From our 12 March LDESP Asia-Pacific News Update.
In mid-February, the New York Times reported on the People’s Liberation Army base behind much of China’s cyber activity:
“On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.
The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.
An unusually detailed 60-page study, to be released on 19 February by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
Other security firms that have tracked “Comment Crew” say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate, issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content. (…)
While Comment Crew has drained terabytes of data from companies like Coca-Cola, increasingly its focus is on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks. According to the security researchers, one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America. The unit was also among those that attacked the computer security firm RSA, whose computer codes protect confidential corporate and government databases.
Contacted on 18 February, officials at the Chinese embassy in Washington again insisted that their government does not engage in computer hacking, and that such activity is illegal. They describe China itself as a victim of computer hacking, and point out, accurately, that there are many hacking groups inside the United States. But in recent years the Chinese attacks have grown significantly, security researchers say. Mandiant has detected more than 140 Comment Crew intrusions since 2006. American intelligence agencies and private security firms that track many of the 20 or so other Chinese groups every day say those groups appear to be contractors with links to the unit.” (New York Times)
The Center for Strategic and International Studies Asia Policy Blog, CogitAsia, has an excellent five-part series on cybersecurity. Of particular interest is the second part, “Cyber Criminals and Cyber Spies Active in Asia,” as well as the fourth part, “Cyber Espionage: China at the Forefront.” From the latter:
“China may be the leading practitioner (although by no means the only one) of economic espionage in cyberspace. If, as we saw in the previous post, Chinese authorities fear the political power of their own netizens, in contrast, Chinese officials tolerate malicious activity against foreigners and routinely use non-governmental hackers as proxies, as the recently released Mandiant report amply demonstrates. China’s cyber espionage may not radically shift the balance of military power, but it indicates a competitive and possibly hostile attitude towards the US.
Chinese government agencies, companies and individuals have expanded their efforts to illicitly acquire technology or gain business advantage into cyberspace. The findings of the Mandiant report aside, several complex economic espionage operations aimed at Western companies originating in China have been uncovered in recent years.
There are interesting parallels between China’s five-year economic plans and cyber espionage activities that appear to have originated in China. For instance, China has long sought the means to develop an indigenous computer central processing unit (CPU). Intel Corporation, the world’s leading producer of CPUs, was a target of a January 2010 corporate hacking (which also involved Google).
China’s cyber espionage reflects Chinese attitudes toward the protection of intellectual property. Currently there is no comprehensive protection of intellectual property in China. That said, there is a growing realization in parts of the Chinese Government that the lack of strong IP protections does serious damage to China’s ability to innovate.
Cyber conflict generally works to China’s advantage when compared to the United States or other Asian nations. China has integrated the use of cyber techniques into its military doctrine and economic policies far more comprehensively than any other nation in the region. Japan and Australia have focused more on cyber defense. North and South Korea do not yet have the capabilities to engage in the high end of cyber conflict (the ability to inflict physical damage through cyber attack). But although cyber espionage helps accelerate the increase in China’s power vis-à-vis other Asian nations and China’s own technological and economic growth, it is by no means the major contributor to China’s growth.” (CSIS CogitAsia)
The U.S. Response
In late January, according to the Washington Post quoting U.S. officials, the Pentagon approved expansion of its cybersecurity force to defend against the growing threat:
“The move, requested by the head of the Defense Department’s Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians.
Details of the plan have not been finalized, but the decision to expand the Cyber Command was made by senior Pentagon officials late last year in recognition of a growing threat in cyberspace, said officials, who spoke on the condition of anonymity because the expansion has not been formally announced. The gravity of that threat, they said, has been highlighted by a string of sabotage attacks, including one in which a virus was used to wipe data from more than 30,000 computers at a Saudi Arabian state oil company last summer.
The plan calls for the creation of three types of forces under the Cyber Command: “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and “cyber protection forces” to fortify the Defense Department’s networks. (…)
“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyberattack on the United States at some point,” said William J. Lynn III, a former deputy defense secretary who helped fashion the Pentagon’s cybersecurity strategy. “The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or . . . read about the steps we should have taken in some post-attack commission report.” (Washington Post)
Dan Blumenthal, Director of Asian Studies at the American Enterprise Institute, explains in Foreign Policy “How to Win a Cyberwar with China”:
“The Internet is now a battlefield. China is not only militarizing cyberspace — it is also deploying its cyberwarriors against the United States and other countries to conduct corporate espionage, hack think tanks, and engage in retaliatory harassment of news organizations.
