In China, Hacking America Is a Career Path

“The supreme art of war is to subdue the enemy without fighting,” says Sun Tzu

We Know Who Hacked Us

On Datong Road in Pudong, Shanghai, a nondescript 12-story high-rise built in 2007 is home to an unusual tenant, Military Unit 61398 of the People’s Liberation Army: a thousand Chinese workers make their living there, armed with advanced Internet technology skills and high levels of English proficiency.

A quick flyover would suggest that the office building housing Unit 61398 is a typical software development outpost. But the main business here is hacking computer networks in the United States, and the only software developed is malware.

How do we know this? The United States hacked into the Chinese facility.

Building 61398 Headquarters of China Cyber Hacking

Mandiant, a leading cyber-security consultant, has given the building its very own nom de guerre — APT1, or “advanced persistent threat number one.” Mandiant’s report on China’s cyber-attack capabilities is now required reading from Capitol Hill to the White House.

The findings have led business leaders and elected officials to consider a relatively new fear: Is the Chinese military concocting a technological version of WMD against the United States?

Thanks in part to this investigation, we are able to see more clearly than Albert Einstein the likely weapon of choice for World War III: attacks on America’s computer networks.

“I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.”
— Albert Einstein

Cyber Warnings

Mandiant has investigated hacking activity at APT1 since 2006, and recently published these findings:

  • APT1 is also known as the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (the Chinese equivalent to the U.S. National Security Agency), or simply Unit 61398.
  • The nature of Unit 61398’s work is considered by China to be a state secret. Once APT1 has established access to a U.S. network, it periodically revisits that network over several months or years and steals broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, e-mails, and contact lists from the victim organizations’ leadership.
  • In the first month of 2011, APT1 compromised at least 17 new victims operating in 10 different industries.

Shortly after Mandiant released its report, China Daily reported that hackers were generously distributing their own virus-infected versions of the report to security experts who then inadvertently spread the Chinese malware to colleagues.

Global companies headquartered in the United States used to think of themselves as “American” until it became more fashionable to say “borderless.”

When the Chinese wage cyber attacks behind a wall of sovereign immunity, however, “we are the world” is a hollow-sounding refrain. The only sensible response is to recognize that U.S. companies are being targeted by a powerful foreign government determined to gain access to their most valuable intellectual property.

It is a message that should resound in America’s boardrooms. Directors and management must urgently press their companies to come to terms with cyber security in a more strategic manner. It’s no longer just information technology, and goes far beyond the general counsel’s brief. America’s private and public enterprises are literally being outgunned in cyber terms.

It’s larger, more ominous, and presents far greater enterprise risk.

Existential Threat

Retired Gen. Peter Pace, former chairman of the Joint Chiefs of Staff, speaking in Chicago at a recent NACD event, drew a line in the sand: “Cyber security is one of two existential threats to our nation; the other is nuclear weapons, which have been used once, thank God. But cyber weapons are used thousands of times every day.”

After recent high-profile incursions on the New York Times and Washington Post and scores of other businesses, people are becoming familiar with the concept of sovereign cyber attacks on private enterprise.

But the subject is so technologically complex and legislatively conflicted that it has moved beyond the narrow scope of any single company or industry. The rampant increase in attacks on U.S. business interests has set in motion a new mandate: government and business must give cyber security a higher place on the list of national priorities.

Our elected officials are as in agreement on cyber security as they are on gun control or a national speed limit. Congress has the desire but is stumbling to the bandwagon.

In a recent New York Times article, Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) said the Mandiant report underscored the need for an international legal agreement, “but there is nothing currently in place to govern this emerging and increasingly dangerous national and economic security threat.”

It is the American way to have two sides on any issue, and this cyber skirmish is no different.

John Engler, president of the Business Roundtable, said at a recent congressional hearing, “American companies lack strong legal protections for sharing and receiving cyber-threat information, as well as guidance on how such information sharing may be treated under antitrust laws.”

Testifying on behalf of the pro-privacy lobby, the American Civil Liberties Union claimed that legislative remedies requiring business “to share sensitive personal information with the government, including military agencies,” will erode First Amendment rights.

President Obama felt compelled to offer a cyber-security plan in his 2013 State of the Union speech. The modus operandi behind his executive order is to allow both U.S. companies and the government to get around a thicket of anti-privacy concerns and share strategic information to help prevent cyber attacks. In issuing the order, the president was rattling a saber on sovereign information warfare, drawing an inescapable conclusion: he is of the opinion that it is a clear and present danger to the United States.

So what’s the endgame? It is now known that the Chinese seem determined to hack into every strategic American business and government network, motivated both by commercial interest and by nationalism, and they are doing so with impunity.

It is particularly disconcerting as China is not North Korea and it has much at stake in its high-profile relationship with the United States, leaving American citizens, business executives, directors, and elected officials asking: Why take the risk?

“He who knows when he can fight and when he cannot, will be victorious.”
— Sun Tzu

Other People’s Mistakes

Flash back to the Gulf War in 1992. CNN broadcasts to all Americans images of smart bombs homing in on targets with a precision previously known only in science fiction.

On the receiving end was Saddam Hussein’s army — the fourth largest in the world — armed to the brim with Soviet-era SCUD missiles and radar. “The mother of all battles” was how the dictator referred to it, unaware of the irony that was about to be visited upon him.

Then, in 2003, during the rematch called the Iraq War, U.S. forces shoved the entire Iraqi defense establishment into a bunker in barely 40 days.

But the Americans were not the only ones watching.

The Chinese military leadership refers to Iraq’s inglorious defeats as zhongda biange, meaning “the great transformation.”

Richard Clarke is a former advisor to three U.S. presidents for Global Affairs, Security, Counterterrorism, and Cyber Security, and the man who famously warned about 9/11. In his book, Cyber War, he reveals how the Chinese underwent a critical self-examination that ultimately led them to a new strategy now known as cyber war.

Throughout most of the post-Cold War years, the Chinese military was confident their success rested on their ability to withstand a war of attrition supported by extensive Soviet weaponry.

So when Iraq’s identical defense arsenal crumbled, they realized they had made a very poor purchasing decision.

The first step the Chinese took was to radically downsize traditional military spending (China spends just under 25 percent of what the United States allocates to defense today) and reinvest in “networkization,” or wanghuohua, to fight on a different battlefield: computing.

Given a target as technologically advanced as the United States, trading nukes for hacking seems risky, but the Chinese are playing the long game.

Their strategy now rests on two factors that shift the calculus in their favor. China’s efforts with paramilitary social movements that inspired their youngest and best minds were a success under Chairman Mao. Then it was the Red Guard. Today it is cyber warriors. An inherently nationalistic movement that rewards cyber cred and leads to a “cool” career would draw in the most talented Chinese.

Second, an investment in a technology offensive is far cheaper and “stealthier” than beefing up a nuclear arsenal against a formidable competitor like the United States.

The foreign military studies office at Fort Leavenworth published a confidential report in 2000 titled How Has the Information Age Affected China’s Attitude Toward Warfare?

It concluded: “It is fair to say that the major change was a reevaluation of how to evaluate and conduct warfare. China realized that it couldn’t threaten countries as a superpower might do with its current nuclear force, but it could so with its ‘Information War’ force.”

With the human assets in cyber safehouses like APT1, a bold and preemptive strike on U.S. networks would come next. That would place them at the heart of the Internet and set the stage for dominance down the road.

To execute this strategy, Clarke notes that the Chinese started with two leaders in computer and network technology. Using their giant economic lever, they threatened a ban on government procurement to get a copy of Microsoft’s secret operating system code.

Next, they were able to produce counterfeit copies of the Cisco network router that were made in manufacturing plants in China. Armed with knowledge of flaws in Microsoft’s and Cisco’s software and hardware, China’s hackers could potentially stop most networks from operation. That’s about the time the attacks began, as Mandiant discovered.

“Keep your friends close and your enemies closer.” — Sun Tzu

Asia Pivot

Whether it is simply Confucian wisdom or Communist ideology, China sees the United States as a business friend and a geopolitical competitor. The Chinese leadership holds these two contradictory opinions without apparent conflict.

Clarke points out that when President Obama’s national security advisor, Tom Donilon, commented that the strategic pivot toward the Asia-Pacific region would help to rebalance the focus of U.S. power in the region, he singled out only two countries for mention: North Korea, the perennial bad boy of geopolitics, and China.

Given the relatively paltry size of the North Korean economy, is the Asia Pivot merely a red herring to cover U.S. footsteps as it leans in on our real “enemy,” China?

The New York Times’ chief Washington correspondent, David E. Sanger, reported that when the Obama administration released a list of computer addresses linked to a hacking group that had stolen terabytes of data from American corporations, it ignored one minor detail: nearly all the digital addresses were traced to the Shanghai neighborhood of APT1.

An administration official was quoted as saying, “We were told that directly embarrassing the Chinese would backfire,” and it would only make them “more defensive, and more nationalistic.”

Views are beginning to harden, however. Mike Rogers (R-MI), chair of the House Intelligence Committee, responded to the Mandiant findings this way: “The Chinese cyber espionage has grown exponentially, and it’s doing damage to our economic future.”

In this new cyber era, the concept of enemy is ambiguous. Logic bombs are not atom bombs, and China is not an outright belligerent, but happens to be a crucial supplier and customer. The two countries traded $425 billion in goods last year, and China holds vast amounts of U.S. debt.

In 2010, before her first visit to China as secretary of state, Hillary Rodham Clinton asked Australia’s prime minister, “How do you deal toughly with your banker?”

Weaponized IT

If there were a Communist party poster in Unit 61398, it might be a map of the United States with the slogan, “You work for us now.”

The objective of all hacking is to gain control of computer networks. Recalling the infamous bank robber Willie Sutton, who went where the money was, the Chinese are simply going where the intellectual property is — and connectivity is their getaway car.

This is why such relatively cyber poor (in network density) powers as Venezuela, Cuba, and North Korea can wage cyber war with such wanton disregard. It takes scant resources to train and arm a cyber hacker/terrorist group. They can be housed discreetly in buildings where their work is quiet, and even if discovered, so what? If the target country wanted to retaliate, how much important IP would they download from computers in Havana or Hanoi, assuming they find a ready connection?

Cyber-rich countries like the United States and European nations, on the other hand, have scads of intellectual property and connectivity. And to make it even more tempting, the World Wide Web is world wide open to anyone with some formal HTTP training and a modem.

There are two billion Internet users in the world today, and according to Nielsen, a 79 percent penetration in the United States alone. Hewlett-Packard estimates that cyber crime is growing at a rate of 40 percent per year and that organizations are experiencing an average of 102 attacks per week.

In a report on cyber risks to government computers, the Government Accountability Office reported that cyber-security incidents against U.S. agencies increased nearly 1,000 percent to 48,562 in fiscal 2012, from 5,503 in 2006.

It turns out to be somewhat ironic that cyber war is one of the world’s great growth businesses, with a successful product suite that any developer would envy.

Kurt Volker, the former ambassador to NATO whose billet includes oversight of operations in Afghanistan, peace and stability in the Balkans, and security challenges in the 21st century, and who is today executive director of a geopolitical think tank, Arizona State University’s McCain Institute, is well-versed on the methods of engagement used by cyber attackers.

Disclosure: The author is a member of the board of The McCain Institute.

At the ground level, where the cyber combat takes place, there are three modes that should be of concern to directors. “There are different types of cyber attacks,” Volker explains. “Deny access to the Internet and cyber information, also called ‘denial of service’ or DOS attacks. These overwhelm servers so that people lose access to Internet-based activities. The second is theft of private and confidential information, as the Chinese do every day. And the third is tactical sabotage that inflicts damage on someone by access to systems. All three present very serious risks and are all tools of choice for regimes promoting cyber crime and cyber espionage against U.S. interests.”

Only it’s not just worms and viruses, cloaks and daggers. Managers should also be concerned about the traditional threat against intellectual property — which former Intel CEO and Chairman Craig Barrett calls “sneaker security.”

“Technology companies in the old days,” Barrett told NACD Directorship, “were worried about procedures to lock up intellectual property, yet a single engineering employee could effectively amass that IP, walk out the door, and get hired by a competitor. For global companies, sneaker security still poses a great threat as well.”

“You can be sure of succeeding in your attacks if you only attack places which are undefended.”
— Sun Tzu

Whiskey Tango Foxtrot

An old combat adage suggests that war is long periods of boredom punctuated by moments of sheer terror. There is a parallel in cyber war, which the U.S. military refers to as “Whiskey Tango Foxtrot” (or WTF) moments.

Mandiant’s report documented a number of WTF moments that enabled the Chinese to get a wide range of products: technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies, and other proprietary information from more than 100 major companies, mostly in the United States.

The Mandiant team discovered a 2009 attack on Coca-Cola that coincided with the beverage giant’s attempt to acquire the China Huiyuan Juice Group for $2.4 billion. The New York Times’ Sanger reported that as Coca-Cola executives were negotiating the purchase of a Chinese company, PLA Unit 61398 was busy penetrating its computers looking for details on Coca-Cola’s negotiation strategy.

The attack on Coca-Cola started out as a “seemingly innocuous e-mail to an executive” that was, in fact, a spear-phishing (bogus e-mails that mirror both legitimate sender, subject, and design) attack. When the executive clicked on a malicious link in the e-mail, the attackers had their mole inside Coca-Cola’s network.

From the inner sanctum, they pilfered confidential company information and redirected it through a chain of computers back to Shanghai, repeating the exercise weekly without anyone noticing.

Two months later, the hackers breached Lockheed Martin, the nation’s largest defense contractor. Emboldened by the “product” they gained, Chinese hackers from APT1 sent e-mails to several highly placed Google executives and, according to Clarke, duped them into visiting websites where malware was automatically downloaded to give the hackers what is known as root access. Root access grants all the permissions and authorities of the software manufacturer.

To a hacker, that means it is open season on data.

Being something of a cyber wunderkind, Google was able to trace the hacking to a server in Taiwan, where it also found copies of proprietary information for 20 other companies, including Adobe, Dow Chemical, and Northrop Grumman.

From there, the attacks were traced to mainland China. Google reported its findings to the FBI and then made a public announcement it would exit the Chinese market.

Clarke describes the Google hacking as a “Trojan horse” ploy that allowed the Chinese to embed software known as a “trap-door” that can be deployed when needed. More ominously, it can also be used to remove any trace of the activity, as if you were wiping up your fingerprints at the scene of a crime.

Hackers can go one better and insert a “logic bomb,” which can release a slew of computer misdeeds, such as commanding a power grid to produce a surge that fries circuits in transformers, or controlling an aircraft to go into dive position, then erase the data stream, even the cyber commands.

The National Security Agency has found logic bombs all over America’s power grid, by the way.

Joel Brenner, the author of America the Vulnerable and former head of counterintelligence for the director of National Intelligence, says similar attacks have been waged against companies as well known as Citibank, RBS, General Dynamics, Marathon Oil, ExxonMobil, and ConocoPhillips, in which thieves got away with a huge trawl of real-time bid data. Chinese intelligence operatives had hidden in the networks for months and gotten data no antivirus maker could filter because the malware was something new and no antivirus software producer had seen it before.

To be sure, the Chinese are far from alone among nations that promote or sanction cyber attacks against the United States. Russia, Al Qaeda-type Islamic terrorist groups, Iran, Venezuela, and North Korea all get due credit for making bold attempts to hack into U.S. networks. Yet, as the Mandiant report shows, the sophistication of the Chinese and their direct state involvement has secured them the role of leading candidate for cyber enemy №1.

A Legal Framework

What should business leaders be thinking about? As in so many business cases, it is part technology and part compliance.

The smart money is not betting on the constant ebb and flow of cyber counter-espionage tools that are the consultants’ passion. Craig Barrett believes the same game played by anti-aircraft and police radar countermeasures endlessly trying to leapfrog the enemy’s technology has been discredited.

Astute global players, he believes, are looking at another remedy, and one where the United States is seriously the world’s leader: legalistic enforcement of the rules that govern international trade and commerce, supported by more forceful communications at the highest levels, with consequences for noncompliance. If Google can depart China, then the United States may have to make similar decisions to send the right message.

For instance, Barrett is convinced that a legal framework could force countries that want to trade with the United States, Japan, and Europe to clean up their cyber-crime activities.

“The newcomers will need to deal within a legal framework if they are to ramp up their economic engines,” Barrett says. “I would think that a swift and agile government and judicial system, which do not take a year or two to bring a charge of intellectual property violation, but which have the ability to do it in 30 days, would be a serious remedy.”

Volker augments the possible remedies through the use of an internal manufacturing protocol “in the form of regulatory requirements that are aimed at security and protection of systems, in which legislation would control the ways technology is created, to ensure it is secure and will be a cost of doing business ultimately.”

For example, Volker suggests computer servers could be built to make them more resilient against denial-of-service attacks, and then government agencies would be required to buy those, and costs get spread around that way.

He also believes our nation’s Internet infrastructure, much of which has already been developed by the private sector with conditional interests from the military budget, would benefit from the same approach. “We could easily force more secure paradigms into our development process and, in short order, overturn the vulnerabilities that are slugging at us today,” Volker says.

There is much more that business can do at a practical level, as well; the board chair could require a quarterly technology overview that would include attack prevention and the involvement of third-party cyber-security experts. Managers with oversight responsibility need to understand how the company is complying with cyber security at a strategic level — which would also underscore the threats as part of a larger national security problem.

Strategic discourse is not often associated with technology dialogue in the boardroom. So why not take the same approach as a board’s oversight of financial controls? Clarke suggests directors make greater efforts to ensure that rigorous security compliance is part of the company culture. This includes asking questions about the vulnerabilities inherent in the software and devices the company uses. It also means training executives on how to detect and avoid the blackest of the cyber arts: requiring timely patching, password compliance (a Google search provides 21 million results for “password cracker”), changing default settings on devices (e.g., factory-set passwords and user names), and the detection of spear-phishing schemes. There is even the prospect that cyber insurance will be one of many remedies, and it should be examined carefully.

The road from cyber security to cyber safety may seem long and winding, but the time for business to begin the trek is now, not later.

“There is no instance of a nation benefiting from prolonged warfare.”
— Sun Tzu

The Sleeping Giant

In World War II, after the bombing of Pearl Harbor, Japanese Admiral Isoroku Yamamoto said, “I fear all we have done is to awaken a sleeping giant and fill him with a terrible resolve.” As it did then, when America does finally recognize a threat to its citizenry, it responds with extraordinary force and energy, sometimes to the shock and awe of its adversaries.

American technological prowess will undoubtedly rise to this as it has on previous occasions. It is likely that a “smarter” computer network will be developed to detect cyber intrusions instead of allowing them to penetrate, the intended sabotage will be acted out on a staging server far away from the actual target, and the perpetrators will be duped into believing they are doing their damage when, in reality, their own networks are compromised, with American law enforcement on its way.

The only truth and ultimate deterrent in cyber space is that technologically speaking, we all live in glass houses.


Top Cyber Myths

  • You have never experienced a virus or malware attack. Most malware conceals itself and its presence while stealing information or controlling your computer.
  • Pornographic sites are where the danger lies. The majority of infected sites are bogus copies of trusted and ordinary websites that have been created by malware hosts.
  • An attachment needs to be downloaded to spread an infection. Hackers now inject malicious code into web page content that downloads automatically when viewing the page. These tools are available in kits that are sold commercially.
  • A lock icon in the browser means it is secure. This icon represents an SSL-encrypted connection that protects personal information from interception, but it does not protect against malware. That’s why hackers emulate bank and credit card sites complete with spoofed SSL certificates.
Source: Cyber Security Tips (www.cyber-security-tips.com)

A Pandora’s Box of Computer Disease

A zero-day attack is one that exploits a previously unknown vulnerability in an application or software. The attack occurs on “day zero” of awareness of the vulnerability, with the corollary that developers have had no time to address the problem with a patch. Because the malware is inserted into the program in this way, it may also go undetected for some time, or permanently.

Malware, or malicious software, is used to disrupt a computer’s operation, steal sensitive information, or gain access to a network. Browsers are likely targets because of their wide distribution. E-mail can also carry bugs that launch when an attachment such as a PDF is opened.

A botnet is a computer or network whose security has been breached and is now controlled by a third party.

A virus is a program passed from user to user (via USB or flash drives or over the internet) that either disrupts a computer’s operation or provides a hidden point of access to steal private information for the future.

Worms do not require a user to pass on the program to another user. They can copy themselves by taking advantage of known vulnerabilities and “worm” their way across the internet through contact information.

Phishing, or more targeted spear phishing, scams try to trick an internet user into providing information such as bank account numbers and access codes by creating e-mails and look-alike websites that appear to be the legitimate business.
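The phishing entry above, the lock-icon myth in the sidebar, and the board-level call to train staff in detecting spear-phishing all turn on a reader mistaking an imitation domain for the real one. The following is an added Python example, not code from the article or from any of the sources it cites, that screens a link the way a mail-filtering or awareness tool might: it flags a registrable domain that merely embeds a trusted name (such as a trusted domain used as a subdomain of someone else’s site), and one whose label matches a trusted label after undoing common digit-for-letter substitutions or within a small edit distance. The trusted-domain list, the substitution table, and the sample URLs are all constructed for the example, and the https scheme is deliberately not treated as a trust signal, for the reason the sidebar gives.

```python
from urllib.parse import urlparse

# Domains the organization treats as legitimate (constructed for this example).
TRUSTED_DOMAINS = ["example-bank.com", "example-card.com"]

# Substitutions commonly used to imitate a trusted name (constructed subset).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Largest edit distance at which a label still counts as an imitation.
MAX_DISTANCE = 2


def normalize_label(label):
    """Undo common look-alike substitutions so 'examp1e' compares as 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def assess_link(url):
    """Return (verdict, registrable_domain) for a URL found in an e-mail.

    verdict is 'trusted', 'lookalike' or 'unknown'. The URL scheme is ignored on
    purpose: an https lock only proves encryption, not who is on the other end.
    """
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    reg_label = normalize_label(reg.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        trusted_label = trusted.split(".")[0]
        # A trusted name embedded in a host that belongs to someone else,
        # e.g. example-bank.com.verify-login.net, or padded with extra words.
        if trusted in host or trusted_label in reg_label:
            return ("lookalike", reg)
        # A near miss after undoing substitutions, e.g. examp1e-bank.com.
        if edit_distance(reg_label, trusted_label) <= MAX_DISTANCE:
            return ("lookalike", reg)
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive in spear-phishing e-mail.
    for link in [
        "https://www.example-bank.com/login",
        "https://examp1e-bank.com/login",
        "https://example-bank.com.verify-login.net/session",
        "https://unrelated-site.org/",
    ]:
        print(assess_link(link), link)
```

The registrable-domain split is a two-label simplification; a production filter would consult the public suffix list so that names under country-code second-level domains are handled correctly, and would treat an "unknown" verdict as a prompt for the reader to type the address they already know rather than follow the link.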

A backdoor exists after a system is compromised to allow future access, even when the original penetration is remedied.

Root kits allow a penetration to be concealed from the owner of a computer or network. They modify the host’s operating system to hide malware from users or investigators, and can be used to hide the malware or defend against its removal.

To Syria, With Love

Cyber war is also becoming a weapon of traditional combat. In a fascinating display of the control that can be achieved through cyber tactics, Richard Clarke relates the cyber lesson taught the old-fashioned way to the dictatorship of Syria — through misinformation.

On Sept. 6, 2007, along the Euphrates River in Syria — where nations have fought battles for 5,000 years — a group of North Korean workers left a work site for the night. As the evening wore on, locals witnessed a streak of light and the sounds of explosions coming from the work area, then saw falling debris. The next morning, Syrian President Bashar Hafez Al-Assad said an empty building had been bombed. But nearly a year later, the U.N.’s International Atomic Energy Agency inspected the site and found radioactive materials.

What happened on that September night? Syrian forces were expecting trouble from Israel because they knew their collaboration with North Korea to build a nuclear weapons facility might not be a secret. But their radar revealed only the darkness of the night desert. Israeli cyber warriors owned Damascus’ air defense network, and the tranquil image the Syrians saw was nothing more than wallpaper on a computer.

This is how information can now be used in a time of war.

For Further Reading

For those with a curiosity to learn more about cyber security, here are three titles that are exemplary for their accessibility, written by some of today’s leading experts:

Cyber War By Richard A. Clarke and Robert E. Knake (Harper Collins, 2010)
America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare By Joel Brenner (The Penguin Press, 2011)
Zero Day: The Threat in Cyberspace By Robert O’Harrow Jr. (The Washington Post, 2013)