If you think the timing of a damning report on China’s government-sponsored cyber-attacks on U.S. industry and government is a coincidence, think again.
The 60-page report (PDF) from cybersecurity firm Mandiant, for those of you who missed the media hellfire it sparked on Tuesday, blames the People’s Republic of China for widespread cyber-attacks and cyber-espionage on U.S. industry and government. Targets include companies like Coca-Cola, as well as companies that operate critical infrastructure, like electrical grids, oil and gas pipelines, and water supply.
The report, which was featured in a front-page story by The New York Times (a former client of Mandiant), pinpoints a 12-story office building in Shanghai which Mandiant researchers believe is home to “APT1,” one of “more than 20” similar hacker outfits supported or employed by the China’s People’s Liberation Army (PLA). The hacker contingent is officially known as “Unit 61398,” and has been labeled the “Comment Crew” or “Shanghai Group.” Mandiant even published video of one of the alleged APT1 hackers in action, an individual known as “DOTA” who creates fake Gmail accounts to launch spear-phishing attacks on targets – one of the primary weapons used by APT1, according to Mandiant.
“APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations,” reads the report, “and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.”
This highly detailed report marks the first time a private company has explicitly called out the PLA as the source of a barrage of cyber-attacks on the U.S. It is also the first publicly available report to reveal exhaustive evidence – if not a “smoking gun” – to support accusations that China’s government poses a major threat to U.S. cybersecurity. Many people have talked about it over the years, few have provided something close to proof.
The Chinese government has firmly denied the credibility of the Mandiant report. “The Chinese army has never supported any hackings,” said China’s Ministry of National Defense in a statement to state-owned news agency Xinhuanet. The ministry also said the report was false and unprofessional.
Of course, this denial is neither new nor particularly believable. During the course of reporting various cybersecurity stories, I have personally witnessed real-time cyber-attacks on major U.S. businesses that originated in China. And the information in the Mandiant report has since been backed up by sources within the U.S. government and by a variety of other cybersecurity firms that have gathered similar data.
So the legitimacy of the Mandiant report is not really in question, whatever the Chinese government has to say about it. What did strike me as odd, however, was the timing of its release.
Since January 31, we have seen high-profile cyber-attacks by Chinese hackers on The New York Times, Wall Street Journal, Washington Post, and Bloomberg News. In the last week, we saw Chinese hackers blamed for infecting a developer’s website that resulted in malware infections at Facebook, Apple, and possibly Twitter.
We also saw President Obama call out cybersecurity as a major priority for the U.S. in the State of the Union address on February 12, and, earlier that day, sign an executive order meant to bolster U.S. critical infrastructure networks. Also that Tuesday, Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA) – implicit support for which Mandiant CEO Kevin Mandia gave during a testimony (PDF) before the House Permanent Select Committee on Intelligence on February 14.
All of this felt eerily familiar. In the months that followed the September 11, 2001, attack on the World Trade Center and the Pentagon, our media and our government constantly bombarded us with evidence for why military action was necessary. Al Qaeda, weapons of mass destruction, and the hideous might of Saddam Hussein saturated our world. Talk of Chinese hackers, and the media reports surrounding them, in no way match the insanity churned up in immediate post-9/11 America. But upon reading The New York Times report about Mandiant’s findings in the wee hours of Tuesday morning, I couldn’t help but wonder: Why now?
“We felt like there’s a bunch of things coming together at the same time,” Richard Bejtlich, Mandiant Chief Security Officer, told me during a phone interview. “Our CEO Kevin Mandian just testified before the House Permanent Select Committee on Intelligence last week all about information sharing. This is what we’re doing; we’re sharing information.”
Bejtlich also points to Obama’s executive order, and the admission by the Times and other news outlets that Chinese hackers had infiltrated their networks, as an indication that “this is the time to let the world know what we know about this one group.” Furthermore, he said, “We had heard through some back channels that there’s some support for less observation of the fireworks – in other words, just watching companies get hacked – and more putting the message out there that this isn’t acceptable, and doing something about it.”
So, what does “doing something about it” look like? According to the Associate Press, the Obama administration has already begun “eyeing fines, penalties and other trade restrictions as initial, more-aggressive steps the U.S. would take in response to what top officials say has been an unrelenting campaign of cyber-stealing linked to the Chinese government.” Hawks, like former FBI executive assistant director and current president of cybersecurity firm CrowdStrike Shawn Henry, are calling for even more aggressive action.
“If the Chinese government flew planes into our airspace, our planes would escort them away. If it happened two, three or four times, the president would be on the phone and there would be threats of retaliation,” Henry told the AP. “This is happening thousands of times a day. There needs to be some definition of where the red line is and what the repercussions would be.”
Others have linked the current situation between the U.S. and China as something akin to the Cold War between the U.S. and the Soviet Union – an analogy Bejtlich echoed during our conversation.
“For those of us that remember the Cold War, we had this sort of mindset that it’s expected that the Russians are out there, and that they had a certain world view, and there’s certain things that they do, and we deal with them in a certain way,” said Bejtlich. “We’re not in a Cold War now, thankfully, but we are in a different sort of conflict.”
In an interview with CNN, former CIA and Homeland Security official Chad Sweet also equates the current U.S.-China relationship to the Cold War – but adds that the dangers of this conflict could be even more severe.
“We’re essentially facing a new Cold War – a cyber Cold War,” he said. “The destructive capacity is equal to that of a nuclear warhead … But what makes it more sinister than the nuclear age is that there’s no easily identifiable plume.”
The U.S. government’s view on the severity of cyber-attacks was made most clear last October, when Defense Secretary Leon Panetta warned that the U.S. could face a “cyber-Pearl Harbor.”
“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” said Panetta. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Why passenger trains would be loaded with lethal chemicals, Panetta did not say. But the message is clear: cyber-attacks are serious business. And the Mandiant report further promotes this worldview.
Now, I won’t pretend for a second to understand the massively complicated relationship between the U.S. and China, or the degree to which the Mandiant report complicates those ties even further. But as a citizen witnessing the sudden deluge of activity surrounding cybersecurity, I can’t help but wonder – and worry – about where all this is headed.
The passage of legislation like CISPA – a bill civil rights advocates see as a threat to our Fourth Amendment rights – seems all but certain. But then what? How does the Internet change for everyday people once it’s become an officially declared battleground of the world’s two most powerful countries? I have no idea, and have yet to find an answer. One can only hope that when that answer comes, it will be a good one. For now, we wait.