These attacks are another dimension of the ongoing strategic competition between the United States and China — a competition playing out in the waters of the East and South China seas, in Iran and Syria, across the Taiwan Strait, and in outer space. With a number of recent high-profile attacks in cyberspace traced to the Chinese government, the cybercompetition seems particularly pressing. It is time for Washington to develop a clear, concerted strategy to deter cyberwar, theft of intellectual property, espionage, and digital harassment. Simply put, the United States must make China pay for conducting these activities, in addition to defending cybernetworks and critical infrastructure such as power stations and cell towers. The U.S. government needs to go on the offensive and enact a set of diplomatic, security, and legal measures designed to impose serious costs on China for its flagrant violations of the law and to deter a conflict in the cybersphere.
Fashioning an adequate response to this challenge requires understanding that China places clear value on the cyber military capability. During the wars of the last two decades, China was terrified by the U.S. military’s joint, highly networked capabilities. The People’s Liberation Army (PLA) began paying attention to the role of command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) assets in the conduct of war. But the PLA also concluded that the seeds of weakness were planted within this new way of war that allowed the United States to find, fix, and kill targets quickly and precisely — an overdependence on information networks.
Consider what might happen in a broader U.S.-China conflict. The PLA could conduct major efforts to disable critical U.S. military information systems (it already demonstrates these capabilities for purposes of deterrence). Even more ominously, PLA cyberwarriors could turn their attention to strategic attacks on critical infrastructure in America. This may be a highly risky option, but the PLA may view cyber-escalation as justified if, for example, the United States struck military targets on Chinese soil.
China is, of course, using attacks in cyberspace to achieve other strategic goals as well, from stealing trade secrets to advance its wish for a more innovative economy to harassing organizations and individuals who criticize its officials or policies.
Barack Obama’s administration has begun to fight back. On Feb. 20, the White House announced enhanced efforts to fight the theft of American trade secrets through several initiatives: building a program of cooperative diplomacy with like-minded nations to press leaders of “countries of concern,” enhancing domestic investigation and prosecution of theft, promoting intelligence sharing, and improving current legislation that would enable these initiatives. These largely defensive measures are important but should be paired with more initiatives that start to play offense.
Offensive measures may be gaining some steam. The U.S. Justice Department, in creating the National Security Cyber Specialists’ Network (NSCS) last year, recognizes the need for such an approach. The NSCS — consisting of almost 100 prosecutors from U.S. attorneys’ offices working in partnership with cyber-experts from the Justice Department’s National Security Division and the Criminal Division’s Computer Crime and Intellectual Property Section — is tasked with “exploring investigations and prosecutions as viable options for deterrence and disruption” of cyberattacks, including indictments of governments or individuals working on the government’s behalf. It’s a good first step, but Congress could also consider passing laws forbidding individuals and entities from doing business in the United States if there is clear evidence of involvement in cyberattacks.” (Foreign Policy)
U.S. Demands China Block Cyberattacks and Agree to Rules
The White House demanded on 11 March that the Chinese government stop the widespread theft of data from American computer networks and agree to “acceptable norms of behavior in cyberspace.” The demand, made in a speech by President Obama’s national security adviser, Tom Donilon, was the first public confrontation with China over cyberespionage and came two days after its foreign minister, Yang Jiechi, rejected a growing body of evidence that his country’s military was involved in cyberattacks on American corporations and some government agencies. The White House, Mr. Donilon said, is seeking three things from Beijing: public recognition of the urgency of the problem; a commitment to crack down on hackers in China; and an agreement to take part in a dialogue to establish global standards. (…)
Until now, the White House has steered clear of mentioning China by name when discussing cybercrime, though Mr. Obama and other officials have raised it privately with Chinese counterparts. In his State of the Union address, he said, “We know foreign countries and companies swipe our corporate secrets.” But as evidence has emerged suggesting the People’s Liberation Army is linked to hacking, the China connection has become harder for the administration not to confront head-on. (…)
American officials say raising the issue with the Chinese is a delicate balancing act at a time when the United States is seeking China’s cooperation in containing North Korea’s nuclear and missile programs, and joining in sanctions on Iran. Yet they have been expressing their concerns about cyberattacks with Chinese officials for years. Starting in 2010, they invited P.L.A. officials to discuss the issue — a process that has only just started — and last November, Mr. Obama broached the subject at a summit meeting with Prime Minister Wen Jiabao, a senior administration official said. (New York Times)