, said the hope is China will now simply stop the criminal actions.
But the U.S., action has left China furious.
“The U.S. accusation against Chinese personnel is purely ungrounded with ulterior motives,” said China’s Foreign Ministry spokesman Qin Gang in a statement. “China is a victim of sever U.S. cyber theft, wiretapping and surveillance activities” which have impacted Chinese government departments, companies and universities. China abruptly ended talks in the Sino-U.S. Cyber Working Group the U.S. and China had begun on cyber-spying issues, and suggested it may bring its own cyber-spying charges against the U.S.
Such charges sprang to life in the Snowden leaks, one being that the NSA hacked into Huawei’s network, points out Richard Stiennon, senior research analyst with IT-Harvest.
Where do we go from here?
On the plus side, Stiennon says that the U.S. in the new indictment has provided details in methodologies and targets that were only hinted at in veiled warnings before. He says the spear-phishing attacks used by the accused PLA members “were not sophisticated at all. There are plenty of simple technologies available to counter them.”
Is there really hope for a resolution in which China might agree to follow cyber-espionage “rules of the road” along the lines of what the U.S. would want?
“There’s definitely room for agreement here,” says Kroll’s Ryan, noting that some countries actually do have such agreements in place. The U.S. has enough cyber-intelligence-gathering ability that it could probably detect if China were adhering to such rules.
If confrontations over state-sponsored hacking keep mounting, it’s possible that Congress might step in and change the law to allow the NSA and other U.S. government agencies to share stolen information gained through cyber-espionage with U.S. companies for their advantage. Though arguments can be made to change current law, that would not necessarily be the best decision, Ryan adds.
Tom Cross, director of research at network security and monitoring firm Lancope, expressed hope that there might be a way to carve out “a set of international norms regarding cyber espionage.” There needs to be dialog about “what is and is not an acceptable target” that might eventually lead to a “clear legal framework.”
The Chinese military’s Unit 61398 in Shanghai believed to do be doing all this hacking of U.S. companies became widely heard of a year ago when Mandiant, since acquired by FireEye, issued a report based on its own research. The Chinese strongly refuted the report’s findings.
Nart Villenueve, senior threat intelligence researcher at FireEye, says the five suspects named in the new indictment are just some of the players associated with what his firm calls the “APT1” group. There are many more groups doing something similar around the world, he adds. One clear value in the actions taken this week by the DoJ against cyber-espionage is that they show the scale of what is happening to U.S, companies, among others.
The Chinese cyber-attacks are typically carried out remotely from China behind network hops in servers, many of them compromised machines in the U.S., for purposes of plausible deniability, Villenueve says. FireEye’s research indicates the cyberattacks typically adhere to a workday schedule. “The attackers are most active 8 AM to 5 PM, Chinese stand time,” he says. Villenueve says he doesn’t know if it’s possible for the U.S. and China to reach an agreement on cyber-espionage rules of the road, though talk about cyber-treaties has been floated for a long time.
A Chinese People's Liberation Army soldier stands guard in front of the building housing "Unit 61398," the secretive Chinese military unit believed to be involved in cyber-spying.
In any event, this week’s DoJ actions to try and prosecute Chinese cyber-espionage is a turning point.
The FBI goes to U.S. companies all the time to tell them that their networks have been breached. Kroll’s Ryan says what’s changed now is that U.S. companies will recognize that when the FBI informs them, there’s now the distinct possibility that breach could end up in a public indictment of cybercrime suspects similar to what was seen this week.
What happened to U.S. Steel and Westinghouse Electric has happened to many others. “There’s thousands of companies this has happened to,” says Ryan, predicting this week’s actions by the DoJ is likely to change how U.S. companies investigate and handle information they receive about data breaches.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: email@example.com